CVE-2019-16768: Internal exception message exposure in login action.
Details:
Exception messages from internal exceptions (like database exception) are wrapped by
\Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI.
Therefore, some internal system information may leak and be visible to the customer.
A validation message with the exception details will be presented to the user when one will try to log into the shop.
Solution:
This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.
Details
- #10835 Improve deprecation message for "Sylius\Bundle\CoreBundle\Application\Kernel" (@pamil)
- #10837 Remove unused templating engine from RemoveAvatarAction (@pamil)
- #10841 [Docs] Include link to ShopApi docs to REST API Reference (@Zales0123)
- #10842 [Docs] Update core team (@lchrusciel)
- #10844 Clarify BC promise for final controllers (@pamil)
- #10846 [Order] Include order unit promotion adjustments and order item promotion adjustments in order promotion total (@Tomanhez)
- #10849 Move ShopApi reference to main menu (@Zales0123)
- #10853 [Behat][Admin][Order] Fix scenarios for displaying promotions on 1.6 after upmerge (@GSadee)
- #10855 [Docs] Open external links in a new tab (@Zales0123)
- #10857 Change readme banner (@kulczy)
- #10865 [Admin][Promotion] Fix the prevention of generating too many coupons (@GSadee)
- #10880 [Promotion] Improve coupon generation validation message (@GSadee)
- #10881 Add docs banner (@kulczy)
- #10889 [Fixtures] Update product names (@CoderMaggie)
- #10890 Fix build - remove redundant validation message part (@Zales0123)
- #10891 Update release process docs for 1.2 (@pamil)