symfony 1.1.4 released: Security fix
In accordance with our security policy, we are releasing today symfony 1.1.4 to fix a security issue that has been reported by a symfony user earlier today. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are all symfony 1.1 releases and the 1.2 branch.
Description of the vulnerability
The validation sub-framework allows the developer to embed the user submitted value in the error messages. If you use the submitted value in some of your error messages or if you use the default error messages provided by some built-in validators (see the list below), you are vulnerable because symfony will not escape the value for you.
The following built-in validators are affected because they embed the submitted values in some of their default error messages:
sfValidatorDate
sfValidatorFile
sfValidatorInteger
sfValidatorNumber
sfValidatorString
sfValidatorTime
Resolution
As of symfony 1.1.4, we have changed the getArguments()
method of the sfValidatorError
class to escape the error messages. Here is the modified version of this method:
[php]
public function getArguments($raw = false)
{
if ($raw)
{
return $this->arguments;
}
$arguments = array();
foreach ($this->arguments as $key => $value)
{
if (is_array($value))
{
continue;
}
$arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
}
return $arguments;
}
The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 (changeset 11933) branches. You can download the patch for symfony 1.1 or symfony 1.2.
Every symfony user is encouraged to upgrade as soon as possible.
Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
Fyi, in all my 1.1 freshly updated project, the sf version shows 1.1.5-DEV.
i've installed 1.1.3, how do i update to 1.1.4 with the patch? Do you install it manually or can the patch be run as a script?
Thanks.
On the other hand...excellent work! Keep going