In accordance with our security policy, we are releasing today symfony 1.2.6 to fix a security issue that has been spotted by the symfony core team.

This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are all symfony 1.2 releases and the 1.3 branch.

Description of the vulnerability

The new admin generator can be configured via the generator.yml configuration file. To create or modify an existing record, the admin generator uses the form associated with the model class. This form can be customized via the form, edit, and new sections.

The display entry of these sections allows the regrouping of form fields in field sets. If you use this option to hide some fields defined in the form class, and if these fields are not required, you might think it works correctly. It does not. As stated in the documentation, you must list all form fields in the display section. The correct way to hide form fields in the admin generator is to unset them from the form class itself:

class ArticleForm extends BaseArticleForm
  public function configure()
    // safely remove the is_admin field from the form

If not, a malicious user can potentially inject values for fields for which he does not have the right for (as it won't be caught by the security measure implemented by the allow_extra_fields setting of the form).

To sum up, you are potentially affected if you use the new admin generator bundled with symfony 1.2 (Propel or Doctrine) and have removed some form fields in the display entry of the generator.yml form sections without unsetting them in the corresponding form class.


As of symfony 1.2.6, the new admin generator prevents such a problem by automatically unsetting the hiding fields from the form object (but not the hidden fields).

If you are affected, you can fix the problem by:

  • Upgrading to symfony 1.2.6;

  • Applying the patch for symfony 1.2.5

  • Editing your form classes and unsetting the fields you want to hide from the edit or new form (as show above in the small example).

The symfony 1.2.6 release is based on the 1.2.5 version and only contains the security fix as a difference. All other pending changes have been moved to the upcoming 1.2.7 release.