Please refer to the original security advisory for the most updated information.
Impact:
This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.
However, if no sylius_channel.debug is set explicitly in the configuration, the default value, which is %kernel.debug%, will not be resolved and is cast to boolean, enabling this debug feature even if that parameter is set to false.
Patches:
A patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds:
Unsupported versions could be patched by adding the following configuration to run in production:
sylius_channel:
    debug: false
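The following is an added example, not Sylius code, that shows the failure mode described above and the effect of the workaround: a configuration default that is the unresolved placeholder string '%kernel.debug%' is truthy when cast to boolean, whereas resolving it against the container parameters (or setting debug: false explicitly, as the workaround does) yields the intended value. It assumes the Symfony DependencyInjection component is installed via Composer; the function names and the query-parameter gate are illustrative only and do not reproduce Sylius' internal implementation.

```php
<?php
// Added example, not part of Sylius. Assumes symfony/dependency-injection is
// available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\DependencyInjection\ParameterBag\ParameterBag;

/**
 * Mirrors the flawed behaviour described in the advisory (assumed mechanism):
 * the configured value is cast to bool without resolving '%...%' placeholders,
 * so the non-empty string '%kernel.debug%' counts as true.
 */
function naiveDebugFlag($configuredValue): bool
{
    return (bool) $configuredValue;
}

/**
 * Hardened form: resolve parameter placeholders against the container's
 * parameter bag before casting, so '%kernel.debug%' follows kernel.debug.
 */
function resolvedDebugFlag($configuredValue, ParameterBag $params): bool
{
    return (bool) $params->resolveValue($configuredValue);
}

/**
 * Illustrative gate: the _channel_code override is honoured only when the
 * debug flag is genuinely enabled. Hypothetical helper, not Sylius code.
 */
function channelCodeOverride(array $queryParams, bool $debug): ?string
{
    if (!$debug) {
        return null;
    }

    return isset($queryParams['_channel_code']) ? (string) $queryParams['_channel_code'] : null;
}

// Constructed production parameters: kernel.debug is false.
$production = new ParameterBag(['kernel.debug' => false]);

// What the configuration tree yields when sylius_channel.debug is not set.
$unresolvedDefault = '%kernel.debug%';

// Constructed request query string carrying the override.
$query = ['_channel_code' => 'EU_WEB'];

// Unresolved default, naive cast: debug is on and the override is honoured.
var_dump(naiveDebugFlag($unresolvedDefault));
var_dump(channelCodeOverride($query, naiveDebugFlag($unresolvedDefault)));

// Same default, resolved first: debug is off and the override is ignored.
var_dump(resolvedDebugFlag($unresolvedDefault, $production));
var_dump(channelCodeOverride($query, resolvedDebugFlag($unresolvedDefault, $production)));

// The advisory's workaround: an explicit false needs no resolution at all.
var_dump(resolvedDebugFlag(false, $production));
```

Run with `php example.php` after `composer require symfony/dependency-injection`. The naive cast reports the debug feature as enabled and returns the channel code from the query string even though kernel.debug is false; both the resolved default and the explicit `debug: false` report it as disabled, so the override is ignored.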
- #9050 Added LazyCustomerLoader for OrderType of SyliusAdminApiBundle (@jdeveloper, @lchrusciel)
- #9844 Fix ShippingPercentageDiscountPromotionActionCommand.php (@cosyz2010, @Zales0123)
- #10863 [SyliusUserBundle] Improve output of Promote/DemoteUserCommand (@markbeazley)
- #10901 Fix missing colon (@reyostallenberg)
- #10909 [Taxation] [Shipping] Fixed issue with shipping zones available to select in tax rate form (and the other way) (@plewandowski)
- #10916 [Docs] Improve platform.sh documentation for deployment (@Tomanhez)
- #10922 fix: api URI for getting single product detail (@hsharghi)
- #10923 [Maintenance] Update PR template with supported versions (@lchrusciel)
- #10926 Add lint:container command to the build & fix errors reported by it (@pamil)
- #10935 [Docs] Platform.sh cookbook refinement (@CoderMaggie)
- #10938 [Payum][Paypal] Use full price instead of discounted one (@Prometee)
- #10943 Yaml standards (@sspooky13, @pamil)
- #10947 [Channel] Prevent from adding default tax zone of a channel in a different scope than tax or all (@GSadee)
- #10961 [Maintenance] Remove shipping bundle from spec namespace config (@lchrusciel)
- #10963 Fix phpspec also on 1.5 (@Zales0123, @pamil)
- #10964 [Behat] Disallow w3c in Behat Selenium session (@Zales0123)
- #10979 [Installation] Inform about BitBagCommerce/SyliusCmsPlugin after installing Sylius (@AdamKasp)
- #10995 Move Taxation core service from TaxationBundle to CoreBundle (@hmonglee)
- #11005 SyliusGridBundle downgrade lock (@Tomanhez, @lchrusciel)
- #11006 [API] Fixed OrderController save action issue in not html requests (@pfazzi)
- #11013 Fix typo in PromotionCouponFactoryInterface (@pamil)
- #11019 [Documentation] Add hint about disabling autowire when extending a controller (@adrianmarte)
- #11022 Clarify release process regarding PHP versions + update the table (@pamil)
- #11024 Replace unbound behat/mink dependency with tagged friends-of-behat/mink fork (@pamil)
Details:
Exception messages from internal exceptions (like database exceptions) are wrapped by
\Symfony\Component\Security\Core\Exception\AuthenticationServiceException
and propagated through the system to the UI.
Therefore, some internal system information may leak and be visible to the customer:
a validation message with the exception details will be presented to the user when they try to log into the shop.
Solution:
This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and {{ messages.error(last_error.message) }}
changed to {{ messages.error(last_error.messageKey) }}.
- #10835 Improve deprecation message for "Sylius\Bundle\CoreBundle\Application\Kernel" (@pamil)
- #10841 [Docs] Include link to ShopApi docs to REST API Reference (@Zales0123)
- #10846 [Order] Include order unit promotion adjustments and order item promotion adjustments in order promotion total (@Tomanhez)
- #10849 Move ShopApi reference to main menu (@Zales0123)
- #10855 [Docs] Open external links in a new tab (@Zales0123)
- #10857 Change readme banner (@kulczy)
- #10880 [Promotion] Improve coupon generation validation message (@GSadee)
- #10881 Add docs banner (@kulczy)
- #10891 Update release process docs for 1.2 (@pamil)
- #9931 [Payum] infinite loop on state machine exception fixed (@tautelis)
- #10734 Added: TimestampableInterface to core TaxonInterface (fixes #10728) (@igormukhingmailcom)
- #10748 Switch statement conditions (@mikemix)
- #10750 Fix compound form errors (@loic425)
- #10752 Translate attribute type on attributes grid (@loic425)
- #10755 [Docs] Add tag that stripe is outdated and add SCA note (@Tomanhez, @GSadee)
- #10761 Replace EntityManager#flush($entity) by EntityManager#flush() (@twojtylak)
- #10764 [Behat] Fix a typo on Paypal context (@loic425)
- #10769 Remove unsupported RBAC plugin from command and docs (@GSadee)
- #10773 Update ad url (@kulczy)
- #10776 [Behat] Remove final on product index and product variant index pages (@loic425)
- #10781 Allow no default tax zone in channel fixtures (@pamil)
- #10790 [ShippingMethod] Do not allow to specify shipping charge below 0 (@Zales0123)
- #10792 [Behat][Admin] Add scenarios for validating default locale for a channel (@GSadee)
- #10793 [Admin][Channel] Validating default locale for a channel (@GSadee)
- #10805 [Addressing] Make sure the CountryNameExtension::translateCountryIsoCode() always returns a string (@vvasiloi)
- #10806 [Order] include order promotion adjustments in order promotion total (@vvasiloi)
- #10819 Fixed: Typo/artifact (@igormukhingmailcom)
- #10820 Rename shop user factory to help autowiring (@loic425)
- #10821 Specify PHP version for SymfonyInsights (@pamil)
- #10823 Remove unnecessary +x chmod on some files (@pamil)
- #10824 Use SessionInterface instead of Session in UserImpersonator (@pamil)
- #10825 Fixed: Typo at grid configuration example (@igormukhingmailcom)
- #10826 Execute PHPUnit tests inside AdminApiBundle (@pamil)
- #10832 Do not merge promotion action configuration (@pamil)
- #10641 [Documentation] Fixtures customization guides - fixes (@CoderMaggie, @Zales0123)
- #10644 [Documentation] Add tip about locked adjustments (@j0r1s)
- #10645 [Docs] Fix Blackfire Ad (@Tomanhez)
- #10646 [Docs] Fix Ad (@Tomanhez)
- #10649 Update online course ad (@kulczy)
- #10652 Add Sylius 1.6 banner to the docs (@kulczy)
- #10667 Improve GUS information notification (@Zales0123)
- #10680 Fix ChannelCollector related serialization issue in Symfony profiler (@ostrolucky)
- #10701 [Maintenance] Update docs with v1.6 (@lchrusciel)
- #10710 [Address book] Extensibility improvements (@cyrosy)
- #10713 [Behat] Improve dashboard page extensibility (@loic425)
- #10727 Fix channels label size and alignment (@kulczy)
- #10732 Update course ad (@kulczy)
- #10739 [Admin][Adressing] fixed province code validation regex (@twojtylak)
- #10742 Fix the build for 1.5 and 1.6 branches (@pamil)
- #10395 [Docs] How to add your custom fixtures? (@Tomanhez)
- #10397 [Docs]How to add your custom fixture suites? (@Tomanhez)
- #10512 [Admin] Improve breadcrumbs (especially for ProductVariants and PromotionCoupons) (@CoderMaggie)
- #10540 Skip oauth_user_factory_is_not_overridden test if HWIOAuthBundle is not installed (@vvasiloi)
- #10553 Flags are not languages (@vvasiloi)
- #10558 Allow translation of custom labels (@Prometee)
- #10564 [Fixture] Improve order fixture (@Zales0123)
- #10571 Update custom-promotion-rule.rst (@jmwill86)
- #10579 Fix lazy choice tree will not automatically expanded (@tom10271)
- #10583 Enable sorting of customer orders in admin panel (@pamil)
- #10589 [Documentation][Cookbook] How to integrate a Payment Gateway as a Plugin? (@lchrusciel)
- #10598 Add course ad (@kulczy)
- #10599 [Documentation] Delete additional lines to remove ShopBundle (@wpje)
- #10600 [Documentation][Minor] Removing redundant dots (@lchrusciel)
- #10601 Change course CTA (@kulczy)
- #10603 [Shop] Promotion integrity checker fix (@lchrusciel)
- #10605 [Admin][Shipment] Not displaying shipments in cart state on the list (@GSadee)
- #10608 [Docs] Fix incorrect documentation regarding payments (@dimaip)
- #10609 [Documentation][Minor] Proper comment in xml file (@lchrusciel)
- #10613 [PayumBundle] Use Payment amount in Payum gateways actions (, @Zales0123)
- #10618 [Fixtures] Allow no shipping and payments in fixtures (@igormukhingmailcom, @Zales0123)
- #10624 Disable chrome autocomplete (@kulczy)
- #10626 [Fixture] Do not skip payments and shipments manually (@Zales0123)
- #10629 [Docs] Add missing items to customization guide menu (@Zales0123)
- #10633 Add Blackfire ad (@kulczy)
- #10634 Add Blackfire logo (@kulczy)
- #10069 [ShopBundle][PayumBundle] FIX payum authorize route (@JaisDK, @pamil, @lchrusciel)
- #10116 Allow nullable shop billing data (@Zales0123, @pamil)
- #10121 [GridBundle] Doc improvement (@Roshyo)
- #10149 Add index on order.cart + order.updated_at for faster expired cart removal selection (@stefandoorn)
- #10161 Orders index API endpoint (@JaisDK, @Zales0123)
- #10163 [BuildFix] Fix AbstractMigration use statement (@Zales0123)
- #10166 ShopBillingData fixtures (@Zales0123)
- #10199 Allowing options to be given with resource[0].id syntax (@Roshyo)
- #10202 Expanding the customer fixtures (@mamazu)
- #10209 [Shop] Use first variant image on a cart page (@castler, @Zales0123)
- #10212 Update UPGRADE-1.3.md diff link (@oallain)
- #10233 Payment status at order history page (@AdamKasp)
- #10234 Orders shipment status (@Tomanhez)
- #10240 #9965 Feature/local in sylius install (@oallain)
- #10249 Browsing shipments (@AdamKasp)
- #10250 See Manage coupons from template edit promotion (@Tomanhez)
- #10258 Changing shipment state in shipment index (@AdamKasp)
- #10260 Show order directly from shipments page (@AdamKasp)
- #10271 select filter + filter shipment by state (@AdamKasp)
- #10281 Improved: Product fixture (fixed #10272) (@igormukhingmailcom)
- #10310 [PromotionCoupon] Non reusable coupons after cancelling the orders (@GSadee)
- #10316 [Admin][Product] Access the variants management from product edit page (@GSadee)
- #10318 [Admin][Promotion] Update promotion menu builder name to be consistent with other (@GSadee)
- #10346 Fix the master build by requiring ^1.5 Grid & GridBundle (@pamil)
- #10380 [Behat] Fix duplicate step definition (@Zales0123)
- #10410 Fix typo (@dnna)
- #10496 [UPGRADE] Mention locale requirement change in UPGRADE-1.5 (@Zales0123)
- #10191 [taxon_fixtures] Fix child taxon slug generation (@tannyl)
- #10371 [Docs] How to find out the resource config required when customizing models (@4c0n)
- #10384 "Getting Started with Sylius" guide (@Zales0123, @CoderMaggie)
- #10389 [UI] Hide filters by default on index pages (@Zales0123, @pamil)
- #10404 Fix huge autocomplete queries issue (@bitbager, @pamil)
- #10410 Fix typo (@dnna)
- #10412 [Docs] Added tip for using group sequence validations (@4c0n)
- #10423 [Doc] End of bugfix support for 1.3 (@lchrusciel)
- #10426 Using client from browser kit component instead of http kernel component (@loevgaard)
- #10432 Add known errors section to UPGRADE file (@pamil)
- #10433 Bump fstream from 1.0.11 to 1.0.12 (@dependabot[@bot])
- #10440 Fix removing taxons with numeric codes from products (@vvasiloi)
- #10445 Fix typos and grammar in the Getting Started guide (@pamil)
- #10446 Update the 1.1 version status in the release process docs (@pamil)
- #10450 Fix interfaces mapping in Doctrine for admin user and shop user (@pamil)
- #10462 [Docs] Update Sylius versions in installation and contribution guides (@GSadee)
- #10364 As an Administrator, I want always to have proper option values selected while editing a product variant (@Tomanhez, @monro93)
- #10372 Image display in edit form (@AdamKasp)
- #10375 [Docs] Update "Customizing State Machine" (@AdamKasp)
- #10386 [Build Fix][Behat] Change scenarios to @javascript due to taxon tree changes (@Zales0123)
- #10394 Fix error caused by the taxon tree (@kulczy)
- #10407 Bump the Sylius release versions in docs (@teohhanhui)
- #10414 Use HTTPS links when possible (@javiereguiluz)
- Extracted packages from the core (#10325, #10326, #10327)
- Added order index API endpoint (#10161)
- Added ability to customise whether coupons should be reusable after canceling an order using them (#10310)
- Added shipments list view in the admin panel (#10249)
- Added ability to define locale used by Sylius during the installation (#10240)
- #10069 [ShopBundle][PayumBundle] FIX payum authorize route (@JaisDK, @pamil, @lchrusciel)
- #10116 Allow nullable shop billing data (@Zales0123, @pamil)
- #10121 [GridBundle] Doc improvement (@Roshyo)
- #10149 Add index on order.cart + order.updated_at for faster expired cart removal selection (@stefandoorn)
- #10161 Orders index API endpoint (@JaisDK, @Zales0123)
- #10163 [BuildFix] Fix AbstractMigration use statement (@Zales0123)
- #10166 ShopBillingData fixtures (@Zales0123)
- #10199 Allowing options to be given with resource[0].id syntax (@Roshyo)
- #10202 Expanding the customer fixtures (@mamazu)
- #10209 [Shop] Use first variant image on a cart page (@castler, @Zales0123)
- #10233 Payment status at order history page (@AdamKasp)
- #10234 Orders shipment status (@Tomanhez)
- #10240 #9965 Feature/local in sylius install (@oallain)
- #10249 Browsing shipments (@AdamKasp)
- #10250 See Manage coupons from template edit promotion (@Tomanhez)
- #10258 Changing shipment state in shipment index (@AdamKasp)
- #10260 Show order directly from shipments page (@AdamKasp)
- #10271 select filter + filter shipment by state (@AdamKasp)
- #10281 Improved: Product fixture (fixed #10272) (@igormukhingmailcom)
- #10310 [PromotionCoupon] Non reusable coupons after cancelling the orders (@GSadee)
- #10316 [Admin][Product] Access the variants management from product edit page (@GSadee)
- #10318 [Admin][Promotion] Update promotion menu builder name to be consistent with other (@GSadee)
- #10346 Fix the master build by requiring ^1.5 Grid & GridBundle (@pamil)
Will be provided for the stable release.
- #10069 [ShopBundle][PayumBundle] FIX payum authorize route (@JaisDK, @pamil, @lchrusciel)
- #10116 Allow nullable shop billing data (@Zales0123, @pamil)
- #10121 [GridBundle] Doc improvement (@Roshyo)
- #10149 Add index on order.cart + order.updated_at for faster expired cart removal selection (@stefandoorn)
- #10161 Orders index API endpoint (@JaisDK, @Zales0123)
- #10163 [BuildFix] Fix AbstractMigration use statement (@Zales0123)
- #10166 ShopBillingData fixtures (@Zales0123)
- #10199 Allowing options to be given with resource[0].id syntax (@Roshyo)
- #10202 Expanding the customer fixtures (@mamazu)
- #10209 [Shop] Use first variant image on a cart page (@castler, @Zales0123)
- #10212 Update UPGRADE-1.3.md diff link (@oallain)
- #10233 Payment status at order history page (@AdamKasp)
- #10234 Orders shipment status (@Tomanhez)
- #10240 #9965 Feature/local in sylius install (@oallain)
- #10249 Browsing shipments (@AdamKasp)
- #10250 See Manage coupons from template edit promotion (@Tomanhez)
- #10258 Changing shipment state in shipment index (@AdamKasp)
- #10260 Show order directly from shipments page (@AdamKasp)
- #10271 select filter + filter shipment by state (@AdamKasp)
- #10281 Improved: Product fixture (fixed #10272) (@igormukhingmailcom)
- #10310 [PromotionCoupon] Non reusable coupons after cancelling the orders (@GSadee)
- #10316 [Admin][Product] Access the variants management from product edit page (@GSadee)
- #10318 [Admin][Promotion] Update promotion menu builder name to be consistent with other (@GSadee)
- #10346 Fix the master build by requiring ^1.5 Grid & GridBundle (@pamil)