Channel: Symfony Blog

Security releases (CVE-2014-4931): Symfony 2.3.18, 2.4.8, and 2.5.2 released


Symfony 2.3.17, 2.4.7, and 2.5.2 have just been released; they contain a security fix for the Translator class provided by FrameworkBundle (CVE-2014-4931).

Note

The Symfony versions released today also contain a server-side mitigation for a JSONP vulnerability as described in CVE-2014-4671. You can learn more about this at Abusing JSONP with Rosetta Flash. Also, if you are using NelmioSecurityBundle, disable the content type sniffing for script resources.

Affected versions

All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the FrameworkBundle coming from the Symfony full-stack framework are affected by this issue. The translator component by itself is not vulnerable.

Note

We do not provide new versions of Symfony 2.0, 2.1, and 2.2 anymore as they reached their end of life; if you really need to patch those versions, use the patch for Symfony 2.3.

Description

When investigating issue #11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle.

When a URL depends on the locale, the route looks like /demo/{_locale}/. A best practice is to add a requirement to check that the _locale argument is actually a locale that you support. But if that's not the case, your application is vulnerable because the _locale argument (coming from the end user) is used in the translation cache template defined by FrameworkBundle without any sanitization.

Note

If you are only using the Translator component, you are not affected.

Resolution

This patch solves the issue by rejecting locales that contain characters outside the range of valid ones for locales. Symfony does not validate the locale against a fixed list, since anyone can define any locale name they want. So, this patch makes everything secure without breaking BC (except if the developer uses a locale with "strange" characters, but I doubt that is widespread).
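The two defences described above (the route requirement recommended in the description, and the rejection of locales with characters outside the valid range from the resolution) can be combined in application code. The following is an added example, not Symfony's own code nor the contents of the linked patch: the character class used for "valid locale characters" and the list of supported locales are assumptions made for illustration, and the cache path construction only imitates the shape of a cache template.

```php
<?php
// Added example (not Symfony's own code): validate a user-supplied _locale
// before it is ever used to build a translation cache path.
//
// Route-level requirement, as recommended in the advisory (constructed
// app/config/routing.yml fragment, shown here as a comment):
//
//   demo:
//       path: /demo/{_locale}/
//       requirements:
//           _locale: en|fr|de
//
// The checks below are the application-side equivalent for places where
// the locale arrives without passing through the router.

declare(strict_types=1);

// Assumed character class for well-formed locale identifiers: letters,
// digits, '@', '_', '.', '-' (covers values such as "en", "fr_FR",
// "sr_Latn@cyrillic"). Anything else is rejected before any use.
const LOCALE_PATTERN = '/^[a-z0-9@_.\-]+$/i';

// Constructed list of locales this hypothetical application supports.
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'en_GB', 'fr_FR'];

function isWellFormedLocale(string $locale): bool
{
    return preg_match(LOCALE_PATTERN, $locale) === 1;
}

function isSupportedLocale(string $locale): bool
{
    return in_array($locale, SUPPORTED_LOCALES, true);
}

// Builds the cache file path only after both checks pass, so untrusted
// input never reaches the path or the generated cache template.
function translationCachePath(string $cacheDir, string $locale): string
{
    if (!isWellFormedLocale($locale)) {
        throw new InvalidArgumentException(sprintf('Invalid "%s" locale.', $locale));
    }
    if (!isSupportedLocale($locale)) {
        throw new InvalidArgumentException(sprintf('Unsupported "%s" locale.', $locale));
    }

    return sprintf('%s/catalogue.%s.php', rtrim($cacheDir, '/'), $locale);
}

// Constructed inputs: two valid locales, two strings containing characters
// outside the allowed set, and one well-formed but unsupported locale.
foreach (['en_GB', 'fr', 'en GB', 'de$', 'it'] as $candidate) {
    try {
        echo translationCachePath('/tmp/cache', $candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The well-formedness check is what protects the cache layer regardless of how the locale was obtained; the supported-locale list is the stricter, application-specific policy and should be applied as a route requirement as well, so that unsupported locales are refused by the router before any controller or translator code runs.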

You need to upgrade Symfony to its latest version, according to the branch you are using for your project, or you can apply the following patch: https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch

Credits

I would like to thank Jeremy Derussé for reporting this security issue and for providing a patch.

Tip

To be notified about important Symfony dates, consider subscribing to the roadmap notifications.

Tip

You can check if your project is up-to-date with the latest security patches by using the SensioLabs Security Advisories Checker, or by using SensioLabsInsight.


