views: 313
answers: 3

Hi,

I am currently conducting a technical review of a web application that was developed by a third party. They used the symfony framework. Are there any known issues that I should visit first? E.g. any security holes.

Thanks in advance for help.

Mark

A: 

Try searching in bugspy.net: http://bugspy.net/search/?q=symfony

bugspy.net
+5  A: 

I've used the symfony framework for many apps and the framework itself is pretty secure by default.

One thing you might want to check (it's not really a security issue though) is that the developer replaces the default error pages, I'm not talking about the 404's or anything like that but when symfony crashes hard it will automatically go to a symfony error page.

You also might want to check the security.yml files to make sure that all the modules that require authentication are set to is_secure: on.

Also I think in the settings.yml there is an option to set the framework to automatically escape evil characters to avoid XSS. You should check that things are being escaped. I believe it is on by default in 1.2.

Maybe you could also check to see if the developer used any strange plugins. Some plugins are not created by the developers of symfony and they can't really guarantee the quality of the code used in them.

Check out the Symfony Deployment Cheat Sheet. It has a great checklist to go through to make sure your app is ready for deployment.

I can't really think of anything else at the moment. If symfony 1.2 is used you should not have to worry much about the framework itself being an issue. IMHO.

Peter D
That's fantastic! Very useful info.. thanks for your help.
Mark Blades
I've noticed that the uploads are stored in the webroot - since this is common for symfony apps I'm assuming this is safe. It however conflicts with my existing knowledge that uploads should be stored behind webroot. Any comments?
Mark Blades
This should not pose a problem due to symfony's routing tables. If a user types in the path to the uploads, the path itself will first be parsed through the routing table. If a route for that path is not found, a default route is chosen. The uploads folder should remain safe.
Peter D
Mark, uploaded files are stored in the webroot to allow further access to them. If you do not like this behavior, you are always free to alter it in one shot, by (the easiest and most common — but not only — way) setting the `path` option of sfValidatorFile to a directory placed outside of the webroot.
develop7
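The following is an added example for the upload question discussed in this answer's comments; it is not code from the thread or from the symfony project. One caveat a reviewer should keep in mind: anything under `web/` is the document root, so a static file there is handed out by the web server before symfony's routing is ever consulted, which is why the `path` option develop7 mentions matters. The example assumes a symfony 1.2 project, and the form class `DocumentForm`, the `document` module, the `attachment` field and the `data/uploads` directory are hypothetical names chosen for the illustration.

```php
<?php
// Added example (not from the thread or the symfony project): keep uploads
// outside the web root via sfValidatorFile's `path` option and serve them
// through an action that security.yml can protect with is_secure, instead of
// relying on a direct URL under web/uploads. Names below are hypothetical.

class DocumentForm extends sfForm
{
  public function configure()
  {
    $this->setWidgets(array(
      'attachment' => new sfWidgetFormInputFile(),
    ));

    $this->setValidators(array(
      // `path` stores the file under data/uploads, i.e. outside web/, so the
      // web server never serves it directly. `mime_types` and `max_size`
      // limit what can be uploaded at all.
      'attachment' => new sfValidatorFile(array(
        'required'   => true,
        'path'       => sfConfig::get('sf_data_dir').'/uploads',
        'mime_types' => array('application/pdf', 'image/png', 'image/jpeg'),
        'max_size'   => 2 * 1024 * 1024,
      )),
    ));

    $this->widgetSchema->setNameFormat('document[%s]');
  }
}

class documentActions extends sfActions
{
  // Receives the upload. sfValidatedFile::save() without an argument writes
  // the file into the validator's `path` under a generated name, so the
  // client-supplied filename is never used on the filesystem.
  public function executeUpload(sfWebRequest $request)
  {
    $this->form = new DocumentForm();

    if ($request->isMethod('post'))
    {
      $this->form->bind($request->getParameter('document'), $request->getFiles('document'));
      if ($this->form->isValid())
      {
        $file       = $this->form->getValue('attachment');
        $storedName = $file->save();
        // Persist $storedName together with the owning user id here (omitted).
        $this->redirect('document/download?name='.$storedName);
      }
    }
  }

  // Serves a stored file. Mark this action with is_secure: true in the
  // module's security.yml so only authenticated users reach it. basename()
  // drops any directory components from the requested name, so the lookup
  // cannot escape the upload directory.
  public function executeDownload(sfWebRequest $request)
  {
    $name = basename($request->getParameter('name'));
    $path = sfConfig::get('sf_data_dir').'/uploads/'.$name;

    $this->forward404Unless('' !== $name && is_file($path));
    // An ownership check against the persisted record belongs here (omitted).

    $response = $this->getResponse();
    $response->setContentType('application/octet-stream');
    $response->setHttpHeader('Content-Disposition', 'attachment; filename="'.$name.'"');
    $response->setContent(file_get_contents($path));

    return sfView::NONE;
  }
}
```

When reviewing an existing app, the two things to look for are whether the `path` option (or an equivalent move of the upload directory) is set at all, and whether any action that reads files back checks both authentication (`is_secure` in security.yml, as the answer above recommends) and the requested name before touching the filesystem.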
A: 

Symfony has a very strong developer community so identified security vulnerabilities are usually fixed pretty quickly.

Provided that you chose a version of the framework that is supported, any security holes are likely to be fixed speedily.

The versions are listed here: http://www.symfony-project.org/installation

Jon Winstanley
That's great, I'll check these out - the version being used is 1.0 but I'm not sure how up to date it is with patches.
Mark Blades
1.0 is still supported so once you are familiar with the framework update it to 1.0.21 - or whatever is the most recent update at the time.
Jon Winstanley