From 9a50fc572202f0da41b095900eec79fa3694777c Mon Sep 17 00:00:00 2001 From: Christophe Coevoet Date: Fri, 24 May 2019 12:09:27 +0200 Subject: [PATCH 1/5] [HttpKernel] Use constant time comparison in UriSigner --- src/Symfony/Component/HttpKernel/UriSigner.php | 2 +- src/Symfony/Component/HttpKernel/composer.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php index 526a9197384a1..66fba97266856 100644 --- a/src/Symfony/Component/HttpKernel/UriSigner.php +++ b/src/Symfony/Component/HttpKernel/UriSigner.php @@ -75,7 +75,7 @@ public function check($uri) $hash = urlencode($params['_hash']); unset($params['_hash']); - return $this->computeHash($this->buildUrl($url, $params)) === $hash; + return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash); } private function computeHash($uri) diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json index e082b2a32dc2b..5526e718f100f 100644 --- a/src/Symfony/Component/HttpKernel/composer.json +++ b/src/Symfony/Component/HttpKernel/composer.json @@ -21,6 +21,7 @@ "symfony/http-foundation": "~2.7.36|~2.8.29|~3.1.6", "symfony/debug": "^2.6.2", "symfony/polyfill-ctype": "~1.8", + "symfony/polyfill-php56": "~1.8", "psr/log": "~1.0" }, "require-dev": { From 2dfc115f6dd56fcc12a6941e8050349cc4d04dbe Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Fri, 19 Apr 2019 14:48:43 +0200 Subject: [PATCH 2/5] [HttpFoundation] fix guessing mime-types of files with leading dash --- .../File/MimeType/FileBinaryMimeTypeGuesser.php | 4 ++-- .../HttpFoundation/Tests/File/Fixtures/-test | Bin 0 -> 35 bytes .../Tests/File/MimeType/MimeTypeTest.php | 13 ++++++++++++- 3 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test 
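Review bot: hash_equals() requires two strings, and the `$hash = urlencode($params['_hash'])` line just above the changed return only guarantees that when `_hash` arrived as a scalar; a request carrying `_hash[]=x` makes urlencode() warn and return null, so the new comparison fails with a warning rather than cleanly returning false. If the guard earlier in check() only tests emptiness (it is outside the hunk), tighten it to `if (empty($params['_hash']) || !\is_string($params['_hash'])) { return false; }` so the constant-time path always receives a string. The composer.json hunk adding symfony/polyfill-php56 is what makes hash_equals() resolve on this branch's older PHP targets; a short note on the class docblock that the comparison is constant-time and relies on that polyfill would help the next maintainer. check()'s body starts outside the hunk.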
diff --git a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php index 34e015ee5c4f1..a3a3601e90af6 100644 --- a/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php +++ b/src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php @@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface * * @param string $cmd The command to run to get the mime type of a file */ - public function __construct($cmd = 'file -b --mime %s 2>/dev/null') + public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null') { $this->cmd = $cmd; } @@ -80,7 +80,7 @@ public function guess($path) ob_start(); // need to use --mime instead of -i. see #6641 - passthru(sprintf($this->cmd, escapeshellarg($path)), $return); + passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return); if ($return > 0) { ob_end_clean(); diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test b/src/Symfony/Component/HttpFoundation/Tests/File/Fixtures/-test new file mode 100644 index 0000000000000000000000000000000000000000..b636f4b8df536b0a85e7cea1a6cf3f0bd3179b96 GIT binary patch literal 35 jcmZ?wbh9u|WMp7uXkcLY4+c66KmZb9U}AD%WUvMRyAlZ1 literal 0 HcmV?d00001 diff --git a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php index bb88807ab0519..19dfe09d0c7f0 100644 --- a/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php +++ b/src/Symfony/Component/HttpFoundation/Tests/File/MimeType/MimeTypeTest.php 
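Review bot: The `@param string $cmd` docblock above the changed default still reads only "The command to run to get the mime type of a file", while the new default encodes a contract the caller must keep: `%s` receives a shell-escaped path, and the `--` end-of-options marker is what stops `file` from parsing a file name that begins with `-` as an option. Suggested wording: `@param string $cmd The command to run; %s is replaced by the shell-escaped path, and the "--" keeps leading-dash file names from being read as options`. A caller supplying a custom command without `--` is protected only by the `./` prefix added in the guess() hunk below, so the docblock should point at that second defence too. The constructor body closes inside the hunk.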
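Review bot: The new passthru() argument folds the leading-dash guard, the concatenation and the escaping into a single expression, and the comment above it still explains only `--mime`; the reason the `./` prefix exists (escapeshellarg() quotes the value but `file` still sees `-test` as an option when the command lacks `--`) is not recorded anywhere. Split it out and say why: `// prefix leading-dash names with "./" so "file" never reads them as options, even when a custom $cmd lacks "--"`, then `$file = 0 === strpos($path, '-') ? './'.$path : $path;` and `passthru(sprintf($this->cmd, escapeshellarg($file)), $return);`. The prefix is safe because an absolute path never starts with `-`, so only relative names are ever rewritten. guess()'s body starts and ends outside the hunk.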
@@ -20,7 +20,18 @@ */ class MimeTypeTest extends TestCase { - protected $path; + public function testGuessWithLeadingDash() + { + $cwd = getcwd(); + chdir(__DIR__.'/../Fixtures'); + try { + $this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test')); + chdir($cwd); + } catch(\Exception $e) { + chdir($cwd); + throw $e; + } + } public function testGuessImageWithoutExtension() { From 2d6bf2e689cbaf6500ed21a6ccfd45bcd5f3c931 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 13 Nov 2019 09:35:55 +0100 Subject: [PATCH 3/5] Fix CHANGELOG --- CHANGELOG-2.8.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md index 09cee379e3525..66822b4cdd0a6 100644 --- a/CHANGELOG-2.8.md +++ b/CHANGELOG-2.8.md @@ -7,6 +7,10 @@ in 2.8 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1 +* 2.8.51 (2019-04-17) + + * no changes + * 2.8.50 (2019-04-17) * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas) From be612fe316924132f286db6374c656dbcc564242 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 13 Nov 2019 09:36:05 +0100 Subject: [PATCH 4/5] updated CHANGELOG for 2.8.52 --- CHANGELOG-2.8.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG-2.8.md b/CHANGELOG-2.8.md index 66822b4cdd0a6..aa13e1f9f1b12 100644 --- a/CHANGELOG-2.8.md +++ b/CHANGELOG-2.8.md 
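Review bot: `catch(\Exception $e)` in the new testGuessWithLeadingDash() lacks the space after `catch` used elsewhere in the file, and the try/catch-rethrow exists solely to restore the working directory, which is not obvious without a comment such as `// run from the fixtures dir so the guesser gets the relative name "-test"; restore cwd on failure too (no finally on PHP < 5.5)`. On PHP 7 an `\Error` raised inside the try would bypass the `\Exception` catch and leave the rest of the suite running in the fixtures directory; whether the branch's minimum PHP permits `catch (\Exception | \Error $e)` or `finally` cannot be seen from the hunk, so this is a hedged suggestion. The hunk also drops `protected $path;`; if other tests in the class still reference `$this->path`, that breaks them, which the hunk does not show.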
@@ -7,6 +7,11 @@ in 2.8 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.8.0...v2.8.1 +* 2.8.52 (2019-11-13) + + * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas) + * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof) + * 2.8.51 (2019-04-17) * no changes From 44dbe046a56b1e510b40ab7ecdeb946e7388d709 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 13 Nov 2019 09:36:16 +0100 Subject: [PATCH 5/5] updated VERSION for 2.8.52 --- src/Symfony/Component/HttpKernel/Kernel.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 2e5c99b2353ea..d4207ac9fa963 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php @@ -59,11 +59,11 @@ abstract class Kernel implements KernelInterface, TerminableInterface protected $startTime; protected $loadClassCache; - const VERSION = '2.8.51'; - const VERSION_ID = 20851; + const VERSION = '2.8.52'; + const VERSION_ID = 20852; const MAJOR_VERSION = 2; const MINOR_VERSION = 8; - const RELEASE_VERSION = 51; + const RELEASE_VERSION = 52; const EXTRA_VERSION = ''; const END_OF_MAINTENANCE = '11/2018'; pFad - Phonifier reborn
