Releases: willdurand/BazingaJsTranslationBundle
2.2.1 (2015-04-13)
- Fixed: documentation (change the doc to let composer guess the version constraint)
- Fixed: now using chmod 0777 on all occurrences of mkdir
2.2.0 (2015-01-03) — First Release in 2015!
- Added: allow to set expiration time for translations
- Added: new parameters: active locales and active domains
- Fixed: don’t make the fallback locale the only one active
2.1.4 (2014-11-03)
- Fixed: allow all sorts of locales (see #119)
2.1.3 (2014-10-29)
- Fixed: better locale filtering
2.1.2 (2014-10-27)
- Added: docs for Angular integration
- Fixed: fallback path through multipart locales
- Fixed: travis-ci configuration
2.1.1 (2014-07-29) - Security Fix - Please update NOW!
This is a security release. All users MUST upgrade to this release to prevent two potential security issues:
- path traversal attack
- remote code injection
These two security issues have been reported by Andreas Forsblom. THANKS!
Below is the original report Andreas sent me:
Hi William,
First, thank you for a very useful bundle :)
Unfortunately, while investigating if a Symfony project I'm working on was vulnerable to the recent translation-related Symfony security issue (CVE-2014-4931), fixed in Symfony 2.5.2, I discovered that JsTranslationBundle seems to be vulnerable to an unrelated path traversal attack, and potentially also a JS injection attack.
---
If I try to retrieve the translations using the following url:
http://localhost/translations?locales=randomstring/something
the file something.js gets created in the subdirectory messages.randomstring of the cache directory:
/var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/something.js
(this is the actual string that gets passed to the constructor of ConfigCache by the JsTranslationBundle controller)
I can now traverse down from the JsTranslationBundle cache directory (without first creating the "messages.randomstring" directory using the previous step, this won't work):
http://localhost/translations?locales=randomstring/../../evil
becomes
/var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../evil.js
... and depending on the configuration of the server, I could also do
http://localhost/translations?locales=randomstring/../../../../../web/evil
=>
/var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../../../../web/evil.js
thus creating the file evil.js (and evil.js.meta) under the Symfony web root. Depending on file system permissions, this will also overwrite existing files.
---
Again depending on the server configuration, it also seems to be possible to inject actual JavaScript code:
http://localhost/translations?locales=foo%0Auncommented%20code;
=>
```javascript
(function (Translator) {
Translator.fallback = 'en';
Translator.defaultDomain = 'messages';
// foo
uncommented code;
})(Translator);
```
This works on some systems I tried, but not others. I suspect it might be related to the character set configuration, but I haven't investigated it further yet.
---
I did my testing using JsTranslationBundle 2.1.0 and Symfony 2.5.2.
Since this is a security issue, I didn't want to submit a pull request or use the GitHub issue tracker.
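Added example, not code from the bundle, from the 2.1.1 fix commits, or from Andreas's report: a stand-alone PHP script that reproduces the two primitives described above (a locale taken straight from the `locales` query parameter and concatenated into a cache file name, and the same value echoed into a `//` line comment of the generated script) next to a hardened version that whitelists the locale before it reaches either sink. The cache directory, helper names and the locale regex are assumptions for illustration only, not the project's own code.

```php
<?php
// Added example (not the bundle's own code). Shows why an unchecked locale is
// both a path-traversal and a JS-injection primitive, and one way to close both
// holes at once: validate the value before it touches a path or the output.
// CACHE_DIR, the helper names and the locale regex are assumptions.

declare(strict_types=1);

const CACHE_DIR = '/var/www/someproject/app/cache/dev/bazinga-js-translation';

// Vulnerable: the locale is concatenated into the file name unchecked, so
// "randomstring/../../evil" yields "messages.randomstring/../../evil.js",
// which ConfigCache would happily create outside the cache directory.
function buildCachePathUnsafe(string $domain, string $locale): string
{
    return CACHE_DIR . '/' . $domain . '.' . $locale . '.js';
}

// Vulnerable: the locale is echoed into a line comment, so a %0A in the query
// string ends the comment and whatever follows is executed as JavaScript.
function renderHeaderUnsafe(string $locale): string
{
    return "(function (Translator) {\n"
         . "// " . $locale . "\n"
         . "})(Translator);\n";
}

// Hardened: accept only locale tags built from letters, digits, '_' and '-'
// (e.g. "en", "pt-BR", "zh_Hans_CN"). The D modifier makes '$' reject a
// trailing newline, which PCRE would otherwise tolerate. Assumed pattern.
function assertValidLocale(string $locale): void
{
    if (!preg_match('/^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{1,8})*$/D', $locale)) {
        throw new InvalidArgumentException(
            sprintf('Invalid locale "%s"', addcslashes($locale, "\0..\37"))
        );
    }
}

// The bundle takes a comma-separated list; validate every element.
function parseLocales(string $query): array
{
    $locales = array_map('trim', explode(',', $query));
    foreach ($locales as $locale) {
        assertValidLocale($locale);
    }
    return $locales;
}

function buildCachePathSafe(string $domain, string $locale): string
{
    assertValidLocale($locale);   // no '/', '\' or '.' can survive the regex
    return CACHE_DIR . '/' . $domain . '.' . $locale . '.js';
}

function renderHeaderSafe(string $locale): string
{
    assertValidLocale($locale);
    // json_encode emits a JS string literal, so even a permitted value can
    // never break out of the comment or the literal.
    return "(function (Translator) {\n"
         . "// locale: " . json_encode($locale) . "\n"
         . "})(Translator);\n";
}

// Constructed inputs mirroring the report (not real traffic).
$inputs = [
    'en',
    'pt-BR',
    'randomstring/something',
    'randomstring/../../../../../web/evil',
    "foo\nuncommented code;",
];

foreach ($inputs as $locale) {
    echo 'locale: ', json_encode($locale), "\n";
    echo '  unsafe path: ', buildCachePathUnsafe('messages', $locale), "\n";
    try {
        echo '  safe path:   ', buildCachePathSafe('messages', $locale), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  rejected:    ', $e->getMessage(), "\n";
    }
}

$evil = "foo\nuncommented code;";
echo "\n--- unsafe header (second line is live code) ---\n", renderHeaderUnsafe($evil);
try {
    echo renderHeaderSafe($evil);
} catch (InvalidArgumentException $e) {
    echo 'safe header rejected: ', $e->getMessage(), "\n";
}
echo "\n--- safe header for a valid locale ---\n", renderHeaderSafe('pt-BR');
```

Run with `php example.php`. The two traversal inputs and the newline payload are rejected by `assertValidLocale` before a path or a comment is built, while `en` and `pt-BR` pass through unchanged; note that `renderHeaderSafe` still quotes the value with `json_encode`, so the output stays well-formed even if the whitelist is later loosened (as 2.1.4's "allow all sorts of locales" did).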
Three commits fixed these issues: df6c0fd, 7accee9, and 6ee06b9.
You will find three patch files below in case you can't easily upgrade to this release.
Changelog
- Fixed: change test related to path traversal attack
- Fixed: potential code injection via `locale` parameter
- Added: test to prove a path traversal attack
- Added: HHVM support in travis-ci
2.1.0 (2014-04-25)
- Added: retry on locale fallback in case the locale exists but not the domain
- Added: tests when using `es5-shim` and `transChoice` in MSIE8
- Added: support for `pt-BR` lang attribute
- Fixed: prevent iterating over shim-ed `Array.prototype` methods
Important: This bundle is now tested against PHP 5.4, 5.5, and 5.6. No effort will be made to keep the code "5.3 compliant".
Thanks to all contributors!
1.2.2 - Symfony 2.1 Compatibility Fix
- Fixed: Symfony 2.1 is now supported again
Release 2.0.0 — Yeah!
After having released four pre-release versions (2.0.0-alpha1, 2.0.0-alpha2, 2.0.0-alpha3, and 2.0.0-alpha4), the first new stable major version, aka 2.0.0, is released!
You will find all the details in the different pre-release descriptions linked above. Don't forget to read the bundled UPGRADE
file. The documentation is up to date too.
🚢 ⭐ 🌠 🌟 🎉 💥 🍰 🍬
Thanks!
2.0.0-alpha4 - Fourth release before the upcoming major version!
The package name has been renamed from willdurand/expose-translation-bundle to willdurand/js-translation-bundle. This release "replaces" the old package with the new one.