
[Serializer] Unset attributes when creating child context #25340

Merged
merged 1 commit into from Dec 7, 2017

Conversation

dunglas

@dunglas dunglas commented Dec 5, 2017

| Q             | A
| ------------- | ---
| Branch?       | 3.3
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

In some cases, the attributes key isn't overridden when creating the context passed to nested normalizers.
It's definitely a bug, but an attacker cannot access non-public data (ignored attributes are checked before the attributes key). However, some data that must be public may be missing, as highlighted by the test.

I've introduced the initial bug here: #18834

@dunglas

dunglas commented Dec 6, 2017

failure not related


@nicolas-grekas nicolas-grekas left a comment


(but the appveyor failure needs to be investigated)

@fabpot

fabpot commented Dec 7, 2017

Thank you @dunglas.

@fabpot fabpot merged commit 4ff9d99 into symfony:3.3 Dec 7, 2017
fabpot added a commit that referenced this pull request Dec 7, 2017
…(dunglas)

This PR was merged into the 3.3 branch.

Discussion
----------

[Serializer] Unset attributes when creating child context

| Q             | A
| ------------- | ---
| Branch?       | 3.3
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

In some cases, the `attributes` key isn't overridden when creating the context passed to nested normalizers.
It's definitely a bug, but an attacker cannot access non-public data (ignored attributes are checked before the `attributes` key). However, some data that must be public may be missing, as highlighted by the test.

I've introduced the initial bug here: #18834

Commits
-------

4ff9d99 [Serializer] Unset attributes when creating child context
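The failure mode described in the PR and commit message above, shown with an added toy model that is not Symfony's code: the functions `allowed`, `childContextBuggy`, `childContextFixed`, `normalize` and the sample user/context are all constructed here. The buggy child context leaves the parent's `attributes` allow-list in place, so the nested address is filtered against `name`/`address` and loses its fields, while the fixed variant unsets the inherited list; `password` stays hidden in both runs because ignored attributes are checked first.

```php
<?php
// Added illustration, not Symfony's code: a toy model of how the Serializer's
// `attributes` context key (an allow-list) is handed to nested normalizers.
function allowed(string $attribute, array $context): bool
{
    // Ignored attributes are checked before the allow-list, so they always win.
    if (in_array($attribute, $context['ignored_attributes'] ?? [], true)) {
        return false;
    }
    if (!isset($context['attributes'])) { return true; } // no allow-list set
    $attrs = $context['attributes'];
    return in_array($attribute, $attrs, true) || array_key_exists($attribute, $attrs);
}
// Buggy: with no nested list for this attribute, the parent's allow-list is
// left in place and the child normalizer filters against the wrong names.
function childContextBuggy(array $parentContext, string $attribute): array
{
    if (isset($parentContext['attributes'][$attribute])) {
        $parentContext['attributes'] = $parentContext['attributes'][$attribute];
    }
    return $parentContext;
}
// Fixed: unset the inherited allow-list when there is no nested list.
function childContextFixed(array $parentContext, string $attribute): array
{
    if (isset($parentContext['attributes'][$attribute])) {
        $parentContext['attributes'] = $parentContext['attributes'][$attribute];
    } else {
        unset($parentContext['attributes']);
    }
    return $parentContext;
}
function normalize(array $object, array $context, callable $childContext): array
{
    $out = [];
    foreach ($object as $attribute => $value) {
        if (!allowed($attribute, $context)) {
            continue;
        }
        $out[$attribute] = is_array($value)
            ? normalize($value, $childContext($context, $attribute), $childContext)
            : $value;
    }
    return $out;
}
// Constructed sample: 'address' is listed as a plain value, so the nested
// object should carry no attribute restriction of its own.
$user = ['name' => 'alice', 'password' => 'hunter2',
         'address' => ['street' => '1 Main St', 'city' => 'Paris']];
$context = ['attributes' => ['name', 'address'], 'ignored_attributes' => ['password']];
var_dump(normalize($user, $context, 'childContextBuggy'));
var_dump(normalize($user, $context, 'childContextFixed'));
```

Passing `['attributes' => ['address' => ['city']]]` instead exercises the nested-list branch, where both variants correctly restrict the address to `city`.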