Sylius v1.5.9 Release Notes
Release Date: 2020-01-27
CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
Please refer to the original security advisory for the most updated information.
Impact:
This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value, which is `%kernel.debug%`, is not resolved before being cast to boolean; the non-empty placeholder string therefore evaluates as true, enabling this debug feature even if that parameter is set to false.

Patches:
Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds:
Unsupported versions could be patched by adding the following configuration to run in production:

```yaml
sylius_channel:
    debug: false
```
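A constructed PHP illustration of the root cause and of a fail-closed fix, added here as an example and not taken from Sylius's own code. The `ParameterBag` class, the function names and the channel codes are assumptions; the `_channel_code` parameter and the `%kernel.debug%` default are the ones described above.

```php
<?php
// Added example (not Sylius code): why an unresolved "%kernel.debug%" default
// switches the _channel_code feature on in production, and a fail-closed fix.
declare(strict_types=1);

/** Stand-in for Symfony's parameter bag; class and method names are assumed. */
final class ParameterBag
{
    public function __construct(private array $parameters) {}

    /** Replace a "%name%" placeholder with the parameter value, as the container would. */
    public function resolve(mixed $value): mixed
    {
        if (is_string($value) && preg_match('/^%([^%]+)%$/', $value, $m)
            && array_key_exists($m[1], $this->parameters)) {
            return $this->parameters[$m[1]];
        }
        return $value;
    }
}

/** Vulnerable: the default string is cast directly; (bool) "%kernel.debug%" is true. */
function channelDebugEnabledVulnerable(array $config): bool
{
    return (bool) ($config['debug'] ?? '%kernel.debug%');
}

/** Fixed: resolve the placeholder first; anything still not a real boolean reads as false. */
function channelDebugEnabledFixed(array $config, ParameterBag $bag): bool
{
    $debug = $bag->resolve($config['debug'] ?? '%kernel.debug%');
    return is_bool($debug) ? $debug : filter_var($debug, FILTER_VALIDATE_BOOLEAN);
}

/** The GET override must only be honoured when the debug flag is genuinely on. */
function resolveChannelCode(array $query, string $hostChannel, bool $debug): string
{
    return $debug && isset($query['_channel_code']) ? (string) $query['_channel_code'] : $hostChannel;
}

// Constructed production setup: kernel.debug=false and no sylius_channel.debug key.
$prod = new ParameterBag(['kernel.debug' => false]);
$query = ['_channel_code' => 'OTHER_CHANNEL'];
$vulnerable = channelDebugEnabledVulnerable([]);
$fixed = channelDebugEnabledFixed([], $prod);
$workaround = channelDebugEnabledFixed(['debug' => false], $prod);
var_dump($vulnerable, $fixed, $workaround);
var_dump(resolveChannelCode($query, 'WEB_US', $vulnerable));
var_dump(resolveChannelCode($query, 'WEB_US', $fixed));
```

Running it shows the vulnerable path honouring the query override with `kernel.debug` false, while the resolved path and the `debug: false` workaround both keep the host channel.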
Details
- #9050 Added LazyCustomerLoader for OrderType of SyliusAdminApiBundle (@jdeveloper, @lchrusciel)
- #9844 Fix ShippingPercentageDiscountPromotionActionCommand.php (@cosyz2010, @Zales0123)
- #10863 [SyliusUserBundle] Improve output of Promote/DemoteUserCommand (@markbeazley)
- #10901 Fix missing colon (@reyostallenberg)
- #10909 [Taxation] [Shipping] Fixed issue with shipping zones available to select in tax rate form (and the other way) (@plewandowski)
- #10916 [Docs] Improve platform.sh documentation for deployment (@Tomanhez)
- #10922 fix: api URI for getting single product detail (@hsharghi)
- #10923 [Maintenance] Update PR template with supported versions (@lchrusciel)
- #10926 Add lint:container command to the build & fix errors reported by it (@pamil)
- #10935 [Docs] Platform.sh cookbook refinement (@CoderMaggie)
- #10938 [Payum][Paypal] Use full price instead of discounted one (@Prometee)
- #10943 Yaml standards (@sspooky13, @pamil)
- #10947 [Channel] Prevent from adding default tax zone of a channel in a different scope than tax or all (@GSadee)
- #10961 [Maintenance] Remove shipping bundle from spec namespace config (@lchrusciel)
- #10963 Fix phpspec also on 1.5 (@Zales0123, @pamil)
- #10964 [Behat] Disallow w3c in Behat Selenium session (@Zales0123)
- #10979 [Installation] Inform about BitBagCommerce/SyliusCmsPlugin after installing Sylius (@AdamKasp)
- #10995 Move Taxation core service from TaxationBundle to CoreBundle (@hmonglee)
- #11005 SyliusGridBundle downgrade lock (@Tomanhez, @lchrusciel)
- #11006 [API] Fixed OrderController save action issue in non-HTML requests (@pfazzi)
- #11013 Fix typo in PromotionCouponFactoryInterface (@pamil)
- #11019 [Documentation] Add hint about disabling autowire when extending a controller (@adrianmarte)
- #11022 Clarify release process regarding PHP versions + update the table (@pamil)
- #11024 Replace unbound behat/mink dependency with tagged friends-of-behat/mink fork (@pamil)