Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Description
Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method (inherited from AbstractAdapterTrait) is documented to delete cache items whose key starts with $prefix.
In the non-versioning code path, the caller-supplied $prefix is concatenated into $namespace = $this->namespace.$prefix and passed to PdoAdapter::doClear(), which builds:
DELETE FROM WHERE LIKE '%'The value is interpolated directly into the SQL text and executed with PDO::exec(): $namespace is not bound. A caller able to influence $prefix can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics.
Most applications don't expose clear($prefix) to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself.
Resolution
AbstractAdapterTrait::clear() now rejects any $prefix containing characters outside [-+.A-Za-z0-9]: when an invalid prefix is supplied, the method logs a warning and returns false instead of reaching the SQL layer. This blocks quotes, %, null bytes and other characters that would let an attacker break out of the LIKE literal.
The patch for this issue is available here for branch 5.4.