Hi Fabien,
Only a small report:
I get a white page on the installation page
http://www.symfony-project.org/installation.
- Frank
On 03.10.2008 at 22:08, Fabien Potencier wrote:
>
> In accordance with our security policy, we are releasing today symfony
> 1.1.4 to fix a security issue that has been reported by a symfony user
> earlier today. This post contains the description of the vulnerability
> and the description of the changes we have made to fix it. The affected
> symfony versions are all symfony 1.1 releases and the 1.2 branch.
>
> Description of the vulnerability
> --------------------------------
>
> The validation sub-framework allows the developer to embed the user
> submitted value in the error messages. If you use the submitted value in
> some of your error messages or if you use the default error messages
> provided by some built-in validators (see the list below), you are
> vulnerable because symfony will not escape the value for you.
>
> The following built-in validators are affected because they embed the
> submitted values in some of their default error messages:
>
> * sfValidatorDate
> * sfValidatorFile
> * sfValidatorInteger
> * sfValidatorNumber
> * sfValidatorString
> * sfValidatorTime
>
> Resolution
> ----------
>
> As of symfony 1.1.4, we have changed the getArguments() method of the
> sfValidatorError class to escape the error messages. Here is the
> modified version of this method:
>
>     [php]
>     public function getArguments($raw = false)
>     {
>       if ($raw)
>       {
>         return $this->arguments;
>       }
>
>       $arguments = array();
>       foreach ($this->arguments as $key => $value)
>       {
>         if (is_array($value))
>         {
>           continue;
>         }
>
>         $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
>       }
>
>       return $arguments;
>     }
>
> The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2
> (changeset 11933) branches. You can download the patch for symfony 1.1
> or symfony 1.2 in the symfony trac.
>
> Every symfony user is encouraged to upgrade as soon as possible.
>
> --
> Fabien Potencier
> Sensio CEO - symfony lead developer
> sensiolabs.com | symfony-project.com | aide-de-camp.org
> Tél: +33 1 40 99 80 80
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"symfony developers" group.
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---
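
The escaping change described in the quoted announcement, shown end to end as an added example; it is not part of the original thread or of symfony's own code. `DemoValidatorError`, its `render()` method, the message template and the submitted value are assumptions constructed for illustration; only the body of `getArguments()` follows the method quoted above.

```php
<?php
// Added example: a minimal stand-in, not symfony's own sfValidatorError class.
final class DemoValidatorError
{
    private $template;
    private $arguments;

    public function __construct($template, array $arguments)
    {
        $this->template  = $template;
        $this->arguments = $arguments;
    }

    // Same logic as the patched method quoted in the announcement; the
    // charset is fixed to UTF-8 here instead of sfValidatorBase::getCharset().
    public function getArguments($raw = false)
    {
        if ($raw) {
            return $this->arguments;
        }
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) {
                continue; // array values are not substituted into messages
            }
            $arguments["%$key%"] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        }
        return $arguments;
    }

    // $escape = false reproduces the unpatched substitution of raw values.
    public function render($escape = true)
    {
        if ($escape) {
            return strtr($this->template, $this->getArguments());
        }
        $pairs = array();
        foreach (array_filter($this->getArguments(true), 'is_scalar') as $key => $value) {
            $pairs["%$key%"] = (string) $value;
        }
        return strtr($this->template, $pairs);
    }
}

// Constructed input: a submitted field value that contains markup.
$error = new DemoValidatorError('"%value%" is not an integer.',
    array('value' => '<script>alert(1)</script>', 'choices' => array(1, 2)));
echo $error->render(false), "\n"; // submitted markup reaches the page unchanged
echo $error->render(), "\n";      // markup is emitted as HTML entities
```

Because the escaped arguments are already HTML-safe, a template that escapes the rendered message a second time will show literal entities; `getArguments(true)` remains the source for non-HTML sinks such as logs.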