[symfony-devs] symfony 1.1.4 released: Security fix

[Fabien Potencier]

In accordance with our security policy, we are releasing today symfony 
1.1.4 to fix a security issue that has been reported by a symfony user 
earlier today. This post contains the description of the vulnerability 
and the description of the changes we have made to fix it. The affected 
symfony versions are all symfony 1.1 releases and the 1.2 branch.

Description of the vulnerability
--------------------------------

The validation sub-framework allows the developer to embed the user 
submitted value in the error messages. If you use the submitted value in 
some of your error messages or if you use the default error messages 
provided by some built-in validators (see the list below), you are 
vulnerable because symfony will not escape the value for you.

The following built-in validators are affected because they embed the 
submitted values in some of their default error messages:

   * sfValidatorDate
   * sfValidatorFile
   * sfValidatorInteger
   * sfValidatorNumber
   * sfValidatorString
   * sfValidatorTime

Resolution
----------

As of symfony 1.1.4, we have changed the getArguments() method of the 
sfValidatorError class to escape the error messages. Here is the 
modified version of this method:

     [php]
     public function getArguments($raw = false)
     {
       if ($raw)
       {
         return $this->arguments;
       }

       $arguments = array();
       foreach ($this->arguments as $key => $value)
       {
         if (is_array($value))
         {
           continue;
         }

         $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, 
sfValidatorBase::getCharset());
       }

       return $arguments;
     }

The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2 
(changeset 11933) branches. You can download the patch for symfony 1.1 
or symfony 1.2 in the symfony trac.

Every symfony user is encouraged to upgrade as soon as possible.

-- 
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.com | aide-de-camp.org
Tél: +33 1 40 99 80 80


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"symfony developers" group.
To post to this group, send email to symfony-devs@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---