Sylius v1.6.4 Release Notes
Release Date: 2019-12-05 // over 4 years ago-
๐ป CVE-2019-16768: Internal exception message exposure in login action.
Details:
๐ป Exception messages from internal exceptions (like database exception) are wrapped by
๐\Symfony\Component\Security\Core\Exception\AuthenticationServiceException
and propagated through the system to UI.
Therefore, some internal system information may leak and be visible to the customer.๐ฒ A validation message with the exception details will be presented to the user when one will try to log into the shop.
Solution:
๐ This release patches the reported vulnerability. The
src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and{{ messages.error(last_error.message) }}
changed to{{ messages.error(last_error.messageKey) }}
.Details
- ๐ #10835 Improve deprecation message for "Sylius\Bundle\CoreBundle\Application\Kernel" (@pamil)
- ๐ #10837 Remove unused templating engine from RemoveAvatarAction (@pamil)
- ๐ #10841 [Docs] Include link to ShopApi docs to REST API Reference (@Zales0123)
- โก๏ธ #10842 [Docs] Update core team (@lchrusciel)
- #10844 Clarify BC promise for final controllers (@pamil)
- #10846 [Order] Include order unit promotion adjustments and order item promotion adjustments in order promotion total (@Tomanhez)
- ๐ #10849 Move ShopApi reference to main menu (@Zales0123)
- #10853 [Behat][Admin][Order] Fix scenarios for displaying promotions on 1.6 after upmerge (@GSadee)
- ๐ #10855 [Docs] Open external links in a new tab (@Zales0123)
- #10857 Change readme banner (@kulczy)
- #10865 [Admin][Promotion] Fix the prevention of generating too many coupons (@GSadee)
- #10880 [Promotion] Improve coupon generation validation message (@GSadee)
- ๐ #10881 Add docs banner (@kulczy)
- โก๏ธ #10889 [Fixtures] Update product names (@CoderMaggie)
- ๐ #10890 Fix build - remove redundant validation message part (@Zales0123)
- ๐ #10891 Update release process docs for 1.2 (@pamil)