VYPR
High severity · NVD Advisory · Published Jun 2, 2014 · Updated May 6, 2026

CVE-2013-1348

Description

The Yaml::parse function in Symfony 2.0.x before 2.0.22 allows remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.
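The description above is terse, so here is an added example (written for this page, not code from the advisory or the Symfony project) of how a defender uses the 2.0.22 API safely. It relies on two facts visible in the fix commit further down: the new `Yaml::$enablePhpParsing` flag still defaults to true, and `Yaml::parse()` only takes the `is_file()`/`include()` branch when its argument contains no newline and names an existing file. The example therefore switches the flag off and, independently of the flag, always hands file contents rather than a path to the parser. The autoloader path and the configuration-directory check are assumptions for the sake of a runnable script; the code avoids PHP 5.4+ syntax because 2.0.x deployments of that era ran on PHP 5.3.

```php
<?php
// Added example, not part of the advisory or of Symfony itself.
// Assumes a Composer autoloader at this path.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Yaml;

// 1. Opt out of the legacy PHP include behaviour process-wide, as early as
//    possible in the bootstrap. Upgrading to 2.0.22 alone does not do this:
//    the flag introduced by the fix defaults to true.
Yaml::setPhpParsing(false);

/**
 * Loads a YAML file by reading it here and passing the *contents* to
 * Yaml::parse(). Because the argument is file content (and normally contains
 * newlines), parse() never reaches its is_file()/include() branch, whatever
 * the global flag is set to.
 *
 * @param string $path       file to load
 * @param string $allowedDir directory the file must live under (assumption:
 *                           callers keep all config in one directory)
 *
 * @return array
 */
function loadYamlConfig($path, $allowedDir)
{
    $real = realpath($path);
    $base = realpath($allowedDir);

    // Refuse anything that is not a regular file inside the allowed directory,
    // so a caller-supplied name cannot point the loader at arbitrary files.
    if ($real === false || $base === false
        || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException(
            sprintf('"%s" is not a configuration file under "%s".', $path, $allowedDir)
        );
    }

    $content = file_get_contents($real);
    if ($content === false) {
        throw new RuntimeException(sprintf('Unable to read "%s".', $real));
    }

    // Content, never a path, goes to the parser.
    $parsed = Yaml::parse($content);

    return is_array($parsed) ? $parsed : array();
}

// 2. Self-check at the end of bootstrap: fail loudly if some other code
//    re-enabled PHP parsing behind our back (the flag is a public static).
if (Yaml::supportsPhpParsing()) {
    throw new RuntimeException('PHP parsing in Yaml::parse() must stay disabled.');
}

// Usage (assumed layout): $config = loadYamlConfig(__DIR__ . '/config/app.yml', __DIR__ . '/config');
```

The two measures are deliberately independent: the flag protects every existing `Yaml::parse($path)` call site you have not yet reviewed, while the content-passing wrapper protects new code even if the flag is flipped back on or the application later moves to a version where the flag no longer exists.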

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions    Patched versions
symfony/symfony  Packagist   >= 2.0.0, < 2.0.22   2.0.22
symfony/yaml     Packagist   >= 2.0.0, < 2.0.22   2.0.22

Affected products

  • Sensiolabs/Symfony (22 versions)
    • cpe:2.3:a:sensiolabs:symfony:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:sensiolabs:symfony:2.0.9:*:*:*:*:*:*:*

Patches

1 patch: ac756bf39e64

added a way to enable/disable PHP support when parsing a YAML input via Yaml::parse()

https://github.com/symfony/symfony · Fabien Potencier · Jan 17, 2013 · via ghsa
1 file changed · +61 −12
  • src/Symfony/Component/Yaml/Yaml.php (+61 −12, modified)
    @@ -22,6 +22,53 @@
      */
     class Yaml
     {
    +    /**
    +     * Be warned that PHP support will be removed in Symfony 2.3.
    +     *
    +     * @deprecated Deprecated since version 2.0, to be removed in 2.3.
    +     */
    +    static public $enablePhpParsing = true;
    +
    +    /**
    +     * Enables PHP support when parsing YAML files.
    +     *
    +     * Be warned that PHP support will be removed in Symfony 2.3.
    +     *
    +     * @deprecated Deprecated since version 2.0, to be removed in 2.3.
    +     */
    +    public static function enablePhpParsing()
    +    {
    +        self::$enablePhpParsing = true;
    +    }
    +
    +    /**
    +     * Sets the PHP support flag when parsing YAML files.
    +     *
    +     * Be warned that PHP support will be removed in Symfony 2.3.
    +     *
    +     * @param Boolean $boolean true if PHP parsing support is enabled, false otherwise
    +     *
    +     * @deprecated Deprecated since version 2.0, to be removed in 2.3.
    +     */
    +    public static function setPhpParsing($boolean)
    +    {
    +        self::$enablePhpParsing = (Boolean) $boolean;
    +    }
    +
    +    /**
    +     * Checks if PHP support is enabled when parsing YAML files.
    +     *
    +     * Be warned that PHP support will be removed in Symfony 2.3.
    +     *
    +     * @return Boolean true if PHP parsing support is enabled, false otherwise
    +     *
    +     * @deprecated Deprecated since version 2.0, to be removed in 2.3.
    +     */
    +    public static function supportsPhpParsing()
    +    {
    +        return self::$enablePhpParsing;
    +    }
    +
         /**
          * Parses YAML into a PHP array.
          *
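Review bot: `$enablePhpParsing` is initialised to `true` (`static public $enablePhpParsing = true;`), so the `include()` path this advisory is about stays active for every application that upgrades to 2.0.22 without also calling `Yaml::setPhpParsing(false)`; since the same docblocks already mark the feature `@deprecated` and slated for removal in 2.3, defaulting to `false` (or, if backwards compatibility forbids that, saying in the property docblock that `false` is the safe value) would make the upgrade itself the fix. Minor: the property is `public`, so any code can flip it back on directly; keeping it private behind the three accessors would leave one place to audit.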
    @@ -44,27 +91,29 @@ class Yaml
          */
         public static function parse($input)
         {
    -        $file = '';
    -
             // if input is a file, process it
    +        $file = '';
             if (strpos($input, "\n") === false && is_file($input)) {
                 if (false === is_readable($input)) {
                     throw new ParseException(sprintf('Unable to parse "%s" as the file is not readable.', $input));
                 }
     
                 $file = $input;
    +            if (self::$enablePhpParsing) {
    +                ob_start();
    +                $retval = include($file);
    +                $content = ob_get_clean();
     
    -            ob_start();
    -            $retval = include($input);
    -            $content = ob_get_clean();
    -
    -            // if an array is returned by the config file assume it's in plain php form else in YAML
    -            $input = is_array($retval) ? $retval : $content;
    -        }
    +                // if an array is returned by the config file assume it's in plain php form else in YAML
    +                $input = is_array($retval) ? $retval : $content;
     
    -        // if an array is returned by the config file assume it's in plain php form else in YAML
    -        if (is_array($input)) {
    -            return $input;
    +                // if an array is returned by the config file assume it's in plain php form else in YAML
    +                if (is_array($input)) {
    +                    return $input;
    +                }
    +            } else {
    +                $input = file_get_contents($file);
    +            }
             }
     
             $yaml = new Parser();
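Review bot: inside the `if (self::$enablePhpParsing)` branch the array case is handled twice, `$input = is_array($retval) ? $retval : $content;` immediately followed by `if (is_array($input)) { return $input; }` under a second copy of the same comment; `if (is_array($retval)) { return $retval; } $input = $content;` says the same thing once. In the `else` branch, `file_get_contents($file)` can still return `false` (the earlier `is_readable()` check is a separate call, not a guarantee); guarding it with the same `ParseException` used for the unreadable-file case would avoid passing `false` on as the YAML input.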
    

References (11)

News mentions (0)

No linked articles in our index yet.