fixed

--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.com | aide-de-camp.org
Tél: +33 1 40 99 80 80


Frank Stelzer wrote:
> Hi Fabien,
> Only a small report:
> I get a white page on the installation page
> http://www.symfony-project.org/installation.
> 
> - Frank
> 
> Am 03.10.2008 um 22:08 schrieb Fabien Potencier:
> 
>> In accordance with our security policy, we are releasing today symfony
>> 1.1.4 to fix a security issue that has been reported by a symfony user
>> earlier today. This post contains the description of the vulnerability
>> and the description of the changes we have made to fix it. The affected
>> symfony versions are all symfony 1.1 releases and the 1.2 branch.
>>
>> Description of the vulnerability
>> --------------------------------
>>
>> The validation sub-framework allows the developer to embed the user
>> submitted value in the error messages. If you use the submitted value in
>> some of your error messages or if you use the default error messages
>> provided by some built-in validators (see the list below), you are
>> vulnerable because symfony will not escape the value for you.
>>
>> The following built-in validators are affected because they embed the
>> submitted values in some of their default error messages:
>>
>>   * sfValidatorDate
>>   * sfValidatorFile
>>   * sfValidatorInteger
>>   * sfValidatorNumber
>>   * sfValidatorString
>>   * sfValidatorTime
>>
>> Resolution
>> ----------
>>
>> As of symfony 1.1.4, we have changed the getArguments() method of the
>> sfValidatorError class to escape the error messages. Here is the
>> modified version of this method:
>>
>>     [php]
>>     public function getArguments($raw = false)
>>     {
>>       if ($raw)
>>       {
>>         return $this->arguments;
>>       }
>>
>>       $arguments = array();
>>       foreach ($this->arguments as $key => $value)
>>       {
>>         if (is_array($value))
>>         {
>>           continue;
>>         }
>>
>>         $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
>>       }
>>
>>       return $arguments;
>>     }
>>
>> The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2
>> (changeset 11933) branches. You can download the patch for symfony 1.1
>> or symfony 1.2 in the symfony trac.
>>
>> Every symfony user is encouraged to upgrade as soon as possible.
>>
>> -- 
>> Fabien Potencier
>> Sensio CEO - symfony lead developer
>> sensiolabs.com | symfony-project.com | aide-de-camp.org
>> Tél: +33 1 40 99 80 80
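An added illustration of the issue the advisory above describes; this is not symfony's code and not part of the thread. It uses an invented MiniValidatorError class whose %value% placeholder is filled from the submitted value, and shows the message both unescaped (pre-1.1.4 behaviour) and with the htmlspecialchars() escaping that the 1.1.4 getArguments() applies. Unlike symfony's method, the raw form here keeps the %key% wrapping so both forms can feed strtr().

```php
<?php
// Added example, not symfony's code: a minimal stand-in for sfValidatorError.
// Placeholders such as %value% in the message are filled from the arguments
// map, so an unescaped submitted value lands verbatim in the rendered HTML.
class MiniValidatorError
{
  private $message;
  private $arguments;

  public function __construct($message, array $arguments)
  {
    $this->message   = $message;
    $this->arguments = $arguments;
  }

  // Builds the placeholder map, mirroring the 1.1.4 getArguments(): scalar
  // values are HTML-escaped unless $raw is requested, array values are skipped.
  public function getArguments($raw = false, $charset = 'UTF-8')
  {
    $arguments = array();
    foreach ($this->arguments as $key => $value)
    {
      if (is_array($value))
      {
        continue;
      }
      $arguments["%$key%"] = $raw
        ? $value
        : htmlspecialchars($value, ENT_QUOTES, $charset);
    }

    return $arguments;
  }

  // Renders the message the way a form template would: $raw = true shows the
  // pre-1.1.4 behaviour, $raw = false the fixed one.
  public function getMessage($raw = false)
  {
    return strtr($this->message, $this->getArguments($raw));
  }
}

// Constructed input: a submitted value that contains markup.
$submitted = '<i>twelve</i>';
$error = new MiniValidatorError('"%value%" is not an integer.', array('value' => $submitted));

echo $error->getMessage(true), "\n";  // pre-fix: the markup is substituted verbatim
echo $error->getMessage(false), "\n"; // fixed: angle brackets and quotes are escaped
```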
You received this message because you are subscribed to the Google Groups
"symfony developers" group.
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en