Symfony 2.3.18, 2.4.8, and 2.5.2 have just been released; they contain a security fix for the Translator class provided by FrameworkBundle (CVE-2014-4931).
The Symfony versions released today also contain a server-side mitigation for a JSONP vulnerability as described in CVE-2014-4671. You can learn more about this at Abusing JSONP with Rosetta Flash. Also, if you are using NelmioSecurityBundle, disable the content type sniffing for script resources.
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the FrameworkBundle coming from the Symfony full-stack framework are affected by this issue. The translator component by itself is not vulnerable.
Your Symfony application is vulnerable if you meet the following conditions:
- You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack -- you are not affected if you are using the Translation component with Silex for instance);
- You don't sanitize locales coming from a URL (any route with a _locale argument, for instance).
When vulnerable, an attacker can submit a non-valid locale value that can contain some PHP code that will be executed by Symfony. That's because the locale value is dumped into a PHP file generated in the cache without being sanitized first.
This patch solves the issue by rejecting locales that contain characters outside the range of valid ones for locales. Symfony does not validate locales against a fixed list, because anyone can define a custom locale name; instead, the patch only restricts the characters a locale may contain. So, this patch makes everything secure without breaking BC (except if the developer uses a locale with "strange" characters, which I doubt is widespread).
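To make the mitigation concrete, here is an added illustration of the whitelist approach described above; it is not code from Symfony or from this advisory. A locale is accepted only if it matches a narrow character class, and that check runs before the value is used to build the contents of a generated PHP cache file. The function names `assertValidLocale` and `buildCatalogueCacheSource`, the exact character class, and the sample inputs are assumptions made for this example.

```php
<?php
// Added illustration of the locale-whitelist mitigation.
// Not Symfony's code; names, regex and sample values are assumptions.

/**
 * Reject any locale containing characters outside a conservative whitelist.
 * Real locale identifiers ("en", "fr_FR", "sr@latin", "zh-Hant") only need
 * letters, digits and a few separators, so quotes, semicolons, slashes,
 * PHP tags and the like are refused before the value can reach a generated
 * PHP file or a file system path.
 */
function assertValidLocale($locale)
{
    if (1 !== preg_match('/^[a-z0-9@_.\-]*$/i', $locale)) {
        throw new InvalidArgumentException(sprintf('Invalid "%s" locale.', $locale));
    }
}

/**
 * Build the source of a cached catalogue file. The locale is validated
 * first, and var_export() emits both the locale and the messages as proper
 * PHP literals instead of pasting raw strings into the generated code.
 */
function buildCatalogueCacheSource($locale, array $messages)
{
    assertValidLocale($locale);

    return sprintf(
        "<?php\nreturn ['locale' => %s, 'messages' => %s];\n",
        var_export($locale, true),
        var_export($messages, true)
    );
}

// Constructed samples: well-formed locales pass through unchanged.
foreach (['en', 'fr_FR', 'sr@latin', 'zh-Hant'] as $locale) {
    assertValidLocale($locale); // no exception
    echo buildCatalogueCacheSource($locale, ['hello' => 'Hello']);
}

// A value with characters no locale ever needs is rejected before any
// cache file is written.
try {
    buildCatalogueCacheSource('en;x', ['hello' => 'Hello']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Independently of the framework patch, an application can also narrow the accepted values at the routing layer: Symfony routes support a requirements entry for the _locale parameter (for example restricting it to en|fr|de), so that a URL carrying any other value never matches a route at all. Using both checks follows the "don't sanitize locales coming from a URL" condition listed above from the defender's side.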
You need to upgrade Symfony to its latest version, according to the branch you are using for your project, or you can apply the following patch: https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
I would like to thank Jeremy Derussé for reporting this security issue and for providing a patch.
To be notified about important Symfony dates, consider subscribing to the roadmap notifications.