Skip to content

Release/6.18.2 #1896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
johanib wants to merge 2 commits into
base: release/6.18
Choose a base branch
from
Open

Release/6.18.2 #1896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7c78659
Update xmlseclibs to 3.1.4
baszoetekouw Dec 8, 2025
573b747
Fix Symfony pathinfo vulnerability patch
johanib Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ Bugfixes:

We do not think this vulnerability can be exploited in Engineblock, but if
you are running EB in production, it might be wise to upgrade to this version anyway.
* Update xmlseclibs dependency to fix canonicalization bypass error

## 6.18.0

Expand Down
2 changes: 1 addition & 1 deletion composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@
}
],
"patches": {
"symfony/http-foundation": {
"symfony/symfony": {
"CVE fix for PATH_INFO vulnerability": "patches/symfony-http-foundation-path-info-cve.patch"
}
}
Expand Down
14 changes: 7 additions & 7 deletions composer.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 3 additions & 8 deletions patches/symfony-http-foundation-path-info-cve.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,10 @@
--- a/vendor/symfony/http-foundation/Request.php
+++ b/vendor/symfony/http-foundation/Request.php
@@ -1984,9 +1984,9 @@ class Request
}

--- a/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php
+++ b/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php
@@ -2012,7 +2012,7 @@ class Request
$pathInfo = substr($requestUri, \strlen($baseUrl));
- if (false === $pathInfo || '' === $pathInfo) {
+ if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
// If substr() returns false then PATH_INFO is set to an empty string
- return '/';
+ return '/'.$pathInfo;
}

return $pathInfo;