GHSA-m884-279h-32v2

Published: Mar 30, 2020
Source: github
Github: Reviewed
CVSS3: 4.6

Description

Exceptions displayed in non-debug configurations in Symfony

Description

When ErrorHandler renders an exception HTML page, it uses unescaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktrace was also displayed in non-debug environments.

Resolution

The ErrorHandler class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-debug environments.

The patches for this issue are available here and here for branch 4.4.
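As an added example (not Symfony's own ErrorHandler code; the function names are hypothetical), a minimal PHP error-page renderer showing the two defects described above, unescaped exception properties and an unconditional stacktrace, beside the escaped, debug-gated version:

```php
<?php
// Added illustration, not Symfony's own ErrorHandler code.
// Two defects from the advisory and their fix, side by side:
//   1. exception properties written into HTML without escaping
//   2. the stack trace shown even when debug mode is off
declare(strict_types=1);

/** Vulnerable shape: raw interpolation, trace always shown. */
function renderErrorPageVulnerable(\Throwable $e, bool $debug): string
{
    $html  = '<h1>' . get_class($e) . '</h1>';
    $html .= '<p>' . $e->getMessage() . '</p>';           // unescaped property
    $html .= '<pre>' . $e->getTraceAsString() . '</pre>'; // ignores $debug (CWE-209)
    return $html;
}

/** Hardened shape: every exception property escaped, trace only in debug. */
function renderErrorPageHardened(\Throwable $e, bool $debug): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $html  = '<h1>' . $esc(get_class($e)) . '</h1>';
    $html .= '<p>' . $esc($e->getMessage()) . '</p>';
    if ($debug) {
        $html .= '<pre>' . $esc($e->getTraceAsString()) . '</pre>';
    }
    return $html;
}

// Constructed input: an exception whose message echoes request-controlled text,
// the typical way markup ends up inside an exception property.
$e = new \RuntimeException('No route found for "<b>injected markup</b>"');

$prod  = false; // non-debug configuration, as in production
$vuln  = renderErrorPageVulnerable($e, $prod);
$fixed = renderErrorPageHardened($e, $prod);

// Vulnerable renderer: markup is live and the trace leaks in non-debug mode.
assert(str_contains($vuln, '<b>injected markup</b>'));
assert(str_contains($vuln, '<pre>'));

// Hardened renderer: markup is inert and no trace is emitted outside debug mode.
assert(str_contains($fixed, '&lt;b&gt;injected markup&lt;/b&gt;'));
assert(!str_contains($fixed, '<pre>'));
assert(str_contains(renderErrorPageHardened($e, true), '<pre>'));

echo "ok\n";
```

Run with `php -d zend.assertions=1` so the assertions are evaluated; the same check applies to any custom error page that interpolates exception data.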

Credits

I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

Packages

| Name | Ecosystem | Affected versions | Fixed version |
|---|---|---|---|
| symfony/error-handler | composer | >= 4.4.0, < 4.4.4 | 4.4.4 |
| symfony/error-handler | composer | >= 5.0.0, < 5.0.4 | 5.0.4 |
| symfony/symfony | composer | >= 4.4.0, < 4.4.4 | 4.4.4 |
| symfony/symfony | composer | >= 5.0.0, < 5.0.4 | 5.0.4 |

EPSS: 0.00267 (percentile 50%, Low)

CVSS3: 4.6 Medium

Weaknesses: CWE-209

Related vulnerabilities

CVSS3: 4.6, ubuntu, about 5 years ago

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5.

CVSS3: 4.6, nvd, about 5 years ago

Same description as the ubuntu entry above.

CVSS3: 4.6, debian, about 5 years ago

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exc ...
