[Debug] Missing escape in debug output by c960657 · Pull Request #23684 · symfony/symfony · GitHub
[Debug] Missing escape in debug output #23684

Merged: 1 commit merged into symfony:2.7 on Jul 26, 2017
Conversation

@c960657 (Contributor) commented Jul 26, 2017

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

When pretty-printing an exception, the debug handler does not properly escape array keys.

The problem only occurs when debug output is enabled, so this is not considered a security issue (according to @fabpot), because the debug tools should not be used in production.

A test for this is included in my patch for #18722.
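To make the defect described in this PR concrete, here is an added illustration that is not Symfony's own ExceptionHandler code: a minimal pretty-printer for an exception's context array, once with the original mistake (values escaped, keys interpolated raw) and once with every interpolated string passed through htmlspecialchars. The function names and the sample array are hypothetical.

```php
<?php
// Added example, not code from symfony/symfony. Both function names are
// hypothetical stand-ins for a debug handler's array-rendering step.

// Constructed context array: one key carries markup, as a reflected request
// parameter or header name might when it is dumped verbatim.
$context = [
    'id'                 => 42,
    '<b>injected-key</b>' => 'value',
    'note'               => '<i>values were already escaped</i>',
];

// Before: the value is escaped, the key is not (the bug this PR fixes).
function renderArrayUnescaped(array $data): string
{
    $html = "<table>\n";
    foreach ($data as $key => $value) {
        $html .= sprintf(
            "<tr><th>%s</th><td>%s</td></tr>\n",
            $key,                                                   // raw key
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')  // escaped value
        );
    }

    return $html."</table>\n";
}

// After: key and value are both escaped before they reach the HTML, so
// markup inside a key is rendered as inert text instead of live tags.
function renderArrayEscaped(array $data): string
{
    $html = "<table>\n";
    foreach ($data as $key => $value) {
        $html .= sprintf(
            "<tr><th>%s</th><td>%s</td></tr>\n",
            htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
        );
    }

    return $html."</table>\n";
}

// Compare the two renderings: only the second one contains no unescaped
// '<' or '>' originating from the input array.
echo renderArrayUnescaped($context);
echo renderArrayEscaped($context);
```

A quick regression check for a debug handler is to render an array whose keys contain `<`, `>` and quotes and assert that none of those characters survive unescaped in the output, which is what the test attached to #18722 does for the real handler.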

@c960657 c960657 changed the title [Debug] XSS in debug output [Debug] Missing escape in debug output Jul 26, 2017
@c960657 c960657 changed the base branch from master to 2.7 July 26, 2017 13:49
@c960657 c960657 force-pushed the debug-xss branch 3 times, most recently from bc57262 to 1ebbabd Compare July 26, 2017 14:00
@nicolas-grekas (Member) commented:

Can you rebase to remove the merge commit, please?

@nicolas-grekas nicolas-grekas added this to the 2.7 milestone Jul 26, 2017
@c960657 c960657 force-pushed the debug-xss branch 2 times, most recently from f38195d to 2150029 Compare July 26, 2017 14:59
@c960657 (Contributor, Author) commented Jul 26, 2017

Done.

@nicolas-grekas (Member) commented:

Thank you @c960657.

@nicolas-grekas nicolas-grekas merged commit 636777d into symfony:2.7 Jul 26, 2017
nicolas-grekas added a commit that referenced this pull request Jul 26, 2017
This PR was merged into the 2.7 branch.

Discussion
----------

[Debug] Missing escape in debug output

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

When pretty-printing an exception, the debug handler does not properly escape array keys.

The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage).

A test for this is included in my patch for #18722.

Commits
-------

636777d [Debug] HTML-escape array key
@c960657 c960657 deleted the debug-xss branch July 27, 2017 07:08
@lyrixx lyrixx mentioned this pull request Jul 19, 2018