Sylius/Sylius v1.5.9

on GitHub

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

Details

• #9050 Added LazyCustomerLoader for OrderType of SyliusAdminApiBundle (@jdeveloper, @lchrusciel)
• #9844 Fix ShippingPercentageDiscountPromotionActionCommand.php (@cosyz2010, @Zales0123)
• #10863 [SyliusUserBundle] Improve output of Promote/DemoteUserCommand (@markbeazley)
• #10901 Fix missing colon (@reyostallenberg)
• #10909 [Taxation] [Shipping] Fixed issue with shipping zones available to select in tax rate form (and the other way) (@plewandowski)
• #10916 [Docs] Improve platform.sh documentation for deployment (@Tomanhez)
• #10922 fix: api URI for getting single product detail (@hsharghi)
• #10923 [Maintenance] Update PR template with supported versions (@lchrusciel)
• #10926 Add lint:container command to the build & fix errors reported by it (@pamil)
• #10935 [Docs] Platform.sh cookbook refinement (@CoderMaggie)
• #10938 [Payum][Paypal] Use full price instead of discounted one (@Prometee)
• #10943 Yaml standards (@sspooky13, @pamil)
• #10947 [Channel] Prevent from adding default tax zone of a channel in a different scope than tax or all (@GSadee)
• #10961 [Maintenance] Remove shipping bundle from spec namespace config (@lchrusciel)
• #10963 Fix phpspec also on 1.5 (@Zales0123, @pamil)
• #10964 [Behat] Disallow w3c in Behat Selenium session (@Zales0123)
• #10979 [Installation] Inform about BitBagCommerce/SyliusCmsPlugin after installing Sylius (@AdamKasp)
• #10995 Move Taxation core service from TaxationBundle to CoreBundle (@hmonglee)
• #11005 SyliusGridBundle downgrade lock (@Tomanhez, @lchrusciel)
• #11006 [API] Fixed OrderController save action issue in not html requests (@pfazzi)
• #11013 Fix typo in PromotionCouponFactoryInterface (@pamil)
• #11019 [Documentation] Add hint about disabling autowire when extending a controller (@adrianmarte)
• #11022 Clarify release process regarding PHP versions + update the table (@pamil)
• #11024 Replace unbound behat/mink dependency with tagged friends-of-behat/mink fork (@pamil)