Versions:

3.1.12

Overview

This security release resolves several XSS vulnerabilities and an XML parsing vulnerability (external entity and entity expansion handling in Convert::xml2array) in the Framework.

Upgrading

If your code relies on Convert::xml2array, there are important things to consider with regard to XML external entity (XXE) and entity expansion attacks. This release adds options to that method to help guard against these risks; each option is turned off by default, so existing callers remain unprotected until they opt in.

Please refer to http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html#xml-external-entity-injection for details of the specific reasons behind these changes and how you can guard against these attacks in your code.

Specifically, this method has two new parameters:

  • The $disableDoctypes parameter, when set, rejects XML content containing a <!DOCTYPE > header, since an inline DTD may contain unguarded or recursive entity definitions (for example an entity-expansion "billion laughs" payload).
  • The $disableExternals parameter, when set, makes the XML parser ignore any externally referenced entity or DTD within the document, ensuring that injected XML is unable to pull in data from potentially hazardous sources such as local files or remote URLs.
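The following is an added example, not SilverStripe's own code: a small stand-alone parser that applies the same two guards described above, run against constructed hostile payloads. The function name parseXmlGuarded and the argument order ($disableDoctypes first, then $disableExternals) are assumptions based on the order in which the release notes list the parameters; the payloads are constructed for illustration.

```php
<?php
// Added example (not SilverStripe's own code): a parser that applies the two
// guards Convert::xml2array gained in 3.1.12, run against constructed payloads.
// Argument order ($disableDoctypes, then $disableExternals) is assumed from the
// order in which the release notes list the parameters.

// Constructed sample inputs, not taken from the original page.
$benign = '<data><item>ok</item></data>';

$billionLaughs = '<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<data>&lol3;</data>';

$xxe = '<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>';

/**
 * Hypothetical hardened parser. Returns a SimpleXMLElement, or throws an
 * InvalidArgumentException when the input is rejected or malformed.
 */
function parseXmlGuarded($val, $disableDoctypes = false, $disableExternals = false)
{
    // Guard 1: refuse any document that declares a DOCTYPE at all. The inline
    // DTD subset is where recursive/expanding entity definitions live.
    if ($disableDoctypes && preg_match('/<!DOCTYPE/i', $val)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }

    // Guard 2: stop libxml from fetching external entities and DTDs
    // (file://, http://, php:// ...). The previous setting is restored below
    // so other code is unaffected. libxml_disable_entity_loader() is
    // deprecated on PHP 8, where external loading is already off by default.
    $previousLoader = null;
    if ($disableExternals) {
        $previousLoader = libxml_disable_entity_loader(true);
    }

    // Never pass LIBXML_NOENT (which would substitute entities) and never
    // allow network access while parsing.
    $previousErrors = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($val, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);

    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($xml === false) {
        $first = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException('Malformed XML: ' . $first);
    }
    return $xml;
}

// Demonstration: with both flags off (the release's default) every payload is
// parsed; with both flags on, the two DOCTYPE-bearing payloads are rejected
// before libxml ever sees the entity definitions.
$payloads = array('benign' => $benign, 'billion laughs' => $billionLaughs, 'xxe' => $xxe);
$modes = array('defaults' => array(false, false), 'guarded' => array(true, true));
foreach ($modes as $mode => $flags) {
    foreach ($payloads as $name => $payload) {
        try {
            parseXmlGuarded($payload, $flags[0], $flags[1]);
            echo "[$mode] $name: accepted\n";
        } catch (InvalidArgumentException $e) {
            echo "[$mode] $name: rejected (" . $e->getMessage() . ")\n";
        }
    }
}
```

In SilverStripe code the equivalent opt-in is to pass both flags to the framework method, i.e. Convert::xml2array($val, true, true) under the assumed argument order; callers that only need to parse trusted, DTD-free documents should enable both, since the defaults leave the previous behaviour unchanged.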

Security

Bugfixes

  • 2015-03-18 b34c236 Fix joins on tables containing "select" being mistaken for sub-selects. Fix PHPDoc on SQLQuery::addFrom and SQLQuery::setFrom. Fixes #3965 (Damian Mooyman)
  • 2015-03-11 a61c08d Security::$default_message_set Config value unusable (Loz Calver)
  • 2015-03-10 9651889 Fix yaml generation to conform to version 1.1, accepted by transifex (Damian Mooyman)
  • 2015-02-25 f5f41b2 Ensuring custom CMS validator uses Object->hasMethod() to respect extension decorator pattern. (Patrick Nelson)
  • 2015-01-13 9da7e90 Missing translation entity (Elvinas L.)

Changelog
