
Fix Exception message escaping rendered by ErrorHandler

nicolas-grekas published GHSA-m884-279h-32v2 Mar 30, 2020
Severity: moderate
Packages: symfony/http-foundation (composer)
Affected versions: >=4.4.0, <4.4.4 || >=5.0.0, <5.0.4
Patched versions: 4.4.4, 5.0.4
CVE identifier: CVE-2020-5274

Description

When ErrorHandler renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stack trace. The security issue comes from the fact that the stack traces were also displayed in non-debug environments.

Resolution

The ErrorHandler class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-debug environments.
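
The following is an added illustration written for this advisory; it is not Symfony's ErrorHandler code. It contrasts the two behaviours the advisory describes: interpolating raw exception properties into HTML while always emitting the trace, versus passing every property through an HTML escaper and emitting the trace only in debug mode. The function names, the `Throwable::getTrace()`-based layout and the PHP 8 requirement (`str_contains`) are assumptions; the exception message is a constructed sample.

```php
<?php
// Added example (not Symfony's code). Shows the unescaped rendering the
// advisory describes beside a hardened renderer that escapes every
// exception property and gates the stack trace on debug mode.
declare(strict_types=1);

function escape(string $value): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: raw properties are concatenated into HTML and the
// trace is shown no matter which environment the application runs in.
function renderUnsafe(Throwable $e): string
{
    $html  = '<h1>' . get_class($e) . '</h1>';
    $html .= '<p>' . $e->getMessage() . '</p>';          // message, unescaped
    $html .= '<p>' . $e->getFile() . ':' . $e->getLine() . '</p>';
    $html .= '<ul>';
    foreach ($e->getTrace() as $frame) {
        $html .= '<li>' . ($frame['file'] ?? '') . ':' . ($frame['line'] ?? '') . '</li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: every string property goes through escape(), integers
// are cast, and file, line and trace appear only when $debug is true.
function renderSafe(Throwable $e, bool $debug): string
{
    $html  = '<h1>' . escape(get_class($e)) . '</h1>';
    $html .= '<p>' . escape($e->getMessage()) . '</p>';
    if (!$debug) {
        return $html;                                    // no internals outside debug
    }
    $html .= '<p>' . escape($e->getFile()) . ':' . (int) $e->getLine() . '</p>';
    $html .= '<ul>';
    foreach ($e->getTrace() as $frame) {
        $html .= '<li>' . escape((string) ($frame['file'] ?? '')) . ':'
               . (int) ($frame['line'] ?? 0) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample: an exception whose message carries markup, as happens
// when untrusted input is echoed back into an error message.
$e = new RuntimeException('Invalid value: <script>alert(1)</script>');

$unsafe = renderUnsafe($e);
$safe   = renderSafe($e, false);

// The markup survives verbatim in the unsafe output and is neutralised in
// the safe one; the safe output also carries no trace outside debug mode.
assert(str_contains($unsafe, '<script>alert(1)</script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;alert(1)&lt;/script&gt;'));
assert(!str_contains($safe, '<li>'));
assert(str_contains(renderSafe($e, true), '<li>'));

echo $safe, PHP_EOL;
```

Running the script prints only the escaped heading and message; switching `renderSafe($e, true)` adds the file, line and trace list. The two checks a reviewer would look for in any error page renderer are the same ones the fix applies: that no exception-derived string reaches the HTML without escaping, and that the code path emitting internals is conditioned on the debug flag rather than on the environment happening to be configured correctly.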

The patches for this issue are available here and here for branch 4.4.

Credits

I would like to thank Luka Sikic for reporting, and Yonel Ceruto and Jérémy Derussé for fixing the issue.