Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When the register_argc_argv
php directive is set to on
, and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
Resolution
The SymfonyRuntime
now ignores the argv
values for non-cli SAPIs PHP runtimes
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.
The parameter is named
register_argc_argv
notregister_argv_argc
, see https://www.php.net/manual/en/ini.core.php#ini.register-argc-argvIf you're using Symfony Docker or the API Platform distribution, your project isn't affected because our skeletons provide safe PHP defaults.
This is pretty bad. This parameter is activated by default on most hosts (platform.sh is an example).
Thanks for fixing the problem quickly.
@Thomas fixed thanks. @Renaud it's Off by default on Platform.sh, also in Debian-based distributions and many others I guess. It's On in the official Docker image unfortunately.
Ok thanks! I guess in CLI "php -i" is going to show it On because it's CLI, that's what confused me.
Indeed, this option is hardcoded as "On" for the CLI SAPI. So checking
php -i
will not give you the correct insights :)