php · symfony/ux-autocomplete · Heads-up
symfony/ux-autocomplete: LIKE wildcard injection fix in EntitySearchUtil
What changed
EntitySearchUtil now escapes LIKE wildcards (% and _) and backslash in user-supplied queries, and adds an explicit ESCAPE clause to the LIKE expression.
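The fix described above, shown as an added example rather than the package's own code: a Doctrine QueryBuilder search clause in its unescaped form beside the escaped form with an explicit ESCAPE character. The entity alias and field name passed in are hypothetical, and the only assumed dependency is Doctrine ORM's QueryBuilder and its DQL `LIKE ... ESCAPE` syntax.

```php
<?php
// Added example, not code from symfony/ux-autocomplete. Assumes a Doctrine ORM
// QueryBuilder; the entity alias and field names ($alias, $field) are hypothetical.

use Doctrine\ORM\QueryBuilder;

/**
 * Escape the LIKE metacharacters in user input so the pattern matches the
 * literal text only. The backslash is in the list as well, so a user-supplied
 * "\" cannot cancel the escaping applied to a following "%" or "_".
 */
function escapeLikePattern(string $raw): string
{
    // addcslashes prefixes each listed character with a backslash:
    // "%" becomes "\%", "_" becomes "\_", "\" becomes "\\".
    return addcslashes($raw, '\\%_');
}

/**
 * Unescaped form (the behaviour the fix removes): the raw query is spliced
 * into the pattern, so a query of "%" matches every row and a query such as
 * "a_" matches any value starting with "a" followed by exactly one character.
 */
function addSearchUnescaped(QueryBuilder $qb, string $alias, string $field, string $query): QueryBuilder
{
    return $qb
        ->andWhere(sprintf('%s.%s LIKE :search', $alias, $field))
        ->setParameter('search', '%' . $query . '%');
}

/**
 * Escaped form: wildcards in the user input are neutralised and the DQL
 * expression states which character is the escape character, so the result
 * does not depend on the database platform's default escape handling.
 */
function addSearchEscaped(QueryBuilder $qb, string $alias, string $field, string $query): QueryBuilder
{
    // The PHP string "\\" is one backslash, so the DQL reads: ... LIKE :search ESCAPE '\'
    return $qb
        ->andWhere(sprintf("%s.%s LIKE :search ESCAPE '\\'", $alias, $field))
        ->setParameter('search', '%' . escapeLikePattern($query) . '%');
}
```

With a constructed query of `50%_off`, `escapeLikePattern()` returns `50\%\_off`, so the bound parameter `%50\%\_off%` matches only values containing that literal text instead of "50", any characters, any single character, "off". Keeping the escaping in the parameter value and the ESCAPE declaration in the DQL (never concatenating the query into the DQL string itself) is what keeps the search free of both wildcard injection and ordinary SQL injection.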
Who it affects
Applications using symfony/ux-autocomplete with Doctrine entities that have searchable_fields configured and whose autocomplete endpoint is publicly accessible (the default).
What to do today
Update symfony/ux-autocomplete to the latest patched version (2.x or 3.x) to prevent unauthenticated users from exploiting LIKE wildcards to match unintended rows or perform blind boolean oracle attacks.