Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpClient component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.
Resolution
The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.
Affected versions
Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.
The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.
Description
It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.
Resolution
Symfony now uses the D regex modifier to match the entire input.
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Process component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
On Window, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.
Resolution
The Process class now uses the absolute path to cmd.exe.
Affected versions
Symfony versions >=6.2, <6.4.10; >=7.0, <7.0.10; >=7.1, <7.1.3 of the Symfony SecurityBundle component are affected by this security issue.
The issue has been fixed in Symfony 6.4.10, 7.0.10, and 7.1.3.
Description
The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.
Resolution
The Security::login method now ensure to call the configured user_checker.
Symfony 7.2 includes some DX (developer experience) improvements to make your
work easier in some tasks related to templates.
Symfony provides the translation:extract command to extract all
translatable content from Twig templates and PHP code (e.g. forms):
Symfony 7.2.0-BETA1 has just been released.
Here is the list of the most important changes since 7.1:
Symfony 7.1.6 has just been released.
Here is the list of the most important changes since 7.1.5: