
[HttpKernel] Don't use eval() to render ESI/SSI #50013


Merged: fabpot merged 1 commit into symfony:6.3 from nicolas-grekas:hk-no-eval on Apr 17, 2023

Conversation

@nicolas-grekas (Member)

| Q             | A   |
| ------------- | --- |
| Branch?       | 6.3 |
| Bug fix?      | no  |
| New feature?  | no  |
| Deprecations? | no  |
| Tickets       | -   |
| License       | MIT |
| Doc PR        | -   |

Yes, this would not be needed if people were able to use a real kernel.secret. But apparently, many fail.
And it looks like we can do something about it, so let's make this impossible to exploit :)

@nicolas-grekas force-pushed the hk-no-eval branch 5 times, most recently from 952c300 to 44269c3 on April 14, 2023 09:35

@fabpot (Member)

Thank you @nicolas-grekas.

@fabpot merged commit 3712d2e into symfony:6.3 on Apr 17, 2023
@nicolas-grekas deleted the hk-no-eval branch on April 19, 2023 09:57

@fritzmg (Contributor)

> Yes, this would not be needed if people were able to use a real kernel.secret. But apparently, many fail.

imho the issue is that it is not actually mandatory at all. Even the UriSigner allows an empty secret and in the Configuration tree of the FrameworkBundle, framework.secret is allowed to be anything. Currently only symfony/flex will automatically generate an APP_SECRET for you when you first set up the project. But that does not help if you either do not set up your project via symfony/flex or when you deploy the website to the live environment.

In any case, will this change also be back ported to Symfony 5.4?

Ainschy reacted with thumbs up emoji
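To make the gap fritzmg describes concrete from the defender's side, here is an added example (not Symfony's UriSigner and not code from this PR): a minimal HMAC-based URI signer that refuses to be constructed with an empty or too-short secret, so an unconfigured deployment fails at startup instead of silently signing URIs that anyone could recompute. The class name `StrictUriSigner`, the 32-byte minimum, the `_hash` parameter name and the sample secret are assumptions made for this illustration; it needs PHP 8.0+ for `str_contains`.

```php
<?php
// Added example, not Symfony's UriSigner: a minimal HMAC URI signer that
// rejects an empty or too-short secret up front. Class name, the 32-byte
// minimum and the "_hash" parameter name are assumptions for this demo.

final class StrictUriSigner
{
    private string $secret;

    public function __construct(string $secret)
    {
        // An empty secret lets anyone compute every signature, so a signer
        // built from an unconfigured deployment must fail loudly here
        // rather than accept whatever the configuration happened to hold.
        if ('' === $secret || strlen($secret) < 32) {
            throw new \InvalidArgumentException(
                'A secret of at least 32 bytes is required to sign URIs.'
            );
        }
        $this->secret = $secret;
    }

    // Appends "_hash=<HMAC over the rest of the URI>" as the last query parameter.
    public function sign(string $uri): string
    {
        $separator = str_contains($uri, '?') ? '&' : '?';

        return $uri.$separator.'_hash='.rawurlencode($this->computeHash($uri));
    }

    // Returns true only when the trailing _hash matches the HMAC of the rest.
    public function check(string $uri): bool
    {
        // sign() always appends _hash last, so only a trailing _hash is accepted.
        if (!preg_match('/^(.*)[?&]_hash=([^&]*)$/', $uri, $m)) {
            return false;
        }
        $unsigned = $m[1];
        $encodedHash = $m[2];
        $expected = $this->computeHash($unsigned);

        // Constant-time comparison so the check does not leak how many bytes matched.
        return hash_equals($expected, rawurldecode($encodedHash));
    }

    private function computeHash(string $uri): string
    {
        return base64_encode(hash_hmac('sha256', $uri, $this->secret, true));
    }
}

// Constructed sample secret; a real deployment reads it from configuration.
$signer = new StrictUriSigner(str_repeat('x', 32));

$signed = $signer->sign('/_fragment?_path=demo');
var_dump($signer->check($signed));

// Any change to the signed part invalidates the hash.
$tampered = str_replace('_path=demo', '_path=other', $signed);
var_dump($signer->check($tampered));

// The failure mode the thread discusses: an empty secret is rejected at construction.
try {
    new StrictUriSigner('');
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the constructor check is that the signer's security rests entirely on the secret: with an empty or predictable one, a valid `_hash` can be produced for any URI, so validating the secret is the configuration-level control that the thread says the framework does not currently enforce.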

@alexislefebvre (Contributor)

@fritzmg I can't find the relevant page in the doc but backports are not applied in the Symfony ecosystem. This new way to render is a feature, it can't land on a previous release.

@fritzmg (Contributor)

But it's a security issue that arbitrary code can be executed via the _fragment controller.

alexislefebvre reacted with thumbs up emoji

@alexislefebvre (Contributor)

Fair enough, does it require a CVE issue? 😬

@nicolas-grekas (Member, Author) commented May 4, 2023 (edited)

There is no security issue when one sets the secret as documented.

@fabpot (Member)

Let's merge the fix in 5.4 and 6.2 as well.

fritzmg, bytehead, and m-vo reacted with thumbs up emoji

@nicolas-grekas (Member, Author)

See #50238

fabpot added a commit that referenced this pull request on May 5, 2023:

…rekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[HttpKernel] Don't use eval() to render ESI/SSI

| Q             | A   |
| ------------- | --- |
| Branch?       | 5.4 |
| Bug fix?      | yes |
| New feature?  | no  |
| Deprecations? | no  |
| Tickets       | -   |
| License       | MIT |
| Doc PR        | -   |

Because this might be an important security hardening, this PR is a backport of #50013 for 5.4.

Commits
-------

ea449ca [HttpKernel] Don't use eval() to render ESI/SSI

Reviewers

@stof left review comments

@fabpot approved these changes


Milestone

6.3


6 participants

@nicolas-grekas, @fabpot, @fritzmg, @alexislefebvre, @stof, @carsonbot
