
CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Symfony Blog

Affected versions

Symfony HTTP Foundation component versions <5.4.50, >=6 and <6.4.29, and >=7 and <7.3.7 are affected by this security issue.

The issue has been fixed in Symfony 5.4.50, 6.4.29, and 7.3.7.

Description

The Request class misparses certain PATH_INFO values, so that some URLs end up represented with a path that does not start with a /. Access control rules written on the assumption that every path starts with a / can then be bypassed for those URLs.

Resolution

The Request class now ensures that URL paths always start with a /.
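To make the failure mode and the fix concrete, here is an added illustration (not Symfony's own code): a prefix-anchored access rule silently misses a path that lacks the leading /, and a normalization step of the kind described in the resolution restores the match. The rule, the helper names and the sample paths are constructed for this example and are not the inputs from the advisory.

```php
<?php
// Added illustration, not Symfony's code: why a missing leading "/" defeats
// prefix-based access rules, and the normalization that closes the gap.
// The PATH_INFO values below are constructed; they are not from the advisory.

/** Minimal access-control map keyed by regex, in the "^/admin" style. */
const ACCESS_RULES = [
    '#^/admin#' => 'ROLE_ADMIN',
];

/** Return the role a path requires, or null if no rule restricts it. */
function requiredRole(string $path): ?string
{
    foreach (ACCESS_RULES as $pattern => $role) {
        if (preg_match($pattern, $path) === 1) {
            return $role;
        }
    }
    return null;
}

/** Defensive normalization: a request path must always start with "/". */
function normalizePath(string $pathInfo): string
{
    return ($pathInfo === '' || $pathInfo[0] !== '/') ? '/' . $pathInfo : $pathInfo;
}

// Constructed sample: the same resource with and without the leading "/".
$samples = ['/admin/users', 'admin/users'];

foreach ($samples as $raw) {
    $before = requiredRole($raw) ?? 'none';
    $after  = requiredRole(normalizePath($raw)) ?? 'none';
    printf("%-14s unnormalized: %-10s normalized: %s\n", $raw, $before, $after);
}
```

The second sample is the case the advisory describes: without normalization the rule does not fire and the request is treated as unrestricted, while after normalization both spellings resolve to ROLE_ADMIN.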

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.



Original article

https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass?utm_source=Symfony%20Blog%20Feed&utm_medium=feed
