Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[WebProfilerExtension] Fixes escaping for a safe output with multiple roles#21385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
linaori wants to merge1 commit intosymfony:3.2fromlinaori:fix/role-wdt
Closed

Conversation

@linaori
Copy link
Contributor

QA
Branch?3.2
Bug fix?yes
New feature?no
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed tickets#21384
LicenseMIT
Doc PR~

This fixes the issue reported about escaping the the roles if multiple are shown. I don't think this should be filtered by twig as this was not present in the old version in 3.1. /cc@wouterj

{
$profilerDump =function (\Twig_Environment$env,$value,$maxDepth =0) {
return$valueinstanceof Data ?$this->dumpData($env,$value,$maxDepth) :twig_escape_filter($env,$this->dumpValue($value));
return$valueinstanceof Data ?$this->dumpData($env,$value,$maxDepth) :$this->dumpValue($value);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this is wrong. The ValueExporter does not provide safe output (it does not handle escaping)

@stof
Copy link
Member

Btw, dumpValue is deprecated. So if the security panel really uses this code path, we should upgrade it.

@linaori
Copy link
ContributorAuthor

Well, this was the old behavior and that worked (regardless of safe), which broke in 3.2. I indeed noticed the deprecation. Is theData what's supposed to be fed to theprofiler_dump function in twig via the Collectors?

I don't see any concrete implementations of this yet, can you point me at one or do you have an idea how this should be fixed in a generic way? To me it looks like all the DataCollectors have to be updated.

@stof
Copy link
Member

Well, we need to figure out where the double-escaping takes place exactly. But removing this one looks wrong to me. The ValueExporter isnot escaping, meaning that this escaping cannot be removed (otherwise the output of the function is not safe anymore, thus lying to Twig and potentially opening XSS holes)

@stof
Copy link
Member

I just identifier the real source of the bug, so I'm closing this PR and will open one with the real fix

linaori reacted with thumbs up emoji

@stofstof closed thisJan 24, 2017
@linaorilinaori deleted the fix/role-wdt branchJanuary 24, 2017 09:19
@stof
Copy link
Member

see#21387 for the real fix (and the explanation of the bug)

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@stofstofstof left review comments

Assignees

No one assigned

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@linaori@stof@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp