diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md
index 09cee379e3525..aa13e1f9f1b12 100644
--- a/CHANGELOG-2.8.md
+++ b/CHANGELOG-2.8.md
@@ -7,6 +7,15 @@ in 2.8 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1
 
+* 2.8.52 (2019-11-13)
+
+ * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
+ * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
+
+* 2.8.51 (2019-04-17)
+
+ * no changes
+
 * 2.8.50 (2019-04-17)
 
  * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)
diff --git a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
index 34e015ee5c4f1..a3a3601e90af6 100644
--- a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
+++ b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
@@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface
      *
      * @param string $cmd The command to run to get the mime type of a file
      */
-    public function __construct($cmd = 'file -b --mime %s 2>/dev/null')
+    public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null')
     {
         $this->cmd = $cmd;
     }
@@ -80,7 +80,7 @@ public function guess($path)
         ob_start();
 
         // need to use --mime instead of -i. see #6641
-        passthru(sprintf($this->cmd, escapeshellarg($path)), $return);
+        passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return);
 
         if ($return > 0) {
             ob_end_clean();
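Review bot: The `--` added to the default command only protects callers who keep that default; anyone passing their own `$cmd` to the constructor without `--` is left relying on the `./` prefixing done in guess(), and the docblock does not say so. I would extend the parameter documentation to `@param string $cmd The command to run to get the mime type of a file; %s receives the shell-escaped path, and the command should keep the "--" so that the path can never be parsed as an option`. The new test appears to cover only the default command, so a custom command is presumably not exercised — worth confirming.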
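Review bot: The `./` prefix on the new passthru() line has no comment explaining it, while the neighbouring `// need to use --mime instead of -i. see #6641` shows the file already documents such quirks; the rationale otherwise lives only in the changelog. I would add above the line `// a path starting with "-" would be parsed as an option by the file binary; prefixing "./" keeps it a path (see cve-2019-18888)`. Since a path beginning with `-` cannot be absolute, the prefix does not change which file is read, which is worth stating so nobody "simplifies" it away. guess() starts and ends outside the hunk.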
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test
new file mode 100644
index 0000000000000..b636f4b8df536
Binary files /dev/null and b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test differ
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
index bb88807ab0519..19dfe09d0c7f0 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
@@ -20,7 +20,18 @@
  */
 class MimeTypeTest extends TestCase
 {
-    protected $path;
+    public function testGuessWithLeadingDash()
+    {
+        $cwd = getcwd();
+        chdir(__DIR__.'/../Fixtures');
+        try {
+            $this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test'));
+            chdir($cwd);
+        } catch(\Exception $e) {
+            chdir($cwd);
+            throw $e;
+        }
+    }
 
     public function testGuessImageWithoutExtension()
     {
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
index 2e5c99b2353ea..d4207ac9fa963 100644
--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -59,11 +59,11 @@ abstract class Kernel implements KernelInterface, TerminableInterface
     protected $startTime;
     protected $loadClassCache;
 
-    const VERSION = '2.8.51';
-    const VERSION_ID = 20851;
+    const VERSION = '2.8.52';
+    const VERSION_ID = 20852;
     const MAJOR_VERSION = 2;
     const MINOR_VERSION = 8;
-    const RELEASE_VERSION = 51;
+    const RELEASE_VERSION = 52;
     const EXTRA_VERSION = '';
 
     const END_OF_MAINTENANCE = '11/2018';
diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
index 526a9197384a1..66fba97266856 100644
--- a/src/Symfony/Component/HttpKernel/UriSigner.php
+++ b/src/Symfony/Component/HttpKernel/UriSigner.php
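Review bot: testGuessWithLeadingDash goes through `MimeTypeGuesser::getInstance()`, so whether it ever reaches the patched passthru() in FileBinaryMimeTypeGuesser depends on which guessers are registered and supported on the test machine; if another guesser answers first, the fix in this commit is not what the assertion exercises. I would add a second assertion that instantiates `new FileBinaryMimeTypeGuesser()` directly (skipping when that guesser reports itself unsupported) so the `file` binary path is covered regardless of environment. Two smaller points on the same lines: `catch(\Exception $e)` should read `catch (\Exception $e)` per the coding standard used elsewhere in the file, and the try/catch only restores the working directory for exceptions — an engine `\Error` on PHP 7+ would escape and leave later tests running from the Fixtures directory; if `finally` is unavailable because of the supported PHP floor, a short comment saying so would prevent a well-meant refactor.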
@@ -75,7 +75,7 @@ public function check($uri)
         $hash = urlencode($params['_hash']);
         unset($params['_hash']);
 
-        return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
     }
 
     private function computeHash($uri)
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
index e082b2a32dc2b..5526e718f100f 100644
--- a/src/Symfony/Component/HttpKernel/composer.json
+++ b/src/Symfony/Component/HttpKernel/composer.json
@@ -21,6 +21,7 @@
         "symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6",
         "symfony/debug": "^2.6.2",
         "symfony/polyfill-ctype": "~1.8",
+        "symfony/polyfill-php56": "~1.8",
         "psr/log": "~1.0"
     },
     "require-dev": {
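Review bot: The new `hash_equals()` line has the arguments in the right order (the locally computed digest as the known string, the request-supplied `$hash` second), but nothing in the code records why the comparison must stay this way; a one-line comment would stop a future cleanup from swapping the operands or reverting to `===`: `// constant-time comparison: $hash comes from the request (see cve-2019-18887)`. `hash_equals()` exists only from PHP 5.6, which the `symfony/polyfill-php56` requirement added to composer.json in this same commit appears to cover for older runtimes. One thing the commit does not touch: `$hash` is built by `urlencode($params['_hash'])` on the context line above, and if `_hash` arrives as a non-string query value the behaviour depends on the PHP version (a warning and a null on older engines, a TypeError on newer ones) — an `is_string()` check before that line would make the outcome a plain `false` everywhere. check() starts outside the hunk.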