Description
Symfony has an incorrect response from Validator when input ends with \n
Description
It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`.
Resolution
Symfony now uses the `D` regex modifier to match the entire input.
The patch for this issue is available here for branch 5.4.
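The behaviour described above can be reproduced with plain `preg_match`. The following is an added illustration, not Symfony's code or the patch itself; the patterns, the sample inputs and the helper name `accepts` are constructed for this example.

```php
<?php
// Added illustration (not from Symfony): how `$` treats a trailing "\n"
// in PCRE, and how the D modifier or \z changes it.
// Patterns and inputs below are constructed samples.

/** Returns true when $pattern accepts $input; throws on a broken pattern. */
function accepts(string $pattern, string $input): bool
{
    $result = preg_match($pattern, $input);
    if ($result === false) {
        throw new RuntimeException('preg_match failed, code ' . preg_last_error());
    }
    return $result === 1;
}

$patterns = [
    'plain $'        => '/^[a-z]+$/',   // `$` also matches before a final newline
    '$ with D'       => '/^[a-z]+$/D',  // `$` matches only at the very end
    '$ with m and D' => '/^[a-z]+$/mD', // D has no effect once m is set
    '\A ... \z'      => '/\A[a-z]+\z/', // anchors that ignore both modifiers
];

$inputs = ["abc", "abc\n", "abc\n\n", "abc\nxyz"];

foreach ($patterns as $label => $pattern) {
    printf("%-16s %s\n", $label, $pattern);
    foreach ($inputs as $input) {
        // json_encode makes the newline visible as \n in the output
        printf(
            "    %-12s %s\n",
            json_encode($input),
            accepts($pattern, $input) ? 'accepted' : 'rejected'
        );
    }
}
```

When auditing custom patterns, note that PHP documents `D` as ignored when the `m` modifier is set, so a multiline pattern that must cover the whole input needs `\A` and `\z` instead of `^` and `$`.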
Credits
We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.
References
- https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9
- https://nvd.nist.gov/vuln/detail/CVE-2024-50343
- https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml
- https://symfony.com/cve-2024-50343
Packages
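- symfony/symfony: affected < 5.4.43, fixed in 5.4.43
- symfony/symfony: affected >= 6.0.0, < 6.4.11, fixed in 6.4.11
- symfony/symfony: affected >= 7.0.0, < 7.1.4, fixed in 7.1.4
- symfony/validator: affected < 5.4.43, fixed in 5.4.43
- symfony/validator: affected >= 6.0.0, < 6.4.11, fixed in 6.4.11
- symfony/validator: affected >= 7.0.0, < 7.1.4, fixed in 7.1.4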
Related vulnerabilities
symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.
A vulnerability in the validator component of the Symfony platform for developing and managing web applications that allows an attacker to gain access to confidential data