Thanks (for everything :D)!
On 04.10.2008 at 09:23, Fabien Potencier wrote:
>
> fixed
>
> --
> Fabien Potencier
> Sensio CEO - symfony lead developer
> sensiolabs.com | symfony-project.com | aide-de-camp.org
> Tél: +33 1 40 99 80 80
>
>
> Frank Stelzer wrote:
>> Hi Fabien,
>> Only a small report:
>> I get a white page on the installation page
>> http://www.symfony-project.org/installation.
>>
>> - Frank
>>
>> On 03.10.2008 at 22:08, Fabien Potencier wrote:
>>
>>> In accordance with our security policy, we are releasing today symfony
>>> 1.1.4 to fix a security issue that has been reported by a symfony user
>>> earlier today. This post contains the description of the vulnerability
>>> and the description of the changes we have made to fix it. The affected
>>> symfony versions are all symfony 1.1 releases and the 1.2 branch.
>>>
>>> Description of the vulnerability
>>> --------------------------------
>>>
>>> The validation sub-framework allows the developer to embed the user
>>> submitted value in the error messages. If you use the submitted value in
>>> some of your error messages or if you use the default error messages
>>> provided by some built-in validators (see the list below), you are
>>> vulnerable because symfony will not escape the value for you.
>>>
>>> The following built-in validators are affected because they embed the
>>> submitted values in some of their default error messages:
>>>
>>> * sfValidatorDate
>>> * sfValidatorFile
>>> * sfValidatorInteger
>>> * sfValidatorNumber
>>> * sfValidatorString
>>> * sfValidatorTime
>>>
>>> Resolution
>>> ----------
>>>
>>> As of symfony 1.1.4, we have changed the getArguments() method of the
>>> sfValidatorError class to escape the error messages. Here is the
>>> modified version of this method:
>>>
>>> [php]
>>> public function getArguments($raw = false)
>>> {
>>>   if ($raw)
>>>   {
>>>     return $this->arguments;
>>>   }
>>>
>>>   $arguments = array();
>>>   foreach ($this->arguments as $key => $value)
>>>   {
>>>     if (is_array($value))
>>>     {
>>>       continue;
>>>     }
>>>
>>>     $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, sfValidatorBase::getCharset());
>>>   }
>>>
>>>   return $arguments;
>>> }
>>>
>>> The fix has been applied to the symfony 1.1 (changeset 11932) and 1.2
>>> (changeset 11933) branches. You can download the patch for symfony 1.1
>>> or symfony 1.2 in the symfony trac.
>>>
>>> Every symfony user is encouraged to upgrade as soon as possible.
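The before-and-after behaviour described in the advisory above, as an added PHP example that is not part of this thread or of symfony's own code; the MiniValidatorError class, its render() helper and the sample submitted value are assumptions made for the illustration:

```php
<?php
// Added example, not symfony's own code: a minimal stand-in for sfValidatorError
// showing what the 1.1.4 change to getArguments() does to a submitted value.
// The class name, the render() helper and the sample value are hypothetical.
class MiniValidatorError
{
    private $messageFormat;
    private $arguments;
    private $charset;
    public function __construct($messageFormat, array $arguments, $charset = 'UTF-8')
    {
        $this->messageFormat = $messageFormat;
        $this->arguments = $arguments;
        $this->charset = $charset;
    }
    // Pre-1.1.4 behaviour: submitted values are interpolated verbatim.
    public function getArgumentsUnescaped()
    {
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) continue;
            $arguments["%$key%"] = $value;
        }
        return $arguments;
    }
    // 1.1.4 behaviour: each scalar argument is HTML-escaped (quotes included)
    // unless the caller explicitly asks for the raw array.
    public function getArguments($raw = false)
    {
        if ($raw) return $this->arguments;
        $arguments = array();
        foreach ($this->arguments as $key => $value) {
            if (is_array($value)) continue;
            $arguments["%$key%"] = htmlspecialchars($value, ENT_QUOTES, $this->charset);
        }
        return $arguments;
    }
    // Substitute the %key% placeholders the way a template renders the message.
    public function render($escaped = true)
    {
        $args = $escaped ? $this->getArguments() : $this->getArgumentsUnescaped();
        return strtr($this->messageFormat, $args);
    }
}
// Constructed sample: an sfValidatorInteger-style message and a submitted value that carries markup.
$error = new MiniValidatorError('"%value%" is not an integer.', array('value' => '12<b>abc</b>'));
echo $error->render(false), "\n"; // the <b> tag reaches the page as live markup
echo $error->render(true), "\n";  // the tag is escaped and shown as literal text
```

Note that passing `$raw = true` returns the arguments without the `%key%` wrapping, so a template that interpolates them directly has to do its own escaping.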
