Sylius v1.5.8 Release Notes
Release Date: 2019-12-05
CVE-2019-16768: Internal exception message exposure in login action.
Details:
Exception messages from internal exceptions (such as a database exception) are wrapped by
\Symfony\Component\Security\Core\Exception\AuthenticationServiceException
and propagated through the system to the UI.
Therefore, some internal system information may leak and be visible to the customer: a validation message containing the exception details is presented to the user when they try to log into the shop.
Solution:
This release patches the reported vulnerability. The
src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
file from Sylius should be overridden and the expression {{ messages.error(last_error.message) }}
changed to {{ messages.error(last_error.messageKey) }}.
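The following PHP script is an added example written for these notes; it is not Sylius or Symfony code. It assumes symfony/security-core is installed through Composer (vendor/autoload.php) and that overridden templates live under ./templates; the database error text is constructed. It shows why last_error.message leaks internal detail while last_error.messageKey does not, and scans overridden Twig templates for the unsafe expression.

```php
<?php
// Added example, not Sylius or Symfony code. Assumes symfony/security-core is
// installed via Composer; the class below is the real Symfony class, the
// database error text is constructed for the demonstration.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;

// Reproduce the situation from the advisory: an internal failure during
// authentication is wrapped in an AuthenticationServiceException whose
// message is the internal exception text, verbatim.
function wrapInternalFailure(): AuthenticationServiceException
{
    $internal = new \RuntimeException(
        'SQLSTATE[HY000] [2002] Connection refused (host db-primary.internal:3306)' // constructed
    );

    return new AuthenticationServiceException($internal->getMessage(), 0, $internal);
}

$error = wrapInternalFailure();

// What {{ messages.error(last_error.message) }} renders: Twig's .message
// calls getMessage(), i.e. the internal text above ends up on the login page.
echo "message:    ", $error->getMessage(), PHP_EOL;

// What {{ messages.error(last_error.messageKey) }} renders: Twig's .messageKey
// calls getMessageKey(), a fixed generic key defined by the exception class
// ("Authentication request could not be processed due to a system problem.")
// that is intended to be shown to users, normally after translation.
echo "messageKey: ", $error->getMessageKey(), PHP_EOL;

// Check for overridden login templates: flag every .twig file that still
// renders last_error.message rather than last_error.messageKey.
function findUnsafeLoginTemplates(string $dir): array
{
    $hits = [];
    if (!is_dir($dir)) {
        return $hits;
    }
    $files = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($dir));
    foreach ($files as $file) {
        if (!$file->isFile() || substr($file->getFilename(), -5) !== '.twig') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        // Match ".message" only when it is not the start of ".messageKey".
        if (preg_match('/last_error\.message(?!Key)\b/', $source)) {
            $hits[] = $file->getPathname();
        }
    }

    return $hits;
}

foreach (findUnsafeLoginTemplates(__DIR__ . '/templates') as $path) {
    echo "still renders last_error.message: {$path}", PHP_EOL;
}
```

Run it with php on the project root after the template override is in place; an empty scan result means no overridden template still renders the raw exception message.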
Details
- #10835 Improve deprecation message for "Sylius\Bundle\CoreBundle\Application\Kernel" (@pamil)
- #10841 [Docs] Include link to ShopApi docs to REST API Reference (@Zales0123)
- #10846 [Order] Include order unit promotion adjustments and order item promotion adjustments in order promotion total (@Tomanhez)
- #10849 Move ShopApi reference to main menu (@Zales0123)
- #10855 [Docs] Open external links in a new tab (@Zales0123)
- #10857 Change readme banner (@kulczy)
- #10880 [Promotion] Improve coupon generation validation message (@GSadee)
- #10881 Add docs banner (@kulczy)
- #10891 Update release process docs for 1.2 (@pamil)