symfony 1.1.4 released: Security fix
In accordance with our security policy, we are releasing symfony 1.1.4 today to fix a security issue that was reported by a symfony user earlier today. This post describes the vulnerability and the changes we have made to fix it. The affected symfony versions are all symfony 1.1 releases and the 1.2 branch.

Description of the vulnerability

The validation sub-framework allows the developer to embed the user-submitted value in the error messages. If you use the submitted value in some of your error messages, or if you use the default error messages provided by some built-in validators (see the list below), you are vulnerable, because symfony does not HTML-escape the value for you: any markup contained in the submitted value is rendered as-is when the error message is displayed (cross-site scripting).

The following built-in validators are affected because they embed the submitted values in some of their default error messages:

Resolution

As of symfony 1.1.4, we have changed the getArguments() method of the sfValidatorError class so that the arguments substituted into the error messages are escaped. Here is the modified version of this method:

```php
public function getArguments($raw = false)
{
  // Callers that need the original values can still ask for them unescaped.
  if ($raw)
  {
    return $this->arguments;
  }

  $arguments = array();
  foreach ($this->arguments as $key => $value)
  {
    // Array arguments are not substituted into messages, so they are skipped.
    if (is_array($value))
    {
      continue;
    }

    // Every scalar argument is HTML-escaped (quotes included) in the validator's
    // charset before it is exposed as a %key% placeholder.
    $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
  }

  return $arguments;
}
```
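As an added illustration that is not part of the original post or of symfony's own code, the following stand-alone PHP script reproduces the pattern described above with a minimal class: the same error message is built once from the raw submitted value and once from the value escaped the way the 1.1.4 getArguments() does. The class name, the message format and the fixed 'UTF-8' charset (standing in for sfValidatorBase::getCharset()) are assumptions made for the example.

```php
<?php
// Added example, not symfony's own code: a minimal stand-in for
// sfValidatorError showing how a %value% placeholder is filled, first
// without escaping (symfony <= 1.1.3) and then with the 1.1.4 escaping.
// Class name, message format and charset are assumptions for illustration.
class MiniValidatorError
{
    private $format;
    private $arguments;
    private $escape;
    public function __construct($format, array $arguments, $escape = true)
    {
        $this->format    = $format;
        $this->arguments = $arguments;
        $this->escape    = $escape;
    }
    // Mirrors the 1.1.4 fix: every scalar argument is HTML-escaped before it
    // is exposed as a %key% placeholder; array arguments are skipped.
    public function getArguments($raw = false)
    {
        if ($raw) {
            return $this->arguments;
        }
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) {
                continue;
            }
            $arguments["%$key%"] = $this->escape
                ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
                : $value;
        }
        return $arguments;
    }
    // Substitute the placeholders, as the form rendering does for error messages.
    public function getMessage()
    {
        return strtr($this->format, $this->getArguments());
    }
}
// Constructed input: a submitted value that carries markup.
$submitted = '<script>alert(1)</script>';
$format    = '"%value%" is not a valid email address.';
$before = new MiniValidatorError($format, array('value' => $submitted), false);
$after  = new MiniValidatorError($format, array('value' => $submitted), true);
echo 'Unescaped: ' . $before->getMessage() . "\n"; // markup reaches the page intact
echo 'Escaped:   ' . $after->getMessage() . "\n";  // angle brackets and quotes become entities
```

Running the script shows the first message carrying the raw tags into the HTML output, while the second one renders the submitted value as visible text only.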

The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 (changeset 11933) branches. You can download the patch for symfony 1.1 or symfony 1.2.

Every symfony user is encouraged to upgrade as soon as possible.
