susceptibility to directory traversal attacks?
jrobeson opened this issue · 5 comments
Is there any way, when simply accepting everything for a route path, that it could lead to a directory traversal out of tree? Or do the underlying Symfony methods already protect against it?
Note that the Symfony cookbook suggests that you use .+ over *:
http://symfony.com/doc/current/cookbook/routing/slash_in_parameter.html
I will have a look at the directory traversal thing.
Regarding .+ vs .*: I have to re-check, there is a project where I needed the option to have an empty name for some reason. I think it depends on the use case.
I don't think we can really suggest that users ever use either of those. We need something better.
We could easily provide a ready-to-use routing.yml pointing to the base controller. In combination with the controller configuration you provided, this makes an easy-to-use package:
- configure default controller through config.yml
- import shipped routing file, supplying a base path if required
That's it. Anyone doing their own routing can just copy the sample file.
I don't think there is an easier way that is more transparent. We'd probably have to supply our own Router implementation to make this work without configuring .+. I understand that this is not optimal, but on the other hand I don't think of it as a big issue for users.
For now we should use .+ (I really dislike opening security holes or attack possibilities), and find a solution for an empty name later.
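The point raised in this thread is that a route requirement such as .+ only decides what the router matches; it does nothing to stop the matched string from climbing out of a base directory once a controller turns it into a filesystem path. The following is an added example, not code from the issue or from the project, of the containment check a controller would apply to such a catch-all parameter; it assumes PHP 8 and a hypothetical function name, resolves the path lexically (no filesystem access), and also rejects the empty name that .* would let through.

```php
<?php
declare(strict_types=1);

/**
 * Normalize a catch-all route parameter (matched by ".+") into a relative path
 * that stays inside the controller's base directory.
 * Returns the normalized path, or null if the request must be rejected.
 * Added example; not part of the discussed project.
 */
function resolveWithinBase(string $name): ?string
{
    // ".*" would also match the empty string; treat it as unusable here.
    // Null bytes and backslashes are never legitimate in a URL path segment.
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '\\')) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;          // collapse "a//b" and "a/./b"
        }
        if ($segment === '..') {
            if ($segments === []) {
                return null;   // would climb above the base directory
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    if ($segments === []) {
        return null;           // ".+" matched, but nothing usable remains (e.g. "./")
    }
    return implode('/', $segments);
}

// Constructed inputs, all of which a ".+" requirement would accept as {name}:
$probes = [
    'docs/intro'        => 'docs/intro',
    'docs/../intro'     => 'intro',
    '../../etc/passwd'  => null,
    'docs/../../secret' => null,
    './'                => null,
];
foreach ($probes as $input => $expected) {
    $got = resolveWithinBase($input);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for '$input'");
    }
}
echo "all probes handled as expected\n";
```

The returned relative path is then joined to the base directory by the controller; a request whose parameter normalizes to null should get a 404 rather than being passed to the filesystem.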