diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md
index 09cee379e3525..aa13e1f9f1b12 100644
--- a/CHANGELOG-2.8.md
+++ b/CHANGELOG-2.8.md
@@ -7,6 +7,15 @@ in 2.8 minor versions.
To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1
+* 2.8.52 (2019-11-13)
+
+ * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
+ * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
+
+* 2.8.51 (2019-04-17)
+
+ * no changes
+
* 2.8.50 (2019-04-17)
* security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)
diff --git a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
index 34e015ee5c4f1..a3a3601e90af6 100644
--- a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
+++ b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php
@@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface
*
* @param string $cmd The command to run to get the mime type of a file
*/
- public function __construct($cmd = 'file -b --mime %s 2>/dev/null')
+ public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null')
{
$this->cmd = $cmd;
}
@@ -80,7 +80,7 @@ public function guess($path)
ob_start();
// need to use --mime instead of -i. see #6641
- passthru(sprintf($this->cmd, escapeshellarg($path)), $return);
+ passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return);
if ($return > 0) {
ob_end_clean();
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test
new file mode 100644
index 0000000000000..b636f4b8df536
Binary files /dev/null and b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test differ
diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
index bb88807ab0519..19dfe09d0c7f0 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php
@@ -20,7 +20,18 @@
*/
class MimeTypeTest extends TestCase
{
- protected $path;
+ public function testGuessWithLeadingDash()
+ {
+ $cwd = getcwd();
+ chdir(__DIR__.'/../Fixtures');
+ try {
+ $this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test'));
+ chdir($cwd);
+ } catch(\Exception $e) {
+ chdir($cwd);
+ throw $e;
+ }
+ }
public function testGuessImageWithoutExtension()
{
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
index 2e5c99b2353ea..d4207ac9fa963 100644
--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -59,11 +59,11 @@ abstract class Kernel implements KernelInterface, TerminableInterface
protected $startTime;
protected $loadClassCache;
- const VERSION = '2.8.51';
- const VERSION_ID = 20851;
+ const VERSION = '2.8.52';
+ const VERSION_ID = 20852;
const MAJOR_VERSION = 2;
const MINOR_VERSION = 8;
- const RELEASE_VERSION = 51;
+ const RELEASE_VERSION = 52;
const EXTRA_VERSION = '';
const END_OF_MAINTENANCE = '11/2018';
diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
index 526a9197384a1..66fba97266856 100644
--- a/src/Symfony/Component/HttpKernel/UriSigner.php
+++ b/src/Symfony/Component/HttpKernel/UriSigner.php
@@ -75,7 +75,7 @@ public function check($uri)
$hash = urlencode($params['_hash']);
unset($params['_hash']);
- return $this->computeHash($this->buildUrl($url, $params)) === $hash;
+ return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
}
private function computeHash($uri)
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
index e082b2a32dc2b..5526e718f100f 100644
--- a/src/Symfony/Component/HttpKernel/composer.json
+++ b/src/Symfony/Component/HttpKernel/composer.json
@@ -21,6 +21,7 @@
"symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6",
"symfony/debug": "^2.6.2",
"symfony/polyfill-ctype": "~1.8",
+ "symfony/polyfill-php56": "~1.8",
"psr/log": "~1.0"
},
"require-dev": {
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy