Security Issue - Symfony 2.0.11

The just released Symfony 2.0.11 contains a fix for a security vulnerability in the Serializer Component. We strongly recommend that you upgrade as soon as possible.

Sense of Security reported the vulnerability this morning:

“The XMLEncoder component of Symfony 2.0.x fails to disable entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.”

Here is an example of how it could be exploited:

use Symfony\Component\Serializer\Serializer;
use Symfony\Component\Serializer\Encoder\XmlEncoder;

$serializer = new Serializer(array(), array('xml' => new XmlEncoder()));

// The DTD declares an external entity that is read from the local file system
// through the php://filter wrapper; base64-encoding keeps the file content
// well-formed as XML text. The root element name (scan) is an assumption,
// since the original markup was lost when the page was extracted.
$x = $serializer->decode(
    '<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>'
    . '<scan>&test;</scan>',
    'xml'
);

var_dump($x);

In this example, $x now contains the contents of /etc/passwd, base64-encoded.
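The two checks that stop this payload are to refuse any DOCTYPE (the only place an entity can be declared) and to keep libxml's external entity loader switched off while parsing. The following is an added example written for this page; it is not the Symfony patch and not code from the Sense of Security report. The function name decodeXmlSafely and the sample documents are assumptions made for the illustration.

```php
<?php
// Added example, not code from the blog post or from the Symfony project.
// Hardened XML decoding: refuse any DOCTYPE (so no entity can be declared)
// and keep libxml's external entity loader switched off while parsing.

function decodeXmlSafely(string $xml): DOMDocument
{
    // Before PHP 8.0 external entity loading had to be disabled explicitly;
    // since PHP 8.0 (libxml >= 2.9) it is off by default and the call is deprecated.
    $previousLoader = null;
    if (\PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    // Collect parser errors instead of emitting PHP warnings.
    $previousErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $loaded = false;
    try {
        // LIBXML_NONET forbids network access during parsing. Never pass
        // LIBXML_NOENT here: it would ask libxml to substitute entities.
        $loaded = $dom->loadXML($xml, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
    if (!$loaded) {
        throw new UnexpectedValueException('Malformed XML document.');
    }

    // A DTD is the only place an entity can be declared, and an internal
    // subset needs no external fetch at all, so reject the document outright
    // if one is present. No legitimate API payload needs a DOCTYPE.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new UnexpectedValueException('Document types are not allowed.');
        }
    }

    return $dom;
}

// Constructed inputs (assumptions for this example): an XXE payload in the
// same shape as the one above, and an ordinary document that must still decode.
$xxe = '<!DOCTYPE scan [<!ENTITY test SYSTEM '
     . '"php://filter/read=convert.base64-encode/resource=/etc/passwd">]>'
     . '<scan>&test;</scan>';
$benign = '<scan><host>10.0.0.1</host></scan>';

try {
    decodeXmlSafely($xxe);
    echo "XXE payload was accepted (unexpected)\n";
} catch (UnexpectedValueException $e) {
    echo "XXE payload rejected: ", $e->getMessage(), "\n";
}

$dom = decodeXmlSafely($benign);
echo "Benign document decoded, root element: ", $dom->documentElement->tagName, "\n";
```

The DOCTYPE check is the one that matters most: disabling the entity loader only blocks entities whose content must be fetched from a file or URL, while rejecting the DTD altogether also removes internal entity expansion (and with it entity-expansion denial of service), and it keeps working on PHP versions where libxml_disable_entity_loader no longer exists.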

Fortunately, the vulnerability was fixed today by Jordi Boggiano. Symfony 2.0.11 ships the fix so that everyone has an easy upgrade path. If you cannot upgrade to 2.0.11 right away, at least apply the corresponding patch as soon as possible.

Some other small bug fixes are also included in the 2.0.11 release. As always, the CHANGELOG lists all the changes in this release, and the full diff is available as well.

For a new project, get the Symfony Standard Edition from the official site.

If your project is already based on Symfony Standard Edition 2.0.x, upgrade it to 2.0.11 by fetching the new deps and deps.lock files.

Afterwards, run the vendors script (it clears your cache as well):

$ ./bin/vendors install

Don’t forget that the Symfony2 Components are also available as standalone libraries. You can either get them from their dedicated read-only repositories on GitHub or install them via Composer.