[HttpKernel] Don't use eval() to render ESI/SSI #50013
Conversation
711c6ec to
0464c44
Compare
952c300 to
44269c3
Compare
44269c3 to
6c1f39a
Compare
|
Thank you @nicolas-grekas. |
imho the issue is that it is not actually mandatory at all. Even the In any case, will this change also be back ported to Symfony 5.4? |
|
@fritzmg I can't find the relevant page in the doc but backports are not applied in the Symfony ecosystem. This new way to render is a feature, it can't land on a previous release. |
|
But it's a security issue that arbitrary code can be executed via the |
|
Fair enough, does it require a CVE issue? 😬 |
|
There is no security issue when one sets the secret as documented. |
|
Let's merge the fix in 5.4 and 6.2 as well. |
|
See #50238 |
…rekas) This PR was merged into the 5.4 branch. Discussion ---------- [HttpKernel] Don't use eval() to render ESI/SSI | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Because this might be an important security hardening, this PR is a backport of #50013 for 5.4. Commits ------- ea449ca [HttpKernel] Don't use eval() to render ESI/SSI
Yes, this would not be needed if people were able to use a real
kernel.secret. But apparently, many fail.And it looks like we can do something about it, so let's makes this impossible to exploit :)