Affected versions
Symfony versions >=2.5.0, <2.36.0, >=3.0.0, <3.1.0 of the Symfony UX Live
Component component are affected by this security issue.
The issue has been fixed in Symfony 2.36.0, 3.1.0.
Description
Symfony
iterates over the client-supplied actions array and issues a full
HttpKernel sub-request for each entry (event subscribers, validators,
Doctrine, rendering). The array size is never bounded, so an authenticated
client can submit a single _batch request containing thousands of actions
and exhaust CPU, memory, and database connections on the application server.
Resolution
BatchActionController now enforces an upper bound of 50 actions per
_batch request (MAX_ACTIONS_PER_BATCH) and rejects larger payloads up
front with a BadRequestHttpException. The matching JavaScript backend was
also updated to split larger client-side batches into multiple requests so
legitimate usage isn’t affected.
The patch for this issue is available here
for branch 2.x (and forward-ported to 3.x).
Credits
We would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume
for providing the fix.
