From 7c78659e5e201461550c254fcb421a0693f63178 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Mon, 8 Dec 2025 13:08:40 +0100 Subject: [PATCH 1/2] Update xmlseclibs to 3.1.4 --- CHANGELOG.md | 1 + composer.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 923997a4f..8992be283 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ Bugfixes: We do not think this vulnerability can be exploited in Engineblock, but if you are running EB in production, it might be wise to upgrade to this version anyway. +* Update xmlseclibs dependency to fix canonicalization bypass error ## 6.18.0 diff --git a/composer.lock b/composer.lock index 5008e0367..09183abfb 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "7dcd1508425a1b7a2d07485698a9c88c", + "content-hash": "b9dfa84eba00028f8b823b55d28c665d", "packages": [ { "name": "beberlei/assert", @@ -2679,16 +2679,16 @@ }, { "name": "robrichards/xmlseclibs", - "version": "3.1.3", + "version": "3.1.4", "source": { "type": "git", "url": "https://github.com/robrichards/xmlseclibs.git", - "reference": "2bdfd742624d739dfadbd415f00181b4a77aaf07" + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/2bdfd742624d739dfadbd415f00181b4a77aaf07", - "reference": "2bdfd742624d739dfadbd415f00181b4a77aaf07", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/bc87389224c6de95802b505e5265b0ec2c5bcdbd", + "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd", "shasum": "" }, "require": { 
@@ -2715,9 +2715,9 @@
 ],
 "support": {
 "issues": "https://github.com/robrichards/xmlseclibs/issues",
- "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.3"
+ "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.4"
 },
- "time": "2024-11-20T21:13:56+00:00"
+ "time": "2025-12-08T11:57:53+00:00"
 },
 {
 "name": "sensio/framework-extra-bundle",

From 573b74746e7792c4c99759cd30763dc8f344d7be Mon Sep 17 00:00:00 2001
From: Johan Kromhout
Date: Tue, 9 Dec 2025 08:41:23 +0100
Subject: [PATCH 2/2] Fix Symfony pathinfo vulnerability patch

Prior to this change, the patch was failing due to it being built for the incorrect version. This change fixes that and ensures the patch is applied correctly.
---
 composer.json | 2 +-
 patches/symfony-http-foundation-path-info-cve.patch | 11 +++--------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/composer.json b/composer.json
index 1ed6a7022..1a7d2d33f 100644
--- a/composer.json
+++ b/composer.json
@@ -130,7 +130,7 @@
 }
 ],
 "patches": {
- "symfony/http-foundation": {
+ "symfony/symfony": {
 "CVE fix for PATH_INFO vulnerability": "patches/symfony-http-foundation-path-info-cve.patch"
 }
 }
diff --git a/patches/symfony-http-foundation-path-info-cve.patch b/patches/symfony-http-foundation-path-info-cve.patch
index c97701643..ad1392884 100644
--- a/patches/symfony-http-foundation-path-info-cve.patch
+++ b/patches/symfony-http-foundation-path-info-cve.patch
@@ -1,8 +1,6 @@
---- a/vendor/symfony/http-foundation/Request.php
-+++ b/vendor/symfony/http-foundation/Request.php
-@@ -1984,9 +1984,9 @@ class Request
- }
- 
+--- a/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php
++++ b/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php
+@@ -2012,7 +2012,7 @@ class Request
 $pathInfo = substr($requestUri, \strlen($baseUrl));
 - if (false === $pathInfo || '' === $pathInfo) {
 + if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
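Review bot: The rewritten inner hunk header `+@@ -2012,7 +2012,7 @@ class Request` declares seven old and seven new lines, but the patch body that survives across this hunk and the next one in the same file is the `$pathInfo = substr(...)` line, the `if`/`return` pairs, the closing brace and the single unchanged line that sits between the two hunks (old line 9, not shown) — five per side once the leading `}`/blank and trailing blank/`return $pathInfo;` context are removed; the old `@@ -1984,9 +1984,9 @@` header did match its nine-line body. `git apply` rejects a hunk whose counts disagree with its body (GNU `patch` is, as far as I know, equally strict), so unless the patch plugin is configured to fail the install on a rejected patch the PATH_INFO fix could silently be absent from the deployed vendor tree; either regenerate the patch with `git diff` against the installed `symfony/symfony` or correct the header to `@@ -2012,5 +2012,5 @@ class Request` (the start line 2012 cannot be verified from here). The `a/vendor/symfony/symfony/src/...` prefixes also only apply because the plugin retries from the package root at deeper strip levels; `a/src/Symfony/Component/HttpFoundation/Request.php` would apply at the default `-p1` on any plugin version. The remainder of this patch file is in the following hunk.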
@@ -10,6 +8,3 @@
 - return '/';
 + return '/'.$pathInfo;
 }
- 
- return $pathInfo;
-