Security Release: symfony 1.3.6 and 1.4.6

New releases for symfony 1.3 and 1.4 have been packaged sooner than expected to address a security vulnerability reported yesterday. It is strongly recommended that all applications running symfony 1.3 and 1.4 upgrade to this latest release immediately.

The Security Fix

One of the enhancements added to symfony 1.3 and 1.4 was the ability to cache rendered templates even when the current URL includes GET parameters (i.e. /feed?page=2). These parameters are used to create a unique cache key, which is then used to generate the directory structure where the cache files are stored.

These incoming parameters were not being properly cleaned, resulting the potential for directory traversal. For example, the response for /feed?page=.. would be stored higher in the cache's directory structure than intended. The extent of the vulnerability depends on how each deployment's file permissions are configured and only applies to applications with the cache setting enabled in settings.yml.

To see the changeset checkout r30031.

How to Upgrade

If you've checked out a copy of the tag from Subversion you can switch to the latest version:

// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_6

// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_6

If you are using the PEAR package you can update using the pear command:

// symfony 1.3
$ pear upgrade symfony/symfony-1.3.6

// symfony 1.4
$ pear upgrade symfony/symfony-1.4.6

How to Report Security Issues

As we've stated in the past, please report security-related issues to security [at] symfony-project [dot] com rather than posting them directly to Trac. This will give the core team the opportunity to review and address the issue before word gets out.