symfony 1.0.16 is out

May 14, 2008 · Published by Avatar of Grégoire Hubert Grégoire Hubert

symfony 1.0.16 is out and fixes an important security breach. This is the shortest changelog one may find between two releases: a one line file.

  • r8922: fixed yml validator file can be overriden by a remote attacker (#1617)

The issue is described in ticket #1617.

An attacker could bypass the validation process and get unsecure data through your actions. Your applications are only vulnerable is you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).

If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.

Everybody is encouraged to upgrade as soon as possible.

For 1.0 : You can apply the patch directly from here http://trac.symfony-project.com/changeset/8922 or upgrade to 1.0.16 either by using the PEAR package (pear upgrade symfony/symfony-1.0.16) or by using the Debian package.

For 1.1 : You can apply the patch available here http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.

 

Published in #Releases #Security Advisories

Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Atko
Atko said on May 15, 2008
Great job!
Avatar of Massimiliano
Massimiliano said on May 15, 2008
I tried to upgrade, but I got:

WARNING: failed to download pear.symfony-project.com/symfony, version "1.0.16", will instead download version 1.0.15, stability "stable"
Avatar of Suparno
Suparno said on May 15, 2008
Hello All,
I have made a new module in apps of MyProject
using symfony propel-generate-crud Foldername programname ProgramName.

But it didn't generate generator.yml in config folder.

Then I used the command

symfony propel-init-admin FolderName programname ProgramName.

It generated generator.yml.
I added the code

list:
max_per_page:1

Since there are 2 data in the perticular table.

But the Pagination doesn't display, which was suppose to by default.

Please suggest as sson as process for the process to make the pagination work from actions.class.php, layout.php or any other template page, and myclass.php.

I need this help as soon as possible.
Avatar of halfer
halfer said on May 15, 2008
@Suparno - the comments on the blog are an inappropriate place for general support questions. I believe you have also asked this on the fora, so please await an answer there, or ask on the users' mailing list.
Avatar of Hugo
Hugo said on May 16, 2008
My Symfony 1.0 is now up to date ! Thanks a lot for this important version ;)
Avatar of arhak
arhak said on Jun 5, 2008
Oh, this is huge!
This is why every website should reconsider revealing a "powered by Symfony" signature.
There are a few issues in Symfony that should be discourage for production, only encouraged for RAD prototyping

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.