Security release: Symfony 2.0.19 and 2.1.4

November 29, 2012 · Published by Avatar of Fabien Potencier Fabien Potencier

I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix.

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

  • Patch for Symfony 2.0.19
  • Patch for Symfony 2.1.4
Published in #Releases #Security Advisories

Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Mike Kamornikov
Mike Kamornikov said on Nov 29, 2012
There was a security audit done by Sektion Eins like a year ago. I've found a post about problems found/fixed in Symfony2 itself but no info about Doctrine and Twig. Any info on that? Just curious )
Avatar of Xavier HAUSHERR
Xavier HAUSHERR said on Nov 29, 2012
What about the "trust_proxy_headers: true" configuration ?
Is there any configuration to inject a list of trusted proxies ?
Avatar of Tom Boutell
Tom Boutell said on Nov 29, 2012
Is there any risk to an app that hasn't gone out of its way to trust a proxy in some fashion or to do IP-based access control?

Thanks for keeping Symfony secure!
Avatar of Loïc Vernet
Loïc Vernet Certified said on Nov 29, 2012
The title is wrong it should be: "Symfony 2.0.19 and 2.1.4".

Thanks for the release. ;)
Avatar of Loïc Vernet
Loïc Vernet Certified said on Nov 30, 2012
This file does not exists like as previous version: https://raw.github.com/symfony/symfony-standard/v2.0.19/deps.lock (was OK for 2.0.18) The tag is missing.
Avatar of Toan Nguyen
Toan Nguyen said on Dec 2, 2012
Thank for release.

btw, composer works well at this time.
Avatar of Fabien Potencier
Fabien Potencier Certified said on Dec 20, 2012
As of Symfony 2.0.20 and 2.1.5, there is a new trusted_proxies settings if you don't want to configure trusted proxies in your front controllers.
Avatar of wenming tang
wenming tang said on Jan 18, 2013
Is very good

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.