Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
The sandbox is disabled globally;
The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance;
The included template has been loaded before the include() call but in a non-sandbox context (possible as the sandbox has been globally disabled).
Resolution
The patch ensures that the sandbox security checks are always run at runtime.
Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
Release Notes
twigphp/Twig (twig/twig)
### [`v3.11.1`](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1)
### [`v3.11.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3110-2024-08-08)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.3...v3.11.0)
- Add `Twig\Cache\ChainCache` and `Twig\Cache\ReadOnlyFilesystemCache`
- Add the possibility to deprecate attributes and nodes on `Node`
- Add the possibility to add a package and a version to the `deprecated` tag
- Add the possibility to add a package for filter/function/test deprecations
- Mark `ConstantExpression` as being `@final`
- Add the `find` filter
- Fix optimizer mode validation in `OptimizerNodeVisitor`
- Add the possibility to yield from a generator in `PrintNode`
- Add the `shuffle` filter
- Add the `singular` and `plural` filters in `StringExtension`
- Deprecate the second argument of `Twig\Node\Expression\CallExpression::compileArguments()`
- Deprecate `Twig\ExpressionParser\parseHashExpression()` in favor of
`Twig\ExpressionParser::parseMappingExpression()`
- Deprecate `Twig\ExpressionParser\parseArrayExpression()` in favor of
`Twig\ExpressionParser::parseSequenceExpression()`
- Add `sequence` and `mapping` tests
- Deprecate `Twig\Node\Expression\NameExpression::isSimple()` and
`Twig\Node\Expression\NameExpression::isSpecial()`
### [`v3.10.3`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3103-2024-05-16)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.2...v3.10.3)
- Fix missing ; in generated code
### [`v3.10.2`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3102-2024-05-14)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.1...v3.10.2)
- Fix support for the deprecated escaper signature
### [`v3.10.1`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3101-2024-05-12)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.0...v3.10.1)
- Fix BC break on escaper extension
- Fix constant return type
### [`v3.10.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3100-2024-05-11)
[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.3...v3.10.0)
- Make `CoreExtension::formatDate`, `CoreExtension::convertDate`, and
`CoreExtension::formatNumber` part of the public API
- Add `needs_charset` option for filters and functions
- Extract the escaping logic from the `EscaperExtension` class to a new
`EscaperRuntime` class.
The following methods from `Twig\\Extension\\EscaperExtension` are
deprecated: `setEscaper()`, `getEscapers()`, `setSafeClasses`,
`addSafeClasses()`. Use the same methods on the
`Twig\\Runtime\\EscaperRuntime` class instead.
- Fix capturing output from extensions that still use echo
- Fix a PHP warning in the Lexer on malformed templates
- Fix blocks not available under some circumstances
- Synchronize source context in templates when setting a Node on a Node
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
^3.8.0
->^3.11.1
GitHub Vulnerability Alerts
CVE-2024-45411
Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
include()
function which references a template name (likeincluded.twig
) and not aTemplate
orTemplateWrapper
instance;include()
call but in a non-sandbox context (possible as the sandbox has been globally disabled).Resolution
The patch ensures that the sandbox security checks are always run at runtime.
Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
Release Notes
twigphp/Twig (twig/twig)
### [`v3.11.1`](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1) ### [`v3.11.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3110-2024-08-08) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.3...v3.11.0) - Add `Twig\Cache\ChainCache` and `Twig\Cache\ReadOnlyFilesystemCache` - Add the possibility to deprecate attributes and nodes on `Node` - Add the possibility to add a package and a version to the `deprecated` tag - Add the possibility to add a package for filter/function/test deprecations - Mark `ConstantExpression` as being `@final` - Add the `find` filter - Fix optimizer mode validation in `OptimizerNodeVisitor` - Add the possibility to yield from a generator in `PrintNode` - Add the `shuffle` filter - Add the `singular` and `plural` filters in `StringExtension` - Deprecate the second argument of `Twig\Node\Expression\CallExpression::compileArguments()` - Deprecate `Twig\ExpressionParser\parseHashExpression()` in favor of `Twig\ExpressionParser::parseMappingExpression()` - Deprecate `Twig\ExpressionParser\parseArrayExpression()` in favor of `Twig\ExpressionParser::parseSequenceExpression()` - Add `sequence` and `mapping` tests - Deprecate `Twig\Node\Expression\NameExpression::isSimple()` and `Twig\Node\Expression\NameExpression::isSpecial()` ### [`v3.10.3`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3103-2024-05-16) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.2...v3.10.3) - Fix missing ; in generated code ### [`v3.10.2`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3102-2024-05-14) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.1...v3.10.2) - Fix support for the deprecated escaper signature ### [`v3.10.1`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3101-2024-05-12) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.0...v3.10.1) - Fix BC break on escaper extension - Fix constant return type ### [`v3.10.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3100-2024-05-11) [Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.3...v3.10.0) - Make `CoreExtension::formatDate`, `CoreExtension::convertDate`, and `CoreExtension::formatNumber` part of the public API - Add `needs_charset` option for filters and functions - Extract the escaping logic from the `EscaperExtension` class to a new `EscaperRuntime` class. The following methods from `Twig\\Extension\\EscaperExtension` are deprecated: `setEscaper()`, `getEscapers()`, `setSafeClasses`, `addSafeClasses()`. Use the same methods on the `Twig\\Runtime\\EscaperRuntime` class instead. - Fix capturing output from extensions that still use echo - Fix a PHP warning in the Lexer on malformed templates - Fix blocks not available under some circumstances - Synchronize source context in templates when setting a Node on a NodeConfiguration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Read more about the use of Renovate Bot within
ocramius/*
projects.