symfony 1.0.11 has a remote form validation bypass on case-sensitive operating systems. http://trac.symfony-project.com/ticket/1617 Upgrading to 1.0.16 resolves the issue. Reproducible: Always
Is this validator supposed to be used as a security mechanism?
Well, I don't know who is expected to comment here. As nobody else did, I'm replying, but I don't have any real new information, sorry. From my reading of the upstream ticket, I'd say yes, this validator looks like a security measure (and is very likely to be the only hurdle against any attacks, as far as I can see). I could bump symfony if you beat me to, but I have no easy way to test it. Anyone around for testing? CC'ing webapps, maybe they know of any test procedures or want to take over the package. :P
Moved package to webapps herd. Bumped to 1.0.16. Unstable on all archs. Removed vulnerable versions. webapps done.
Thanks, closing without GLSA.