Affected versions
Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.
The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.
Description
In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).
Affected versions
Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.
The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.
Description
In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the __isset() method is now called after the security check.
This is a BC break.
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpClient component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.
Resolution
The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.
Affected versions
Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.
The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.
Description
It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.
Resolution
Symfony now uses the D regex modifier to match the entire input.
Affected versions
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Process component are affected by this security issue.
The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
Description
On Window, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.
Resolution
The Process class now uses the absolute path to cmd.exe.
Affected versions
Symfony versions >=6.2, <6.4.10; >=7.0, <7.0.10; >=7.1, <7.1.3 of the Symfony SecurityBundle component are affected by this security issue.
The issue has been fixed in Symfony 6.4.10, 7.0.10, and 7.1.3.
Description
The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.
Resolution
The Security::login method now ensure to call the configured user_checker.
Symfony 7.2 includes some DX (developer experience) improvements to make your
work easier in some tasks related to templates.
Symfony provides the translation:extract command to extract all
translatable content from Twig templates and PHP code (e.g. forms):