Exception message escaping in ErrorHandler for Symfony


No pandemic, earthquake or cold weather could stop Infigo IS' pen testers from finding a bug in the popular Symfony framework

Symfony, a popular set of decoupled and reusable PHP components used by many PHP applications, was leaking more information than it should have. Our resident PHP expert, Luka Sikic, made Symfony's ErrorHandler render exception stack trace information in a non-debug environment.
What does that mean? Exception handling in PHP decides how the normal flow of code execution changes when an error (exception) occurs. Programmers use it when they want to see how the error occurred, and that is usually reserved for a debug mode in which errors are tracked and fixed. And that is all legit.
The ErrorHandler class rendered the stack trace (the flow of program execution) for the whole world to see, outside the debug environment. As you might assume, that is a security problem.
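To make the point concrete, here is an added illustration (our own example, not Symfony's ErrorHandler code) of how an error renderer should let the debug flag decide what reaches the browser: in production only a generic page, in debug mode the message and trace, escaped before output. The function and variable names are this example's own.

```php
<?php
// Minimal error renderer: the debug flag gates what the client sees.
// Example code, not Symfony's own; render_error is a name chosen here.
declare(strict_types=1);

function render_error(Throwable $e, bool $debug): string
{
    if (!$debug) {
        // Production: no message, no trace, no class name in the response.
        // Keep the detail server-side for the people who fix the bug.
        error_log(sprintf('[%s] %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        return '<h1>500 Internal Server Error</h1>';
    }

    // Debug: show everything, but escape it first so a message that carries
    // markup (for instance one built from request data) is displayed, not rendered.
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return sprintf(
        "<h1>%s: %s</h1>\n<pre>%s</pre>",
        $esc(get_class($e)),
        $esc($e->getMessage()),
        $esc($e->getTraceAsString())
    );
}

// Constructed input: an exception whose message contains HTML markup.
$e = new RuntimeException('User <b>guest</b> not found');

echo "--- debug=false (production) ---\n", render_error($e, false), "\n\n";
echo "--- debug=true (development) ---\n", render_error($e, true), "\n";
```

Run it with `php file.php`: the production branch prints only the generic heading, while the debug branch prints the escaped message (`&lt;b&gt;guest&lt;/b&gt;`) followed by the trace.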

Symfony has more than 48 million downloads per month, so the user base is huge. Affected versions were 4.4.0 to 4.4.3 and 5.0.0 to 5.0.4. Luckily, the bug is fixed and all users should update to the newer versions (current are 4.4.7 and 5.0.7). You can read more about the problem on the official Symfony blog.