fixed

--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.com | aide-de-camp.org
Tél: +33 1 40 99 80 80
Frank Stelzer wrote:
> Hi Fabien,
>
> Only a small report:
> I get a white page on the installation page
> http://www.symfony-project.org/installation
>
> - Frank
>
> On 03.10.2008 at 22:08, Fabien Potencier wrote:
>
>> In accordance with our security policy, we are releasing today symfony
>> 1.1.4 to fix a security issue that has been reported by a symfony user
>> earlier today. This post contains the description of the vulnerability
>> and the description of the changes we have made to fix it. The affected
>> symfony versions are all symfony 1.1 releases and the 1.2 branch.
>>
>> Description of the vulnerability
>> --------------------------------
>>
>> The validation sub-framework allows the developer to embed the user
>> submitted value in the error messages. If you use the submitted value in
>> some of your error messages or if you use the default error messages
>> provided by some built-in validators (see the list below), you are
>> vulnerable because symfony will not escape the value for you.
>>
>> The following built-in validators are affected because they embed the
>> submitted values in some of their default error messages:
>>
>> * sfValidatorDate
>> * sfValidatorFile
>> * sfValidatorInteger
>> * sfValidatorNumber
>> * sfValidatorString
>> * sfValidatorTime
>>
>> Resolution
>> ----------
>>
>> As of symfony 1.1.4, we have changed the getArguments() method of the
>> sfValidatorError class to escape the error messages. Here is the
>> modified version of this method:
>>
>> [php]
>> public function getArguments($raw = false)
>> {
>>   if ($raw)
>>   {
>>     return $this->arguments;
>>   }
>>
>>   $arguments = array();
>>   foreach ($this->arguments as $key => $value)
>>   {
>>     if (is_array($value))
>>     {
>>       continue;
>>     }
>>
>>     $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
>>   }
>>
>>   return $arguments;
>> }
>>
>> The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2
>> (changeset 11933) branches. You can download the patch for symfony 1.1
>> or symfony 1.2 in the symfony trac.
>>
>> Every symfony user is encouraged to upgrade as soon as possible.
>>
>> --
>> Fabien Potencier
>> Sensio CEO - symfony lead developer
>> sensiolabs.com | symfony-project.com | aide-de-camp.org
>> Tél: +33 1 40 99 80 80
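The advisory quoted above explains the fix only by showing the patched getArguments() method. The following is an added example, not symfony's code and not part of this thread: a hypothetical stand-in class (ToyValidatorError, with a local $charset instead of sfValidatorBase::getCharset()) that renders an error message template both with the pre-1.1.4 behaviour and with the escaping the advisory introduces, so the effect of the change on a submitted value containing markup can be seen directly.

```php
<?php
// Added example (not symfony's own code). ToyValidatorError is a hypothetical
// simplification of sfValidatorError: a message template with %name%
// placeholders plus the arguments used to fill them. The charset is passed in
// explicitly instead of being read from sfValidatorBase::getCharset().

class ToyValidatorError
{
    private $messageFormat;
    private $arguments;
    private $charset;

    public function __construct($messageFormat, array $arguments, $charset = 'UTF-8')
    {
        $this->messageFormat = $messageFormat;
        $this->arguments = $arguments;
        $this->charset = $charset;
    }

    // Pre-1.1.4 behaviour: placeholders are filled with the raw submitted
    // values, so any markup in a value is copied verbatim into the message.
    public function getArgumentsUnescaped()
    {
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) {
                continue;
            }
            $arguments["%$key%"] = $value;
        }
        return $arguments;
    }

    // Behaviour as of 1.1.4 (same logic as the method in the advisory): every
    // scalar argument is HTML-escaped with ENT_QUOTES, so <, >, & and both
    // quote characters become entities. $raw = true returns the original
    // values for callers that do not render HTML.
    public function getArguments($raw = false)
    {
        if ($raw) {
            return $this->arguments;
        }
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) {
                continue;
            }
            $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, $this->charset);
        }
        return $arguments;
    }

    // Fill the template; strtr() with an array replaces every placeholder key
    // by its value in one pass.
    public function render($escape = true)
    {
        $args = $escape ? $this->getArguments() : $this->getArgumentsUnescaped();
        return strtr($this->messageFormat, $args);
    }
}

// Constructed sample input: a form value containing HTML tags and a quote,
// of the kind an integer validator would reject and echo back in its message.
$submitted = '<i title="x">12</i>';
$error = new ToyValidatorError('"%value%" is not an integer.', array('value' => $submitted));

// Without escaping the tags survive into the rendered message; with the
// 1.1.4 behaviour they are shown as literal text.
echo "Unescaped: ", $error->render(false), "\n";
echo "Escaped:   ", $error->render(true), "\n";

// Callers that need the original value (logging, non-HTML output) use $raw.
var_dump($error->getArguments(true) === array('value' => $submitted));
```

Run it with `php example.php`. The important design point is that escaping happens in getArguments(), the single place every validator's message passes through, rather than in each validator's default message, which is why the fix covers all six listed validators and any custom messages that embed %value% at once.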
