GHSA-p9fg-j6ww-953m

Published: May 15, 2024
Source: github
Github: Reviewed

Description

FOSRestBundle issue with broken validation of JSONP callbacks

Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However, the change was implemented incorrectly: it validated the name of the callback query parameter rather than its value. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
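The class of mistake described above, as an added PHP illustration that is not code from FOSRestBundle or from willdurand/jsonp-callback-validator. The functions `isValidCallback`, `flawedCheck` and `correctedCheck`, the parameter name `callback` and the sample query values are assumptions constructed for the example; the regex is a simplified stand-in for a real callback validator.

```php
<?php
// Simplified stand-in validator (assumption, not the library's rules):
// accept only dot-separated JavaScript-style identifiers.
// \A and \z are used instead of ^ and $ so a trailing newline is rejected.
function isValidCallback(string $callback): bool
{
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/\A' . $ident . '(\.' . $ident . ')*\z/', $callback) === 1;
}

// Flawed pattern: the configured parameter *name* is validated.
// The name is a fixed, developer-chosen string, so this always passes
// and the request-supplied value is never inspected.
function flawedCheck(string $paramName, array $query): bool
{
    return isValidCallback($paramName);
}

// Corrected pattern: the *value* sent by the client is validated.
// A missing or non-string value (e.g. callback[]=x) is rejected as well.
function correctedCheck(string $paramName, array $query): bool
{
    $value = $query[$paramName] ?? null;
    return is_string($value) && isValidCallback($value);
}

$paramName = 'callback'; // hypothetical configured JSONP parameter name

// Constructed sample query strings, already parsed into arrays.
$samples = [
    ['callback' => 'handleResponse'],          // plain identifier
    ['callback' => 'app.handlers.onData'],     // dotted identifier
    ['callback' => 'handleResponse();extra'],  // not an identifier
    ['callback' => ['nested']],                // array instead of string
    [],                                        // parameter absent
];

foreach ($samples as $query) {
    printf(
        "%-40s flawed=%-5s corrected=%s\n",
        json_encode($query),
        var_export(flawedCheck($paramName, $query), true),
        var_export(correctedCheck($paramName, $query), true)
    );
}
```

The flawed check reports `true` for every sample, including the three that the corrected check rejects, which is why a regression test for this kind of fix should feed invalid callback values rather than only valid ones.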

Packages

Name: friendsofsymfony/rest-bundle (composer)
Affected versions: >= 1.2.0, < 1.2.2
Fixed version: 1.2.2