Security

Latest News

GHSA-mrqx-rp3w-jpjp: Symfony vulnerable to open redirect via browser-sanitized URLs

### Description

The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain.

### Resolution

The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4.

### Credits

We would like to thank Sam Mush for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-g3rh-rrhp-jhh9: Symfony has an incorrect response from Validator when input ends with `\n`

### Description

It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacter, with an input ending with `\n`.

### Resolution

Symfony now uses the `D` regex modifier to match the entire input.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4.

### Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

GHSA-9c3x-r3wp-mgxm: Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

### Description

When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

### Resolution

The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4.

### Credits

We would like to thank Linus Karlsson for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-jxgr-3v7q-3w9v: Symfony's `Security::login` does not take into account custom `user_checker`

### Description

The custom `user_checker` defined on a firewall is not called when logging in programmatically with the `Security::login` method, leading to unwanted login.

### Resolution

The `Security::login` method now ensures that the configured `user_checker` is called.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4.

### Credits

We would like to thank Oleg Andreyev and Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

GHSA-x8vp-gf4q-mw5j: Symfony allows changing the environment through a query

### Description

When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

### Resolution

The `SymfonyRuntime` now ignores the `argv` values for non-CLI SAPI PHP runtimes.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4.

### Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

How to Outsmart Stealthy E-Crime and Nation-State Threats

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. "Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute

8 security tips for small businesses

Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

How Playing Cyber Games Can Help You Get Hired

When it comes to landing a job in cybersecurity, what does it take to stand out from the pack? Try playing games.