Symfony security concerns and other issues

First, I’m going to point out that I do love symfony – I’m mostly happy with it, and I’m an active member of the community. I certainly appreciate the effort put in by Fabien and everyone else who’s worked on the symfony project – it’s a fantastic achievement. However, there are a couple of things which really wind me up, and I’m concerned they aren’t going to change.

One thing that’s been pointed out several times in the past is that the symfony website is very unreliable. I personally found the hosting so unstable that I set up an SVN mirror – and there have been requests for an official symfony mirror. That request, however, went unanswered. Does it matter if the symfony site goes down? Personally I think it matters, both for Sensio and for symfony. If Sensio can’t keep the symfony site itself running, doesn’t that set a bad image for the project? It also sets a really bad image for Sensio themselves – if they can’t maintain a site’s uptime, would you want to use them for consultancy on your own projects?

My other main concern is the way security is handled. Today I noticed in the SVN logs that Ticket #1617 had been closed. This security issue has been open for a year! I also reported this issue over 2 years ago. There was no ‘official’ security advisory made about it – nor about other issues that have occurred.

In my opinion, mentioning these security issues only in the revision log or the blog is not enough. There should be mails to the dev/user lists – and a security procedure in place to handle issues. In the past someone came onto IRC concerned that a security issue they had reported to Fabien personally by email – bypassing validation by using different HTTP verbs – was being ignored. I’m sure Fabien is a busy man, but the symfony website needs to document how these things are handled. I can’t remember the outcome of this issue, and Google didn’t tell me much – maybe it was a non-issue, but if it wasn’t, no security advisory was released.

Other security issues have been discussed, such as the security of the _dev.php front controllers and the default file permissions. In my opinion these issues haven’t really been addressed – and I would consider both of them critical.
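The post names the _dev.php front controllers as a concern without detail. As an added illustration (not code from this post or from the symfony project), here is the defensive pattern for such a controller: refuse any request that does not come from an explicitly allowed address before the application bootstraps. The allowed-address list and the function name are assumptions for this example.

```php
<?php
// Added example (not the post's or symfony's own code): a guard placed at
// the top of a development front controller such as web/frontend_dev.php.
// Debug controllers expose configuration, query logs and stack traces, so
// they should not be reachable by arbitrary clients on a production host.

// Addresses permitted to use the dev controller. Loopback only by default;
// extending this list is an assumption left to the deployment.
$allowedDevClients = array('127.0.0.1', '::1');

/**
 * Returns true only when the remote address matches an allowed entry exactly.
 * Deliberately ignores X-Forwarded-For: that header is client-controlled
 * unless a trusted proxy overwrites it, so it must not drive this decision.
 */
function devControllerAllowed($remoteAddr, array $allowed)
{
    return in_array($remoteAddr, $allowed, true);
}

$remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if (!devControllerAllowed($remoteAddr, $allowedDevClients)) {
    header('HTTP/1.1 403 Forbidden');
    // Keep the message generic: do not reveal paths or the allowed list.
    die('Forbidden');
}

// The normal symfony dev-environment bootstrap would follow from here.
```

A guard in PHP only helps if the file is actually executed; the stronger control is to keep dev controllers out of production deployments altogether, or to deny them at the web server (for Apache 2.2 a `<FilesMatch "_dev\.php$">` block with `Deny from all`), so the check above is a second layer rather than the only one.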

I accept that symfony is an open source project, and that we could fix these issues amongst the community – but I feel Sensio have an important role to play in this. Sensio understandably keep a very tight grip on the project, but in doing so they take on certain responsibilities. I would like to see more active discussion of security-related issues on the dev list – with more involved responses from Sensio. I’d like to see an announce mailing list where security and release information is published. I’d like to see current security issues highlighted and made VERY clear on the main website.

I’d like a security reporting system documented and clearly linked from the ticketing system, so there’s a clear channel to report security concerns, knowing they will be dealt with.

9 thoughts on “Symfony security concerns and other issues”

  1. I think we should discuss these issues on the dev mailing list. In fact, I think you should repost a more constructive version of this post to the mailing list.

    Also, we do have weekly blog posts that show the changes, and if people have security concerns it is their responsibility to bring the issues up in the mailing list.

    I do agree the symfony-project.com has had issues, but they are not issues with the framework itself, but rather server/network issues. I do agree we should have a static mirror available.

  2. Wow, I did not imagine problems like that could exist in the framework. I totally agree with you there must be a system where people could find this useful information.

    (btw, I’m gonna patch right now some sites where that could be a complete disaster)

    Thanks.

  3. You’re right that this should be brought up on the mailing list – but some of these issues already have.

    I’ll admit I’m playing the devil’s advocate, but I really do think it’s important that these issues are handled.

    I don’t think the mailing list is the right place for all security issues, but the right place for discussing where the right place to discuss it is!

    There are 100s (1000s probably) of sites out there that run symfony – I run a few – and the uptime of those is very good. However when it comes to the main symfony website – it’s very important for the image of symfony that it’s up. It doesn’t matter if it’s down due to symfony, or a disk failure – 24/7 monitoring should be in place making sure that we’re not being let down by the site.

  4. We had problems with the symfony project hosting in the past and we switched to another hosting company some time ago to provide a better service to the community (http://www.symfony-project.org/blog/2007/10/15/good-bye-azur-welcome-hippocampe). So, now we do have 24/7 monitoring in place. The reliability problems we had during the last 4 weeks were quite tricky to identify and solve. But the good news is that they have been solved last week and now that the server is stable, we will definitely post something on the blog to explain the issue. I think the reliability problem is now behind us.

    As far as security or major problems are concerned, I’m with you. We need to be better organized and we really need more people to be involved in the core team. People like Dustin, Fabian, or Carl already do a tremendous amount of work with ticket qualification, bug fixing, patches, new features implementation, … but we need more.

    On a side note, you have write access to the whole symfony repository, so feel free to fix such issues by yourself. Ticket #1617 has been fixed yesterday and Gregoire is going to release symfony 1.0.16 today with some explanation on the issue.

    So, now, let’s start a discussion on the dev mailing-list to improve the way the symfony community works.

  5. The site has been up and down for me plenty this week and last. I thought it was a dodgy DNS at work – it seemed to work at home more – so glad it’s not just me.

    FWIW, a security portal or part of the project that specifically looks after security is a good idea. This could be Sensio, or they may be happy to farm it out to trusted members of the community (as you say, they are probably busy, so this might require volunteers).

  6. I’m a fan of the framework too, but they really need to get some hardened security guys in the team. Most open source seems to lack this and I think it would clamp down the shocking amount of vulnerabilities there are.

  7. I think this post should be reviewed since Symfony 1.2 and newer versions are now better organized to take care of security issues.
