CVE-2018-19789: Unrestricted Upload of File with Dangerous Type

December 18, 2018 (updated May 10, 2019)

When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that’s the data_class of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then UploadedFile::__toString() is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

References

symfony.com/cve-2018-19789

Code Behaviors & Features

Detect and mitigate CVE-2018-19789 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →