GHSA-qhjc-hg94-245v: eZ Platform Prevent accepting app.php in URL in Platform.sh
The recommended rewrite rules in eZ Platform prevent users from including the front controller script (normally “app.php”) in URLs. This prevents certain vulnerabilities related to caching. However, these rewrite rules cannot be applied when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service), nor can the same restriction be configured in the .platform.app.yaml configuration file. Such requests therefore have to be rejected in the application itself. This security update adds the check to the front controller script.
If you use eZ Platform Cloud / Platform.sh, we recommend that you install this security update as soon as possible. It is distributed via Composer as ezsystems/ezplatform 1.7.9.1, 1.13.5.1, and 2.5.4. The fix is in this commit: https://github.com/ezsystems/ezplatform/commit/34ce86722b36a172e587068fe64a84faa7320cc2
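The kind of check described above, as an added example: this is not the code from the ezsystems/ezplatform commit, only a sketch of a front controller guard that refuses requests naming the script itself. The function name `pathNamesFrontController`, the file name `guard.php`, the sample URIs, the case-insensitive comparison and the 400 status are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the ezsystems/ezplatform patch.
// Returns true when any segment of the request path is the front controller script.
function pathNamesFrontController(string $requestUri, string $scriptFilename): bool
{
    $script = basename($scriptFilename);        // "app.php" in a default install
    $path = explode('?', $requestUri, 2)[0];    // drop the query string
    $path = rawurldecode($path);                // also catches /app%2Ephp
    foreach (explode('/', $path) as $segment) {
        // Assumption: compare case-insensitively, since some setups resolve APP.PHP too.
        if ($segment !== '' && strcasecmp($segment, $script) === 0) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample URIs; `php guard.php` prints the decision for each one.
    $samples = ['/', '/blog/my-post?page=2', '/app.php', '/app.php/blog/my-post',
                '/APP.php?x=1', '/app%2Ephp/blog', '/blog/app.phpx', '/search?q=app.php'];
    foreach ($samples as $uri) {
        $verdict = pathNamesFrontController($uri, '/srv/web/app.php') ? 'reject' : 'pass';
        printf("%-24s %s\n", $uri, $verdict);
    }
    exit(0);
}

// Web request: refuse before the application kernel is booted, so the same
// content is never served (or cached) under a second URL containing the script name.
$uri = $_SERVER['REQUEST_URI'] ?? '/';
$script = $_SERVER['SCRIPT_FILENAME'] ?? 'app.php';
if (pathNamesFrontController($uri, $script)) {
    http_response_code(400);                    // assumption: 400 is the chosen status
    header('Content-Type: text/plain; charset=utf-8');
    header('Cache-Control: no-store');          // keep the rejection itself out of caches
    echo "400 Bad Request\n";
    exit;
}
// The normal front controller bootstrap would continue from here.
```

In the constructed samples, only the four URIs whose path contains an `app.php` segment (including the upper-case and percent-encoded forms) are rejected; `app.php` appearing in a query string or as part of a longer file name passes.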
Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024
Package
ezsystems/ezplatform (Composer)
Affected versions
>= 2.5.0, < 2.5.4
>= 1.13.0, < 1.13.5.1
>= 1.7.0, < 1.7.9.1
Patched versions
2.5.4
1.13.5.1
1.7.9.1
Published to the GitHub Advisory Database
May 15, 2024
Last updated
May 15, 2024