CVE-2026-49211: Information exposure via unescaped LIKE wildcards in EntitySearchUtil

Affected versions

Versions >=2.2.0 <2.36.0 and >=3.0.0 <3.1.0 of the Symfony UX Autocomplete
component are affected by this security issue.

The issue has been fixed in Symfony UX Autocomplete 2.36.0 and 3.1.0.

Description

Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds
the LIKE expression used by the autocomplete endpoint by wrapping the
client-supplied query in %...% without escaping the SQL LIKE wildcards
(%, _, \). The value is passed as a bound parameter, so this is not
SQL injection, but a client can send % to match every row or use _ as a
single-character wildcard.

Because searchable_fields defaults to every property of the entity and the
autocomplete endpoint is public by default (BaseEntityAutocompleteType
ships with security => false), an unauthenticated user can turn the
endpoint into a broad matcher or a blind boolean oracle against every column of
the entity, including columns the application never intended to expose.
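The two defaults named above (searchable_fields covering every property, and security => false) are both options of the autocomplete field type, so an application can narrow them without waiting for a component upgrade. The following field type is an added example, not code from the Symfony UX project; the attribute and parent type names follow the component's documented pattern, while App\Entity\User, the displayName property and the ROLE_USER requirement are assumptions for illustration.

```php
<?php
// Added example (not the project's code): an autocomplete field type that
// narrows the defaults described in the advisory. App\Entity\User, the
// displayName property and ROLE_USER are assumed for illustration.

namespace App\Form;

use App\Entity\User;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\UX\Autocomplete\Form\AsEntityAutocompleteField;
use Symfony\UX\Autocomplete\Form\BaseEntityAutocompleteType;

#[AsEntityAutocompleteField]
class UserAutocompleteField extends AbstractType
{
    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            'class' => User::class,
            // Search only the column meant to be searched, instead of the
            // default of every property of the entity.
            'searchable_fields' => ['displayName'],
            // Require an authenticated role instead of the public default
            // (security => false), so anonymous clients cannot query at all.
            'security' => 'ROLE_USER',
        ]);
    }

    public function getParent(): string
    {
        return BaseEntityAutocompleteType::class;
    }
}
```

Restricting searchable_fields limits which columns a wildcard query can touch, and setting security to a role (or a callable) removes unauthenticated access to the endpoint; the wildcard escaping itself still has to come from the fixed EntitySearchUtil.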

Resolution

EntitySearchUtil now escapes \, %, and _ in the user-supplied
query with addcslashes() and appends an explicit ESCAPE '\' clause to
the generated LIKE expression, so those characters are matched literally.
The exact-match words_query IN() branch is unchanged.
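The difference between the vulnerable pattern described under Description and the escaped pattern described here can be observed directly. The script below is an added example and not code from the Symfony UX project: it replaces Doctrine with PDO over an in-memory SQLite database (the pdo_sqlite extension is assumed) and uses a constructed users table, but builds the LIKE pattern the same two ways, first as %query% and then with addcslashes() plus an ESCAPE '\' clause.

```php
<?php
// Added example (not the project's code): contrasts the unescaped LIKE
// pattern with the escaped one. PDO + SQLite stand in for Doctrine so the
// script runs stand-alone; the users table and its rows are constructed.

declare(strict_types=1);

/** Vulnerable form: wildcards in $query keep their LIKE meaning. */
function unescapedPattern(string $query): string
{
    return '%' . $query . '%';
}

/** Fixed form: backslash, % and _ are escaped so they match literally. */
function escapedPattern(string $query): string
{
    return '%' . addcslashes($query, '\\%_') . '%';
}

/** Counts rows whose email matches $pattern, with or without ESCAPE '\'. */
function countMatches(PDO $pdo, string $pattern, bool $withEscape): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE email LIKE :q'
        . ($withEscape ? " ESCAPE '\\'" : '');
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['q' => $pattern]); // still a bound parameter in both cases
    return (int) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (email) VALUES (:e)');
foreach (['alice@example.test', 'bob@example.test', 'a_c@example.test', 'abc@example.test'] as $email) {
    $insert->execute(['e' => $email]); // constructed sample rows
}

// '%' alone, '_' alone, a literal underscore inside a word, and a plain word.
foreach (['%', '_', 'a_c', 'alice'] as $query) {
    printf(
        "query %-8s unescaped: %d  escaped: %d\n",
        var_export($query, true),
        countMatches($pdo, unescapedPattern($query), false),
        countMatches($pdo, escapedPattern($query), true)
    );
}
```

With the unescaped pattern a bare % matches every row and a_c also matches abc, which is the broad-matcher behaviour the advisory describes; with the escaped pattern and ESCAPE clause the same inputs are matched as literal characters only. The bound parameter is identical in both cases, which is why the issue is information exposure rather than SQL injection.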

The patch for this issue is available here
for branch 2.x (and forward-ported to 3.x).

Credits

We would like to thank Pascal Cescon for reporting the issue and providing the
fix.
