Security release: Symfony 2.0.19 and 2.1.4

November 29, 2012 Fabien Potencier

I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix.

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

Patch for Symfony 2.0.19
Patch for Symfony 2.1.4

If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

Mike Kamornikov said on Nov 29, 2012 at 14:22 #1

There was a security audit done by Sektion Eins like a year ago. I've found a post about problems found/fixed in Symfony2 itself but no info about Doctrine and Twig. Any info on that? Just curious )

Xavier HAUSHERR said on Nov 29, 2012 at 14:23 #2

What about the "trust_proxy_headers: true" configuration ?
Is there any configuration to inject a list of trusted proxies ?

Tom Boutell said on Nov 29, 2012 at 15:32 #3

Is there any risk to an app that hasn't gone out of its way to trust a proxy in some fashion or to do IP-based access control?

Thanks for keeping Symfony secure!

Loïc Vernet said on Nov 29, 2012 at 16:38 #4

The title is wrong it should be: "Symfony 2.0.19 and 2.1.4".

Thanks for the release. ;)

Loïc Vernet said on Nov 30, 2012 at 10:36 #5

This file does not exists like as previous version: https://raw.github.com/symfony/symfony-standard/v2.0.19/deps.lock (was OK for 2.0.18) The tag is missing.

Toan Nguyen said on Dec 02, 2012 at 15:13 #6

Thank for release.

btw, composer works well at this time.

Fabien Potencier said on Dec 20, 2012 at 18:00 #7

As of Symfony 2.0.20 and 2.1.5, there is a new trusted_proxies settings if you don't want to configure trusted proxies in your front controllers.

wenming tang said on Jan 18, 2013 at 07:11 #8

Is very good

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.