
Fix Exception message escaping rendered by ErrorHandler

Moderate
nicolas-grekas published GHSA-m884-279h-32v2 Mar 30, 2020

Package

composer symfony/http-foundation (Composer)

Affected versions

>=4.4.0, <4.4.4 || >=5.0.0, <5.0.4

Patched versions

4.4.4, 5.0.4

Description

When ErrorHandler renders the HTML page for an uncaught exception, it interpolates properties of the related Exception (message, class name, stack trace) into the markup without HTML-escaping them. Because exception messages routinely embed request-derived text, this lets attacker-chosen content be rendered as live markup. The issue is aggravated by the fact that the stack trace was also rendered in non-debug (production) environments, so the unescaped output was reachable on deployed applications, not only on developer machines.

Resolution

The ErrorHandler class now HTML-escapes every property taken from the related Exception, and the stack trace is no longer displayed in non-debug environments.
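The two paragraphs above describe a bug class (unescaped exception data in an HTML error page, trace shown outside debug mode) and its fix. As an added illustration, not Symfony's own code and not the patch referenced below, the following hypothetical renderer reproduces the vulnerable shape beside the fixed one. Function names, the `$debug` flag and the sample exception message are assumptions made for the example; it needs PHP 8.0 or later for `str_contains`.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: a minimal HTML error-page renderer in
// the vulnerable shape described by the advisory, beside a fixed shape.
// All function names here are hypothetical.

/** Vulnerable shape: exception data goes into the markup verbatim, trace always shown. */
function renderErrorPageVulnerable(Throwable $e): string
{
    return '<h1>' . get_class($e) . '</h1>'
         . '<p>' . $e->getMessage() . '</p>'
         . '<pre>' . $e->getTraceAsString() . '</pre>';
}

/** Fixed shape: every exception-derived string is HTML-escaped; trace only when $debug. */
function renderErrorPageFixed(Throwable $e, bool $debug): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    $html = '<h1>' . $esc(get_class($e)) . '</h1>'
          . '<p>' . $esc($e->getMessage()) . '</p>';

    // The trace (including any arguments getTraceAsString() shows) can carry
    // user input too, so it is escaped as well and hidden outside debug mode.
    if ($debug) {
        $html .= '<pre>' . $esc($e->getTraceAsString()) . '</pre>';
    }
    return $html;
}

/** Small check helper so the script fails loudly without relying on zend.assertions. */
function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new LogicException("check failed: $what");
    }
}

// Constructed input: a message that embeds request-derived text, the way an
// application might report a failed lookup. The embedded text is attacker-chosen.
$tainted = '<script>alert(document.cookie)</script>';
$e = new RuntimeException("Lookup failed for id: $tainted");

$vulnerable  = renderErrorPageVulnerable($e);
$production  = renderErrorPageFixed($e, false);
$development = renderErrorPageFixed($e, true);

check(str_contains($vulnerable, '<script>'),      'payload lands as live markup');
check(!str_contains($production, '<script>'),     'payload neutralised');
check(str_contains($production, '&lt;script&gt;'), 'payload rendered as inert text');
check(!str_contains($production, '<pre>'),        'no trace outside debug mode');
check(str_contains($development, '<pre>'),        'trace still available in debug mode');

echo $production, PHP_EOL;
```

Run it with `php example.php`; it prints the escaped production page and throws if any of the checks fail. The same five checks are a reasonable smoke test for any custom exception renderer: the message must never reach the page unescaped, and anything derived from the trace must be gated on an explicit debug flag rather than on the absence of an error.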

The patches for this issue are available here and here for branch 4.4.

Credits

I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

Severity

Moderate

CVE ID

CVE-2020-5274

Weaknesses

No CWEs
