• Grégoire Hubert
• about 1 year ago
• Releases
• 6

symfony 1.0.16 is out and fixes an important security breach. This is the shortest changelog one may find between two releases: a one line file.

• r8922: fixed yml validator file can be overriden by a remote attacker (#1617)

The issue is described in ticket #1617.

An attacker could bypass the validation process and get unsecure data through your actions. Your applications are only vulnerable is you use the :action placeholder in your routing rules. This is the case if you rely on the default symfony routing rule (/:module/:action/*).

If you use symfony 1.1, your applications are only vulnerable if you use the 1.0 compat layer.

Everybody is encouraged to upgrade as soon as possible.

For 1.0 : You can apply the patch directly from here http://trac.symfony-project.com/changeset/8922 or upgrade to 1.0.16 either by using the PEAR package (pear upgrade symfony/symfony-1.0.16) or by using the Debian package.

For 1.1 : You can apply the patch available here http://trac.symfony-project.com/changeset/8925. The patch will be part of the next 1.1 release candidate.

Comments

• 

  #1 Atko said about 14 hours later

  Great job!

• 

  #2 Massimiliano said about 15 hours later

  I tried to upgrade, but I got:

  WARNING: failed to download pear.symfony-project.com/symfony, version "1.0.16", will instead download version 1.0.15, stability "stable"

• 

  #3 Suparno said about 19 hours later

  Hello All,
  I have made a new module in apps of MyProject
  using symfony propel-generate-crud Foldername programname ProgramName.

  But it didn't generate generator.yml in config folder.

  Then I used the command

  symfony propel-init-admin FolderName programname ProgramName.

  It generated generator.yml.
  I added the code

  list:
  max_per_page:1

  Since there are 2 data in the perticular table.

  But the Pagination doesn't display, which was suppose to by default.

  Please suggest as sson as process for the process to make the pagination work from actions.class.php, layout.php or any other template page, and myclass.php.

  I need this help as soon as possible.
  

• 

  #4 halfer said about 19 hours later

  @Suparno - the comments on the blog are an inappropriate place for general support questions. I believe you have also asked this on the fora, so please await an answer there, or ask on the users' mailing list.

• 

  #5 Hugo said 1 day later

  My Symfony 1.0 is now up to date ! Thanks a lot for this important version ;)

• 

  #6 arhak said 22 days later

  Oh, this is huge!
  This is why every website should reconsider revealing a "powered by Symfony" signature.
  There are a few issues in Symfony that should be discourage for production, only encouraged for RAD prototyping