Please refer to the original security advisory for the most updated information.
Impact:
This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.
However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
Patches:
Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.
Workarounds:
Unsupported versions could be patched by adding the following configuration to run in production:
sylius_channel:
debug: falseDetails:
Exception messages from internal exceptions (like database exception) are wrapped by
\Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI.
Therefore, some internal system information may leak and be visible to the customer.
A validation message with the exception details will be presented to the user when one will try to log into the shop.
Solution:
This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.
The last bugfix release for v1.4.x.
- #10641 [Documentation] Fixtures customization guides - fixes (@CoderMaggie, @Zales0123)
- #10645 [Docs] Fix Blackfire Ad (@Tomanhez)
- #10646 [Docs] Fix Ad (@Tomanhez)
- #10649 Update online course ad (@kulczy)
- #10652 Add Sylius 1.6 banner to the docs (@kulczy)
- #10680 Fix ChannelCollector related serialization issue in Symfony profiler (@ostrolucky)
- #10701 [Maintenance] Update docs with v1.6 (@lchrusciel)
- #10710 [Address book] Extensibility improvements (@cyrosy)
- #10713 [Behat] Improve dashboard page extensibility (@loic425)
- #10727 Fix channels label size and alignment (@kulczy)
- #10732 Update course ad (@kulczy)
- #10739 [Admin][Adressing] fixed province code validation regex (@twojtylak)
- #10395 [Docs] How to add your custom fixtures? (@Tomanhez)
- #10397 [Docs]How to add your custom fixture suites? (@Tomanhez)
- #10512 [Admin] Improve breadcrumbs (especially for ProductVariants and PromotionCoupons) (@CoderMaggie)
- #10540 Skip oauth_user_factory_is_not_overridden test if HWIOAuthBundle is not installed (@vvasiloi)
- #10553 Flags are not languages (@vvasiloi)
- #10558 Allow translation of custom labels (@Prometee)
- #10564 [Fixture] Improve order fixture (@Zales0123)
- #10571 Update custom-promotion-rule.rst (@jmwill86)
- #10579 Fix lazy choice tree will not automatically expanded (@tom10271)
- #10583 Enable sorting of customer orders in admin panel (@pamil)
- #10598 Add course ad (@kulczy)
- #10599 [Documentation] Delete additional lines to remove ShopBundle (@wpje)
- #10601 Change course CTA (@kulczy)
- #10603 [Shop] Promotion integrity checker fix (@lchrusciel)
- #10618 [Fixtures] Allow no shipping and payments in fixtures (@igormukhingmailcom, @Zales0123)
- #10624 Disable chrome autocomplete (@kulczy)
- #10626 [Fixture] Do not skip payments and shipments manually (@Zales0123)
- #10629 [Docs] Add missing items to customization guide menu (@Zales0123)
- #10633 Add Blackfire ad (@kulczy)
- #10634 Add Blackfire logo (@kulczy)
- #10165 Product attribute fixtures improvements (@Zales0123, @pamil)
- #10401 Psalm (@loic425, @pamil)
- #10464 Do not crash when duplicated locales are passed to the fixture (@pamil)
- #10468 Remove Symfony workarounds and add conflicts (@pamil)
- #10473 Update docs to follow Symfony 4 standards (@pamil)
- #10488 Marked router dependency as deprecated in admin ImpersonateUserController (@SebLours)
- #10489 Make it possible to have no shipping methods for Order fixtures (@TiMESPLiNTER)
- #10492 [Admin] Minor fixes customer group validation form (@Tomanhez)
- #10494 [UI] Fix button groups radius (@kulczy)
- #10498 Add search bar css rule for Firefox (@aloupfor)
- #10508 Revert "Make it possible to have no shipping methods for Order fixtures" (@lchrusciel)
- #10509 [Admin] Add link to product in variant breadcrumb (@Tomanhez)
- #10517 [Grid] Allow not to pass "apply_transition" button class (@Zales0123)
- #10525 Bump lodash from 4.17.11 to 4.17.14 (@dependabot[@bot])
- #10535 [Shop] Fix passed channel context service to be composite (@GSadee)
- #10548 [HotFix?] Move mysql service to fix the build (@Zales0123)
- #10191 [taxon_fixtures] Fix child taxon slug generation (@tannyl)
- #10371 [Docs] How to find out the resource config required when customizing models (@4c0n)
- #10384 "Getting Started with Sylius" guide (@Zales0123, @CoderMaggie)
- #10389 [UI] Hide filters by default on index pages (@Zales0123, @pamil)
- #10404 Fix huge autocomplete queries issue (@bitbager, @pamil)
- #10412 [Docs] Added tip for using group sequence validations (@4c0n)
- #10423 [Doc] End of bugfix support for 1.3 (@lchrusciel)
- #10426 Using client from browser kit component instead of http kernel component (@loevgaard)
- #10432 Add known errors section to UPGRADE file (@pamil)
- #10433 Bump fstream from 1.0.11 to 1.0.12 (@dependabot[@bot])
- #10440 Fix removing taxons with numeric codes from products (@vvasiloi)
- #10445 Fix typos and grammar in the Getting Started guide (@pamil)
- #10446 Update the 1.1 version status in the release process docs (@pamil)
- #10450 Fix interfaces mapping in Doctrine for admin user and shop user (@pamil)
- #10462 [Docs] Update Sylius versions in installation and contribution guides (@GSadee)
- #10228 Improve taxon UI (@kulczy, @Zales0123)
- #10290 [Docs] Update "Customizing Repositories" (@AdamKasp)
- #10299 [Docs] Update "Customizing Models" (@Tomanhez)
- #10314 [Docs] Update "Customizing Forms" (@Tomanhez)
- #10315 [Docs] Update "Customizing Factories" (@Tomanhez)
- #10330 [Docs] Update "Customizing Controllers" (@Tomanhez)
- #10344 [Docs] Update "Customizing Templates" (@Tomanhez)
- #10348 [Docs] Update "customizing menus" (@AdamKasp)
- #10349 [Docs] Update "Customizing Validation" (@AdamKasp)
- #10351 [Docs] Update "Customizing translations" (@AdamKasp)
- #10353 [Docs] Update "Customization flashes " (@AdamKasp)
- #10359 [Docs] Update "Customizing Grids" (@Tomanhez)
- #10363 [Behat][Shop] Wait for province form loading (@Zales0123)
- #10364 As an Administrator, I want always to have proper option values selected while editing a product variant (@Tomanhez, @monro93)
- #10365 [Admin][Promotion] Fix removing taxon used in promotion rule (@GSadee)
- #10372 Image display in edit form (@AdamKasp)
- #10375 [Docs] Update "Customizing State Machine" (@AdamKasp)
- #10378 update documentation how to use api (@CSchulz)
- #10386 [Build Fix][Behat] Change scenarios to @javascript due to taxon tree changes (@Zales0123)
- #10394 Fix error caused by the taxon tree (@kulczy)
- #10407 Bump the Sylius release versions in docs (@teohhanhui)
- #10414 Use HTTPS links when possible (@javiereguiluz)
- #10304 [Docs] Update contributing guide (@Tomanhez)
- #10308 Fix base locale (@igormukhingmailcom)
- #10309 Do not depend on transient dependencies for "symfony/intl" package (@pamil)
- #10320 fix OrderBundle depends on Core component #10319 ()
- #10324 Add a workaround for GridBundle & Symfony 4.2.7 to make tests passing (@pamil)
- #10325 Extract Mailer component & bundle (@pamil)
- #10326 [WIP] Extract Grid component & bundle (@pamil)
- #10327 [WIP] Extract Resource component & bundle (@pamil)
- #10328 Remove dead configuration related to pre-stable Sylius RBAC (@pamil)
- #10331 [Shop] Update grid action and filter keys to decouple shop from admin (@GSadee)
- #10335 Bring back "pay" grid action for backwards compatibility (@pamil)
- #10338 Removing unused service (@loevgaard)
- #10340 Fix #9646 by removing lambdas in JS file (@tchapi)
- #10341 Revert "Fix base locale" (@pamil)
- #10350 fix default repository for variant and association type resources (@loic425)
- #10352 Update documentation products.rst (@tom-schmitz)
- #10356 Quick fix product variants api invalid json (@shql)
- #10357 Fix wrong use statement in example (@teohhanhui)
- #10358 [Maintenance] Upgrade minimal jquery version (@lchrusciel)
- #10360 Revert "fix default repository for variant and association type resources" (@lchrusciel)
- #10362 Update release process with dates for 1.5 - 1.7 releases (@pamil)
- #10178 Wrong regular expression for locale (@superbull)
- #10276 Upgrade flex to use composer dump-env (@loic425)
- #10279 [Documentation][ResourceBundle] 7.1. Overriding the Template and Criteria invalid config (@kboduch)
- #10283 [UserBundle] Fix user comparaison on user delete listener (@loic425)
- #10289 Fix re-authenticating for impersonated users (@semin-lev, @lchrusciel)
- #10294 [Docs] Fix presentation of "How to configure mailer" cookbook (@theyoux)
- #10298 [DOC][Installation] Fix minor typo (@MatthieuCutin)
- #10301 Adopt Symfony 4 directory structure in docs (@pamil)
- #9902 [cs] remove unnecesary variables and if conditions (@TomasVotruba, @lchrusciel)
- #10116 Allow nullable shop billing data (@Zales0123, @pamil)
- #10197 [CoreBundle] oauth user provider fix (@kboduch)
- #10205 [Docs] Remove misleading channel context docs (@Zales0123)
- #10211 [Docs] Plugins section update (@CoderMaggie)
- #10213 Fix product form submit (@kulczy)
- #10214 Add behat/transliterator library (@mkalkowski83)
- #10215 Fix Sylius Grid on smaller screens (@kulczy)
- #10220 [Docs] Refresh the BDD guide (@pamil)
- #10221 [Docs] Refresh "Installation" section of the book (@pamil)
- #10222 [Docs] Refresh "Contributing code" section (@pamil, @CoderMaggie)
- #10230 [Docs] Roadmap Link (@CoderMaggie)
- #10231 [Docs] Core Team (@CoderMaggie)
- #10232 Make PR template great again (@Zales0123)
- #10237 Fixing incorrect location in documentation for turning off admin norifications (@officialbalazs)
- #10239 [Resource] [Grid] deprecation warning fixed for deprecated Resource drivers (@doctorx32)
- #10242 Fix variant without options values generation (@Tomanhez)
- #10243 Taxonomy tree modified - 'go level up' moved to the end of tree (@AdamKasp)
- #10246 [Phpspec] Add missing specs on customer core model (@loic425)
- #10247 Non consistent file names (@AdamKasp)
- #10254 Fix assertion's message for ProductOptionValueCollectionType (@diimpp)
- #10255 [HotFix] Conflict with Twig 2.7.3 that breaks themes bundle (@Zales0123)
- #10256 Revert "[HotFix] Conflict with Twig 2.7.3 that breaks themes bundle" (@pamil)
- #10259 [BuildFix] Ignore psalm annotations (@Zales0123)
- #10263 Fix a grammar mistake (@romankosiuh)
- #10264 Added a missing word (@romankosiuh)
- #10265 Add plugin-feature docs style (@kulczy)
- #10270 Update installation.rst (@GCalmels)
- #10278 Travis with mySQL 5.7 + product sorting fix (@Zales0123, @laSyntez)
- #10280 [Travis] Update mysql version to speed up builds (@Zales0123)
- #10126 [Docs] Change base dir for override config resources (@oallain)
- #10147 Remove flush() call, its done in the remover itself (@stefandoorn)
- #10156 Fix recent Composer deprecations (@pamil)
- #10157 Update to PHPUnit ^7.0 (@pamil)
- #10162 Change branches in Sylius PR template to supported ones (@Zales0123)
- #10164 Scaling text input field to keep enough room for the buttons (@4c0n)
- #10167 Cart flow documented (@bartoszpietrzak1994)
- #10169 Don't fail on billing or shipping address not set ver.2 (@DmitriyTrt, @Zales0123)
- #10171 Improve release process docs (@pamil)
- #10175 [Docs] Reverse parts in Custom Translatable Model (@xElysioN)
- #10182 Extract FixturesBundle (@pamil)
- #10184 Extract ThemeBundle (@pamil)
- #10185 Add Sylius demo link (@kulczy)
- #10186 Improve shop billing data edit scenario (@Zales0123)
- #10188 Extract Registry component (@pamil)
- PHP 7.3 support (#9914)
- Don't miss the v1.4.0-BETA.1's changelog below 🎉
- #9914 Include PHP 7.3 in the build (@pamil)
- #10112 [Documentation] Update Sylius config path (@jelen07)
- #10113 Require stable FOB/SymfonyExtension v2 (@pamil)
- #10117 Upgrade guide from
v1.3.Xtov1.4.0(@Zales0123) - #10118 [Product Review] fixed review validation when edited by admin (@kboduch)
- #10119 Using channel code in shipping method configuration (@nedac-sorbo)
- #10128 Syntax error in documentation (@hatem20)
- #10130 Upgrade guide from v1.2.x to v1.4.0 (@Zales0123)
- #10132 Add missing Length constraint on product translation slug (@venyii)
- #10135 Move bundle registration from Kernel class to "bundles.php" (@pamil)
- #10136 [HotFix] 500 on taxons list error fix (, @Zales0123)
- #10140 Use phpspec 5.0 in packages (@pamil)
- #10141 [1.1] Fix select attributes according to recent Symfony form changes (@Zales0123)
- #10145 Make build passing for TaxonomyBundle (@pamil)
- Switched the default password hashing algorithm to
argon2i(#10008, #10080, #10084) - Changed dotenv files handling as according to Symfony's policy (#10089)
- Upgraded Behat infrastructure to use FriendsOfBehat\SymfonyExtension v2 (#10102)
- #9677 Deprecate passing container to ORMTranslatableListener (@kayneth)
- #9794 [CoreBundle] First address in the address book should be made default (@kayneth)
- #9917 Improve taxon fixtures with translations (@loic425)
- #9962 Added tax category in shipping method fixture (@mamazu)
- #9962 Deprecated not passing shipping category repository to shipping method fixture (@mamazu)
- #9964 Making templates deprecated (@mamazu)
- #9983 Fix #9899 (main taxon autocomplete drop down now contain full taxon name - with all parents) (@igormukhingmailcom)
- #10008 ShopUser class is now EncoderAware to provide more flexibility for ch… ()
- #10046 Enable strict validation for email (@fendrychl)
- #10062 Make possible to autowire services generated by ResourceBundle (@pamil)
- #10067 Add support for Symfony 4.2 (@pamil)
- #10079 [Channel] Shop billing data (@Zales0123)
- #10080 Password hashing - multiple encoders support (@pamil)
- #10084 Password hashing - update encoder on login (@pamil)
- #10089 Switch to Symfony's dotenv file handling (@pamil)
- #10090 Switch to DoctrineMigrationsBundle 2.0 (@Zales0123)
- #10091 Create aliases for named Sylius services (@pamil)
- #10102 Use FriendsOfBehat\SymfonyExtension v2 (@pamil)