Affected versions
Symfony versions >=2.8.0, <2.36.0, >=3.0.0, <3.1.0 of the Symfony UX Live Component component are affected by this security issue.
The issue has been fixed in Symfony 2.36.0, 3.1.0.
Description
When a #[LiveProp] is typed as a DateTimeInterface and no explicit
format is configured,
Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls
back to new $className($value). The DateTime / DateTimeImmutable
constructors accept relative strings such as "now", "tomorrow", or
"+10 years", so a writable, format-less date prop can be pushed to an
arbitrary point in time by the client. Components that rely on a date prop to
gate time-based business logic can be moved past those checks by a frontend
payload that no maintainer would consider a valid date.
Resolution
hydrateObjectValue() now parses format-less date props strictly with
createFromFormat(DateTimeInterface::RFC3339, ...), matching the format
already emitted by dehydrateObjectValue(). Normal round-trips are
unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is
consistent with how a format-configured prop already behaved.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
We would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.