Security release: symfony 1.4.20 released
November 25, 2012 • Published by Fabien Potencier
symfony 1.4.20 has just been released and it contains a security fix.
Uli Hecht contacted us a couple of days ago about a security issue in symfony 1.4. The vulnerability allows an attacker to read any file on the server that the web server process can read: POST values shaped like the array PHP builds for a file upload (in particular a nested `tmp_name` key pointing at an arbitrary path) were accepted as if they had come from `$_FILES`, so the referenced file ends up being saved as the "uploaded" file. Your application is vulnerable if it has a form with a file upload field and stores the uploaded file under a web-accessible area (somewhere under the web root directory), from where the attacker can then fetch it.
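To make the mechanism concrete, here is an added, self-contained PHP illustration. It is not symfony's own code: the sfForm and sfValidatorFile stand-ins, the field name `attachment`, the constructed request and the assumption that the "upload" is persisted by copying from `tmp_name` are mine. It runs the forged request against a vulnerable saver and against one that applies the 1.4.20 structural check plus PHP's `is_uploaded_file()`.

```php
<?php
// Added illustration, not symfony's own code. It models the pre-1.4.20
// behaviour the advisory describes: $_POST is merged with the converted
// $_FILES array, and the file handling trusts whatever 'tmp_name' it finds.
// Assumptions (not stated on the page): the upload is persisted by copying
// from tmp_name, and the stand-ins below replace sfForm / sfValidatorFile.

// Constructed attacker request: an ordinary (non-multipart) POST whose fields
// mimic the $_FILES layout for a form field named "attachment", i.e.
//   attachment[name]=notes.txt&attachment[tmp_name]=/etc/passwd&attachment[error]=0
function forgedPost($targetPath)
{
    return array(
        'attachment' => array(
            'name'     => 'notes.txt',
            'type'     => 'text/plain',
            'tmp_name' => $targetPath,  // any path the web server can read
            'error'    => 0,
            'size'     => 1,
        ),
    );
}

// Stand-in for sfForm::deepArrayUnion: merges POST values with file info.
function deepArrayUnion(array $array1, array $array2)
{
    foreach ($array2 as $key => $value) {
        if (is_array($value) && isset($array1[$key]) && is_array($array1[$key])) {
            $array1[$key] = deepArrayUnion($array1[$key], $value);
        } else {
            $array1[$key] = $value;
        }
    }
    return $array1;
}

// Vulnerable stand-in for the upload validator/saver: accepts any array that
// carries a tmp_name and copies that path into the (web-accessible) upload dir.
function saveUploadVulnerable(array $post, array $files, $field, $uploadDir)
{
    $merged = deepArrayUnion($post, $files);
    $value  = isset($merged[$field]) ? $merged[$field] : null;
    if (!is_array($value) || !isset($value['tmp_name'])) {
        throw new InvalidArgumentException('Not a file upload.');
    }
    $dest = $uploadDir . '/' . basename($value['name']);
    if (!copy($value['tmp_name'], $dest)) {
        throw new RuntimeException('copy failed');
    }
    return $dest;  // fetchable over HTTP if $uploadDir is under the web root
}

// The 1.4.20 structural check: reject POST values shaped like a file upload.
function checkTaintedValues(array $values)
{
    foreach ($values as $value) {
        if (!is_array($value)) {
            continue;
        }
        if (isset($value['tmp_name'])) {
            throw new InvalidArgumentException('Do not try to fake a file upload.');
        }
        checkTaintedValues($value);
    }
}

// Hardened saver: run the structural check on POST *before* the merge (after
// it the two sources are indistinguishable), then additionally insist that
// tmp_name is a path PHP itself created for this request (is_uploaded_file).
function saveUploadHardened(array $post, array $files, $field, $uploadDir)
{
    checkTaintedValues($post);
    $merged = deepArrayUnion($post, $files);
    $value  = isset($merged[$field]) ? $merged[$field] : null;
    if (!is_array($value) || !isset($value['tmp_name']) || !is_uploaded_file($value['tmp_name'])) {
        throw new InvalidArgumentException('Not a genuine upload.');
    }
    $dest = $uploadDir . '/' . basename($value['name']);
    move_uploaded_file($value['tmp_name'], $dest);
    return $dest;
}

// Demo on constructed local files instead of /etc/passwd.
$secret = tempnam(sys_get_temp_dir(), 'secret');
file_put_contents($secret, "db_password=hunter2\n");
$uploadDir = sys_get_temp_dir() . '/fake-web-uploads-' . getmypid();
mkdir($uploadDir);

$dest = saveUploadVulnerable(forgedPost($secret), array(), 'attachment', $uploadDir);
echo "vulnerable: copied secret to $dest: ", file_get_contents($dest);

try {
    saveUploadHardened(forgedPost($secret), array(), 'attachment', $uploadDir);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")\n";
}

unlink($dest);
unlink($secret);
rmdir($uploadDir);
```

Run it with `php` on the command line: the vulnerable path prints the contents of the constructed secret file from the "upload" directory, the hardened path rejects the request before any file is touched. The order in the hardened saver matters: the structural check has to look at the POST array on its own, because after the union with the file information there is no way to tell which source a `tmp_name` came from.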
If you are vulnerable, we highly recommend that you upgrade as soon as possible; if that is not possible, apply the following patch:
Index: lib/form/sfForm.class.php
===================================================================
--- lib/form/sfForm.class.php (revision 33597)
+++ lib/form/sfForm.class.php (working copy)
@@ -222,6 +222,8 @@
$this->taintedFiles = array();
}
+ $this->checkTaintedValues($this->taintedValues);
+
try
{
$this->doBind(self::deepArrayUnion($this->taintedValues, self::convertFileInformation($this->taintedFiles)));
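Review bot: the new call `$this->checkTaintedValues($this->taintedValues);` throws an InvalidArgumentException straight out of bind(), so a request carrying a nested `tmp_name` key is answered with an uncaught exception (a 500 under the default front controller) rather than a form validation error, and a legitimate form whose POST happens to contain a nested field named `tmp_name` is rejected the same way; consider documenting this in the bind() docblock or turning it into a validation failure. Running the check on `$this->taintedValues` alone and before `deepArrayUnion(...)` is the right place: once the POST values and `convertFileInformation($this->taintedFiles)` have been merged, the two sources can no longer be told apart.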
@@ -1336,4 +1338,24 @@
return $array1;
}
+
+ /**
+ * Checks that the $_POST values do not contain something that
+ * looks like a file upload (coming from $_FILE).
+ */
+ protected function checkTaintedValues($values)
+ {
+ foreach ($values as $name => $value)
+ {
+ if (!is_array($value)) {
+ continue;
+ }
+
+ if (isset($value['tmp_name'])) {
+ throw new InvalidArgumentException('Do not try to fake a file upload.');
+ }
+
+ $this->checkTaintedValues($value);
+ }
+ }
}
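Review bot: the docblock of the new method says `$_FILE`; PHP's superglobal is `$_FILES`. Style: the braces in `if (!is_array($value)) {` and `if (isset($value['tmp_name'])) {` sit on the same line, while the rest of the file (see `try` / `{` in the hunk above) puts them on their own line. On the logic: the method looks only for the `tmp_name` key, so the guard is coupled to the exact key the file validator reads; a comment making that coupling explicit would help, and a defence-in-depth check in the file validator that the path satisfies PHP's `is_uploaded_file()` would not depend on the shape of the POST array at all. `isset()` returning false for a null `tmp_name` is harmless here, since a null path cannot be used to read a file.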
Here are the other changes for this release (from the CHANGELOG):
- [33545] fixed sfPDOSessionStorage for Oracle (closes #10022)
- [33544] fixed sfWebRequest::splitHttpAcceptHeader incorrect result order (closes #10069, patch by Keri Henare)
- [33539] fixed exception format when using the PHP 5.4 built-in server (closes #10067, based on a patch from jgskin)
- [33486] fixed sfPDODatabase::call() method (closes #10044)
If you've checked out a copy of the tag from Subversion, you can switch to the latest version:
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_20
If you are using the PEAR package you can update using the pear command:
$ pear upgrade symfony/symfony-1.4.20
And as always, don't forget to clear your cache after upgrading.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Unfortunately there is nothing to find in the changelog about that :-)
Would you update the git mirror?
Just updated to 1.4.20 in my one project
My problem is even worse now, because a production server had been using 1.4.20 for some time and my email queue consists of mixed .18- and .20-enqueued emails, so both code revisions give fatals on send attempts :(