Security release: symfony 1.4.20 released

symfony 1.4.20 has just been released and it contains a security fix.

Uli Hecht contacted us a couple of days ago about a security issue in symfony 1.4. The vulnerability allows reading any file stored on the server if it is readable by the web server. Your application is vulnerable if there is a form that contains a file upload field and the uploaded file is stored under a web-accessible area (somewhere under the web root directory).

If you are vulnerable, we highly recommend you to upgrade as soon as possible, and if it is not possible, please apply the following patch:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Index: lib/form/sfForm.class.php
===================================================================
--- lib/form/sfForm.class.php       (revision 33597)
+++ lib/form/sfForm.class.php       (working copy)
@@ -222,6 +222,8 @@
       $this->taintedFiles = array();
     }

+    $this->checkTaintedValues($this->taintedValues);
+
     try
     {
       $this->doBind(self::deepArrayUnion($this->taintedValues, self::convertFileInformation($this->taintedFiles)));
@@ -1336,4 +1338,24 @@

     return $array1;
   }
+
+  /**
+   * Checks that the $_POST values do not contain something that
+   * looks like a file upload (coming from $_FILE).
+   */
+  protected function checkTaintedValues($values)
+  {
+    foreach ($values as $name => $value)
+    {
+      if (!is_array($value)) {
+        continue;
+      }
+
+      if (isset($value['tmp_name'])) {
+        throw new InvalidArgumentException('Do not try to fake a file upload.');
+      }
+
+      $this->checkTaintedValues($value);
+    }
+  }
 }

Here are the other changes for this release: CHANGELOG:

  • [33545] fixed sfPDOSessionStorage for Oracle (closes #10022)
  • [33544] fixed sfWebRequest::splitHttpAcceptHeader incorrect result order (closes #10069, patch by Keri Henare)
  • [33539] fixed exception format when using the PHP 5.4 built-in server (closes #10067, based on a patch from jgskin)
  • [33486] fixed sfPDODatabase::call() method (closes #10044)

If you've checked out a copy of the tag from Subversion you can switch to the latest version:

1
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_20

If you are using the PEAR package you can update using the pear command:

1
$ pear upgrade symfony/symfony-1.4.20

And as always, don't forget to clear your cache after upgrading.

If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

Seems that Swift Mailer also was updated. Swift_Mime_SimpleMessage::__construct now has 5 parameters. The fourth is new (Swift_Mime_Grammar).

Unfortunately there is nothing to find in the changelog about that :-)
@fabpot I think the vulnerability apply also for the forms that store files in a private folder and allow the user to download them through a controller.

would you update the git mirror ?
Important update
Just updated to 1.4.20 in my one project
Can't found 1.4.20 in Legacy releases combo.
Not sure but swift is now causing a ton of problems. Had to revert 3 servers back to a previous versions.
#5: I confirm that! I've just wasted a whole day on Xdebugging only to find that all those fatal errors I had were caused by the Swiftmailer update. Symfony 1.4.20 is NOT backward compatible if you use Swiftmailer in a certain way. If you had enqueued bunch of emails using previous version (in my case: 1.4.18) and you try to send them using the new one, lot of problems come up and all of them are related to unserialization and to the recently added Swift_Mime_Grammar class.
My problem is even worse now, because a production server had been using 1.4.20 for some time and my email queue consists of mixed .18- and .20-enqueued emails, so both code revisions give fatals on send attempts :(

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.