Merge pull request from GHSA-p4pj-9g59-4ppv
Sanitize request input before passing it to expression language evaluator
pamil committed Aug 18, 2020
2 parents 73d9aba + 11e00c3 commit 73ed8b8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Bundle/Controller/ParametersParser.php
@@ -80,7 +80,7 @@ private function parseRequestValueExpression(string $expression, Request $reques
));
}

return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;
}, $expression);

return $this->expression->evaluate($expression, ['container' => $this->container]);
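Review bot: the `addslashes($variable)` on the `+` line closes the immediate hole (a request value can no longer terminate the `"%s"` literal that is spliced into `$expression`), but the method still builds the expression by string interpolation and then passes the result to `$this->expression->evaluate(...)`. The values array already supplied on that call (`['container' => $this->container]`) could carry the request value as a named variable instead, which removes the quoting concern rather than escaping around it. Also note the unchanged non-string branch (`: $variable`) still interpolates the value verbatim; worth confirming that only plain scalars can reach it, since anything else lands unescaped in the evaluated expression.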
