
[#2057] Doing another pass on "render" calls to update them to the new use of an absolute URL instead of a logical controller name

See http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
1 parent 89617bd, commit 26e85cf5d3b865699758eed1936911012756a860, @weaverryan committed Dec 24, 2012
Showing with 90 additions and 66 deletions.
  1. +9 −0 book/_security-2012-6431.rst.inc
  2. +22 −22 book/http_cache.rst
  3. +1 −9 book/security.rst
  4. +41 −9 book/templating.rst
  5. +14 −24 quick_tour/the_view.rst
  6. +3 −2 reference/twig_reference.rst
9 book/_security-2012-6431.rst.inc
@@ -0,0 +1,9 @@
+.. note::
+
+ Since Symfony 2.0.20/2.1.5, the Twig ``render`` tag now takes an absolute url
+ instead of a controller logical path. This fixes an important security
+ issue (`CVE-2012-6431`_) reported on the official blog. If your application
+ uses an older version of Symfony or still uses the previous ``render`` tag
+ syntax, you should upgrade as soon as possible.
+
+.. _`CVE-2012-6431`: http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
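Review bot: the shared note only names the Twig ``render`` tag, yet this file is included directly after PHP examples that use ``$view['actions']->render(...)`` (http_cache.rst, templating.rst); reword the first sentence so it covers both call sites, e.g. "the Twig ``render`` tag and the PHP ``actions`` helper now take an absolute URL instead of a controller logical path", otherwise a PHP-template reader will not recognise that the warning applies to them.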
44 book/http_cache.rst
@@ -882,19 +882,16 @@ matter), Symfony2 uses the standard ``render`` helper to configure ESI tags:
.. code-block:: php
- <?php echo $view['actions']->render('...:news', array('max' => 5), array('standalone' => true)) ?>
+ <?php echo $view['actions']->render(
+ $view['router']->generate('latest_news', array('max' => 5), true),
+ array(),
+ array('standalone' => true)
+ ) ?>
-.. note::
-
- Since Symfony 2.0.20, the Twig ``render`` tag now takes an absolute url
- instead of a controller logical path. This fixes an important security
- issue (`CVE-2012-6431`_) reported on the official blog. If your application
- uses an older version of Symfony or still uses the previous ``render`` tag
- syntax, we highly advise you to upgrade as soon as possible.
+.. include:: /book/_security-2012-6431.rst.inc
-The ``render`` tag takes the absolute url of the embedded action. The latter has
-to be defined somewhere in one of the application's or bundles' routing
-configuration files:
+The ``render`` tag takes the absolute url to the embedded action. This means
+that you need to define a new route to the controller that you're embedding:
.. code-block:: yaml
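Review bot: ``$view['router']->generate('latest_news', array('max' => 5), true)`` assumes a route named ``latest_news``, but the routing block that follows only shows its ``defaults`` and ``requirements`` lines in context; confirm the route key in that YAML is ``latest_news`` so the example actually resolves. Also, "The ``render`` tag takes the absolute url to the embedded action" sits right under a PHP ``actions`` helper example; "The ``render`` tag (or ``actions`` helper)" would match the code shown.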
@@ -904,18 +901,22 @@ configuration files:
defaults: { _controller: AcmeNewsBundle:News:news }
requirements: { max: \d+ }
+.. caution::
+
+ Unless you want this URL to be accessible to the outside world, you
+ should use Symfony's firewall to secure it (by allowing access to your
+ reverse proxy's IP range). See the :ref:`Securing by IP<book-security-securing-ip>`
+ section of the :doc:`Security Chapter </book/security>` for more information
+ on how to do this.
+
.. tip::
- The best practice is to mount all your ESI urls on a single prefix of your
- choice. This has two main advantages. First, it eases the management of
- ESI urls as you can easily identify the routes used to handle ESIs.
- Secondly, it eases security management. Since an ESI route allows an action
- to be accessed via a URL, you might want to protect it by using the Symfony2
- firewall feature (by allowing access to your reverse proxy's IP range).
- Securing all urls starting with the same prefix is easier than securing each
- single url. See the :ref:`Securing by IP<book-security-securing-ip>` section
- of the :doc:`Security Chapter </book/security>` for more information on how
- to do this.
+ The best practice is to mount all your ESI urls on a single prefix (e.g.
+ ``/esi``) of your choice. This has two main advantages. First, it eases
+ the management of ESI urls as you can easily identify the routes used for ESI.
+ Second, it eases security management since securing all urls starting
+ with the same prefix is easier than securing each individual url. See
+ the above note for more details on securing ESI URLs.
By setting ``standalone`` to ``true`` in the ``render`` Twig tag, you tell
Symfony2 that the action should be rendered as an ESI tag. You might be
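Review bot: the rewritten tip ends with "See the above note for more details on securing ESI URLs", but the block it refers to is a ``.. caution::``, not a note; say "See the caution above". The rewrite also drops the one sentence of the old tip that gave the reason for the firewall advice ("Since an ESI route allows an action to be accessed via a URL, you might want to protect it"); move that sentence into the caution so the reader learns why a route that is only meant for the reverse proxy needs an IP restriction at all.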
@@ -1058,4 +1059,3 @@ Learn more from the Cookbook
.. _`P4 - Conditional Requests`: http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-12
.. _`P6 - Caching: Browser and intermediary caches`: http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-12
.. _`ESI`: http://www.w3.org/TR/esi-lang
-.. _`CVE-2012-6431`: http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
10 book/security.rst
@@ -781,14 +781,7 @@ given prefix, ``/esi``, from outside access:
.. _book-security-securing-channel:
-.. note::
-
- The Symfony 2.0.20 fixes an important security issue regarding ESI
- routes. In the previous versions of Symfony, ESI URLs where handled by a
- single route call ``_internal`` and defined in the main
- ``app/config/routing.yml`` file. If your application handles ESI with the
- ``_internal`` route, we highly advise you to upgrade your code by following
- the guidelines of the `CVE-2012-6431 security advisory`_.
+.. include:: /book/_security-2012-6431.rst.inc
Securing by Channel
~~~~~~~~~~~~~~~~~~~
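Review bot: the include lands between the ``.. _book-security-securing-channel:`` label and the "Securing by Channel" heading, so the label now attaches to the note rather than to the section it is meant to name; move the include above the label (the removed note had the same problem, so this is the moment to fix it). The replaced text also named the old ``_internal`` route and ``app/config/routing.yml``, which is exactly what someone auditing an existing application will grep for; keep one sentence next to the include along the lines of "If your application still handles ESI through the ``_internal`` route, upgrade following the advisory."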
@@ -1795,4 +1788,3 @@ Learn more from the Cookbook
.. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle
.. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php
.. _`functions-online.com`: http://www.functions-online.com/sha1.html
-.. _`CVE-2012-6431 security advisory`: http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
50 book/templating.rst
@@ -623,6 +623,42 @@ The ``recentList`` template is perfectly straightforward:
(e.g. ``/article/*slug*``). This is a bad practice. In the next section,
you'll learn how to do this correctly.
+Even though this controller will only be used internally, you'll need to
+create a route that points to the controller:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ latest_articles:
+ pattern: /articles/latest/{max}
+ defaults: { _controller: AcmeArticleBundle:Article:recentArticles }
+
+ .. code-block:: xml
+
+ <?xml version="1.0" encoding="UTF-8" ?>
+
+ <routes xmlns="http://symfony.com/schema/routing"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://symfony.com/schema/routing http://symfony.com/schema/routing/routing-1.0.xsd">
+
+ <route id="latest_articles" pattern="/articles/latest/{max}">
+ <default key="_controller">AcmeArticleBundle:Article:recentArticles</default>
+ </route>
+ </routes>
+
+ .. code-block:: php
+
+ use Symfony\Component\Routing\RouteCollection;
+ use Symfony\Component\Routing\Route;
+
+ $collection = new RouteCollection();
+ $collection->add('latest_articles', new Route('/articles/latest/{max}', array(
+ '_controller' => 'AcmeArticleBundle:Article:recentArticles',
+ )));
+
+ return $collection;
+
To include the controller, you'll need to refer to it using an absolute url:
.. configuration-block::
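Review bot: the new ``latest_articles`` route leaves ``{max}`` unconstrained, whereas the equivalent route in http_cache.rst in this same commit carries ``requirements: { max: \d+ }``; add the same requirement here in all three formats (YAML ``requirements: { max: \d+ }``, XML ``<requirement key="max">\d+</requirement>``, PHP third constructor argument ``array('max' => '\d+')``) so a non-numeric ``max`` is rejected by the router rather than reaching the controller. The lead sentence "Even though this controller will only be used internally" also undercuts the point of the change: once it has an absolute URL the controller is reachable from outside unless the route is firewalled, so this paragraph should point at the "Securing by IP" caution added to http_cache.rst.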
@@ -642,16 +678,12 @@ To include the controller, you'll need to refer to it using an absolute url:
<!-- ... -->
<div id="sidebar">
- <?php echo $view['actions']->render('AcmeArticleBundle:Article:recentArticles', array('max' => 3)) ?>
+ <?php echo $view['actions']->render(
+ $view['router']->generate('latest_articles', array('max' => 3), true)
+ ) ?>
</div>
-.. note::
-
- Since Symfony 2.0.20, the Twig ``render`` tag now takes an absolute url
- instead of a controller logical path. This fixes an important security
- issue (`CVE-2012-6431`_) reported on the official blog. If your application
- uses an older version of Symfony or still uses the previous ``render`` tag
- syntax, we highly advise you to upgrade as soon as possible.
+.. include:: /book/_security-2012-6431.rst.inc
Whenever you find that you need a variable or a piece of information that
you don't have access to in a template, consider rendering a controller.
@@ -1379,4 +1411,4 @@ Learn more from the Cookbook
.. _`tags`: http://twig.sensiolabs.org/doc/tags/index.html
.. _`filters`: http://twig.sensiolabs.org/doc/filters/index.html
.. _`add your own extensions`: http://twig.sensiolabs.org/doc/advanced.html#creating-an-extension
-.. _`CVE-2012-6431`: http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
+
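Review bot: the removed link target is replaced by an empty ``+`` line, which leaves a trailing blank line at the end of templating.rst; delete the line rather than blanking it.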
38 quick_tour/the_view.rst
@@ -180,24 +180,9 @@ And what if you want to embed the result of another controller in a template?
That's very useful when working with Ajax, or when the embedded template needs
some variable not available in the main template.
-Suppose you've created a ``fancy`` action, and you want to include it inside
-the ``index`` template. To do this, use the ``render`` tag:
-
-.. code-block:: jinja
-
- {# src/Acme/DemoBundle/Resources/views/Demo/index.html.twig #}
- {% render url('fancy', { 'name': name, 'color': 'green'}) %}
-
-.. note::
-
- Since Symfony 2.0.20, the Twig ``render`` tag now takes an absolute url
- instead of a controller logical path. This fixes an important security
- issue (`CVE-2012-6431`_) reported on the official blog. If your application
- uses an older version of Symfony or still uses the previous ``render`` tag
- syntax, we highly advise you to upgrade as soon as possible.
-
-Here, the ``render`` tag takes the url of the ``fancy`` route. This route has to
-be defined in one of your application's routing configuration files.
+Suppose you've created a ``fancyAction`` controller method, and you want to "render"
+it inside the ``index`` template. First, create a route to your new controller
+in one of your application's routing configuration files.
.. configuration-block::
@@ -234,12 +219,18 @@ be defined in one of your application's routing configuration files.
return $collection;
+To include the result (e.g. ``HTML``) of the controller, use the ``render`` tag:
+
+.. code-block:: jinja
+
+ {# src/Acme/DemoBundle/Resources/views/Demo/index.html.twig #}
+ {% render url('fancy', { 'name': name, 'color': 'green'}) %}
+
+.. include:: /book/_security-2012-6431.rst.inc
-The ``fancy`` route maps the ``/included/fancy/{name}/{color}`` pattern to a
-``fancyAction`` method in the ``DemoController`` class of an ``AcmeDemoBundle``
-bundle. The arguments (``name`` and ``color``) act like simulated request
-variables (as if the ``fancyAction`` were handling a whole new request) and are
-made available to the controller::
+The ``render`` tag will execute the ``AcmeDemoBundle:Demo:fancy`` controller
+and include its result. For example, your new ``fancyAction`` might look
+like this::
// src/Acme/DemoBundle/Controller/DemoController.php
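Review bot: the removed paragraph explained that the ``name`` and ``color`` arguments passed to ``url('fancy', ...)`` act like simulated request variables and are made available to the controller; the replacement ("will execute the ``AcmeDemoBundle:Demo:fancy`` controller and include its result") drops that, and it is the one sentence a reader needs to connect the template call to the controller's parameters. Keep it. Minor: "(e.g. ``HTML``)" does not need code font.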
@@ -339,4 +330,3 @@ Ready for another 10 minutes with Symfony2?
.. _Twig: http://twig.sensiolabs.org/
.. _documentation: http://twig.sensiolabs.org/documentation
-.. _`CVE-2012-6431`: http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
5 reference/twig_reference.rst
@@ -101,8 +101,9 @@ Tags
+---------------------------------------------------+-------------------------------------------------------------------+
| Tag Syntax | Usage |
+===================================================+===================================================================+
-| ``{% render url('route', {parameters}) %}`` | This will render the Response Content for the given controller, |
-| | more information in :ref:`templating-embedding-controller`. |
+| ``{% render url('route', {parameters}) %}`` | This will render the Response Content for the given controller |
@wouterj (Symfony member) added a line comment Dec 24, 2012

In order to use the variable names to support the coming named parameters feature in Twig, the 'route' should be replaced with name.
+| | that the URL points to. For more information, |
+| | see :ref:`templating-embedding-controller`. |
+---------------------------------------------------+-------------------------------------------------------------------+
| ``{% form_theme form 'file' %}`` | This will look inside the given file for overridden form blocks, |
| | more information in :doc:`/cookbook/form/form_customization`. |
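Review bot: "render the Response Content for the given controller that the URL points to" is awkward; "render the Response content of the controller that the given URL resolves to" says the same thing more directly. Since this row is being edited anyway, fold in the inline comment about the syntax column (``url('route', ...)`` versus ``url('name', ...)``) rather than leaving it for a follow-up.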

0 comments on commit 26e85cf
