The quality of our software has always been the most important thing for us. Today we published fixes for two security vulnerabilities found in Sylius/Sylius and Sylius/SyliusResourceBundle.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.
However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
Patch has been provided for Sylius 1.3.x and newer – 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Unsupported versions could be patched by adding the following configuration to run in production:
sylius_channel:
debug: false
The original security advisory has been published on GitHub at Sylius/SyliusResourceBundle repository.
ResourceBundle accepts and uses any serialisation groups to be passed via an HTTP header. This might lead to data exposure by using an unintended serialisation group – for example, it could make Shop API use a more permissive group from Admin API.
Anyone exposing an API with ResourceBundle’s controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2.
The patch is provided for ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.
After it is applied, It allows choosing only the groups that are defined in serialization_groups or allowed_serialization_groups route definition. Any group not defined in those will not be used.
This behaviour might be a BC break for those using custom groups via the HTTP header, please adjust allowed_serialization_groups accordingly.
Service sylius.resource_controller.request_configuration_factory can be overridden with an implementation copied from Sylius\Bundle\ResourceBundle\Controller\RequestConfigurationFactory where the part that handles custom serialisation groups is deleted.
