From 9a50fc572202f0da41b095900eec79fa3694777c Mon Sep 17 00:00:00 2001
From: Christophe Coevoet
Date: Fri, 24 May 2019 12:09:27 +0200
Subject: [PATCH 1/5] [HttpKernel] Use constant time comparison in UriSigner
---
 src/Symfony/Component/HttpKernel/UriSigner.php | 2 +-
 src/Symfony/Component/HttpKernel/composer.json | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
index 526a9197384a1..66fba97266856 100644
--- a/src/Symfony/Component/HttpKernel/UriSigner.php
+++ b/src/Symfony/Component/HttpKernel/UriSigner.php
@@ -75,7 +75,7 @@ public function check($uri)
 $hash = urlencode($params['_hash']);
 unset($params['_hash']);
- return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+ return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
 }
 private function computeHash($uri)
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
index e082b2a32dc2b..5526e718f100f 100644
--- a/src/Symfony/Component/HttpKernel/composer.json
+++ b/src/Symfony/Component/HttpKernel/composer.json
@@ -21,6 +21,7 @@
 "symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6",
 "symfony/debug": "^2.6.2",
 "symfony/polyfill-ctype": "~1.8",
+ "symfony/polyfill-php56": "~1.8",
 "psr/log": "~1.0"
 },
 "require-dev": {
From 2dfc115f6dd56fcc12a6941e8050349cc4d04dbe Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Fri, 19 Apr 2019 14:48:43 +0200
Subject: [PATCH 2/5] [HttpFoundation] fix guessing mime-types of files with leading dash
---
 .../File/MimeType/FileBinaryMimeTypeGuesser.php | 4 ++--
 .../HttpFoundation/Tests/File/Fixtures/-test | Bin 0 -> 35 bytes
 .../Tests/File/MimeType/MimeTypeTest.php | 13 ++++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test
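Review bot: `hash_equals()` on the new line requires two strings, but `$hash` is built from `urlencode($params['_hash'])` and nothing in the hunk pins that query value to a string; an array-valued `_hash` parameter makes `urlencode()` return `null` with a warning on PHP 5/7 (and throw a `TypeError` on PHP 8), so the comparison ends in a warning rather than a clean `false`. The guard on `_hash` earlier in `check()` sits above the hunk and presumably checks presence only, so an explicit type check there, `if (!isset($params['_hash']) || !is_string($params['_hash'])) { return false; }`, would make the rejection deterministic. The `symfony/polyfill-php56` requirement added in the composer.json hunk is the correct companion, since `hash_equals()` is native only from PHP 5.6. `check()` starts above the hunk.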
diff --git a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
index 34e015ee5c4f1..a3a3601e90af6 100644
--- a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
+++ b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
@@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface
 *
 * @param string $cmd The command to run to get the mime type of a file
 */
- public function __construct($cmd = 'file -b --mime %s 2>/dev/null')
+ public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null')
 {
 $this->cmd = $cmd;
 }
@@ -80,7 +80,7 @@ public function guess($path)
 ob_start();
 // need to use --mime instead of -i. see #6641
- passthru(sprintf($this->cmd, escapeshellarg($path)), $return);
+ passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return);
 if ($return > 0) {
 ob_end_clean();
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test
new file mode 100644
index 0000000000000000000000000000000000000000..b636f4b8df536b0a85e7cea1a6cf3f0bd3179b96
GIT binary patch
literal 35
jcmZ?wbh9u|WMp7uXkcLY4+c66KmZb9U}AD%WUvMRyAlZ1
literal 0
HcmV?d00001
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
index bb88807ab0519..19dfe09d0c7f0 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
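Review bot: The `./` prefix added in `guess()` is the part of the fix that covers every command template, including a caller-supplied `$cmd` that lacks the `--` now in the default, yet neither site explains this, so the next refactor can easily drop one half. The existing `// need to use --mime instead of -i. see #6641` comment should gain a line such as `// anchor paths starting with '-' so the external command never parses them as options`, and the `@param string $cmd` docblock in the constructor hunk should state that `%s` receives an already shell-escaped path and that custom templates should terminate option parsing with `--` before it. `guess()` starts and ends outside the second hunk.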
@@ -20,7 +20,18 @@
 */
 class MimeTypeTest extends TestCase
 {
- protected $path;
+ public function testGuessWithLeadingDash()
+ {
+ $cwd = getcwd();
+ chdir(__DIR__.'/../Fixtures');
+ try {
+ $this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test'));
+ chdir($cwd);
+ } catch(\Exception $e) {
+ chdir($cwd);
+ throw $e;
+ }
+ }
 public function testGuessImageWithoutExtension()
 {
From 2d6bf2e689cbaf6500ed21a6ccfd45bcd5f3c931 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Wed, 13 Nov 2019 09:35:55 +0100
Subject: [PATCH 3/5] Fix CHANGELOG
---
 CHANGELOG-2.8.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md
index 09cee379e3525..66822b4cdd0a6 100644
--- a/CHANGELOG-2.8.md
+++ b/CHANGELOG-2.8.md
@@ -7,6 +7,10 @@ in 2.8 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1
+* 2.8.51 (2019-04-17)
+
+ * no changes
+
 * 2.8.50 (2019-04-17)
 * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)
From be612fe316924132f286db6374c656dbcc564242 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Wed, 13 Nov 2019 09:36:05 +0100
Subject: [PATCH 4/5] updated CHANGELOG for 2.8.52
---
 CHANGELOG-2.8.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md
index 66822b4cdd0a6..aa13e1f9f1b12 100644
--- a/CHANGELOG-2.8.md
+++ b/CHANGELOG-2.8.md
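Review bot: `testGuessWithLeadingDash()` goes through `MimeTypeGuesser::getInstance()`, which delegates to whichever registered guesser is usable on the host; if I read the registry right the fileinfo-based guesser answers first when available, so the `file`-command path in `FileBinaryMimeTypeGuesser` that this series fixes may never execute under this test. Asserting against a `new FileBinaryMimeTypeGuesser()` directly, skipped when its own `isSupported()` returns false, would actually pin the regression. The duplicated `chdir($cwd)` is the pre-`finally` idiom for a 5.3-compatible branch, but it only restores the working directory for `\Exception`; on PHP 7 an `\Error` raised inside the `try` leaves the rest of the suite running in the Fixtures directory, so `catch (\Exception $e)` should at least note that limitation, and PSR-2 wants the space before the parenthesis that `catch(\Exception $e)` omits.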
@@ -7,6 +7,11 @@ in 2.8 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1
+* 2.8.52 (2019-11-13)
+
+ * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
+ * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
+
 * 2.8.51 (2019-04-17)
 * no changes
From 44dbe046a56b1e510b40ab7ecdeb946e7388d709 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Wed, 13 Nov 2019 09:36:16 +0100
Subject: [PATCH 5/5] updated VERSION for 2.8.52
---
 src/Symfony/Component/HttpKernel/Kernel.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
index 2e5c99b2353ea..d4207ac9fa963 100644
--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -59,11 +59,11 @@ abstract class Kernel implements KernelInterface, TerminableInterface
 protected $startTime;
 protected $loadClassCache;
- const VERSION = '2.8.51';
- const VERSION_ID = 20851;
+ const VERSION = '2.8.52';
+ const VERSION_ID = 20852;
 const MAJOR_VERSION = 2;
 const MINOR_VERSION = 8;
- const RELEASE_VERSION = 51;
+ const RELEASE_VERSION = 52;
 const EXTRA_VERSION = '';
 const END_OF_MAINTENANCE = '11/2018';