In mid-March 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in the Dojo Toolkit. Details of the advisory may be found on the Dojo website:
In particular, several files in the Dojo tree were identified as potentially exploitable, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.
Since the files in question have been patched on the Dojo release branches, the only action needed was a new release that contains a new build of Dojo based on the current release branch. In addition, code was added to the Zend Framework Dojo build script to strip out all PHP files as an extra precaution.
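One way to apply the same precaution to a Dojo tree that is already deployed, as an added example (this is not the Zend Framework build script or Dojo's own code). The function names and the list of extensions treated as PHP are assumptions:

```shell
#!/bin/sh
# Added example: audit a deployed Dojo tree for PHP scripts and strip them.
# Assumption: a "PHP script" is any file or symlink with one of the
# extensions below (matched case-insensitively).

# Run find over the tree with the PHP name filter; extra args are find actions.
_php_find() {
    tree=$1
    shift
    find "$tree" \( -type f -o -type l \) \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) "$@"
}

# Print every PHP script found under the tree, one path per line.
list_php_scripts() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    _php_find "$1" -print
}

# Print how many PHP scripts the tree contains.
count_php_scripts() {
    list_php_scripts "$1" | wc -l | tr -d ' '
}

# Remove every PHP script, printing each path, then verify none remain.
# Returns non-zero if anything could not be removed.
strip_php_scripts() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    _php_find "$1" -print -exec rm -f -- {} +
    [ "$(count_php_scripts "$1")" -eq 0 ]
}

# Audit only (no deletion) when a tree path is given on the command line.
[ "$#" -eq 0 ] || list_php_scripts "$1"
```

Running the script with the path to the deployed tree only lists what it finds; call `strip_php_scripts` explicitly to delete, and treat a non-zero return as a failed cleanup.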
This particular vulnerability only affects those users who:
If you fall into one of these categories, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately, and redeploying Dojo from the Dojo packages supplied with Zend Framework:
Alternatively, upgrade from official Dojo packages, following the guidelines in the aforementioned advisory from the Dojo Foundation.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org