From d699a2db809e64ef729f93f5ec2f820b2913a0f7 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Fri, 3 Apr 2020 21:22:13 +0200
Subject: [PATCH] Fix major security by overriding Symfony ExpressionLanguage default constant() method. The ExpressionLanguage is used by ruler for conditional group and could have been leverage to guess constants values such as db credentials

---
 controllers/internals/ExpressionProvider.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/controllers/internals/ExpressionProvider.php b/controllers/internals/ExpressionProvider.php
index 7c36bae..b02f070 100644
--- a/controllers/internals/ExpressionProvider.php
+++ b/controllers/internals/ExpressionProvider.php
@@ -18,7 +18,17 @@ class ExpressionProvider implements ExpressionFunctionProviderInterface
 {
     public function getFunctions()
     {
+        //Override default constant() function to make it return null
+        //This will prevent the use of constant() func to read constants with security impact (such as session, db credentials, etc.)
+        $neutralized_constant = new ExpressionFunction('constant', function ($str) {
+            return null;
+        }, function ($arguments, $str) {
+            return null;
+        });
+
+        return [
+            $neutralized_constant,
             ExpressionFunction::fromPhp('is_null', 'exists'),
             ExpressionFunction::fromPhp('mb_strtolower', 'lower'),
             ExpressionFunction::fromPhp('mb_strtoupper', 'upper'),