factorial-io / phabalicious

Supports your deployments and every-day devops-tasks
http://docs.phab.io
MIT License

fix(deps): update dependency twig/twig to v3.4.3 [security] #289

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| twig/twig (source) | require | minor | 3.3.8 -> 3.4.3 |

GitHub Vulnerability Alerts

CVE-2022-39261

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.


Release Notes

twigphp/Twig

### [`v3.4.3`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​343-2022-09-28) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.4.2...v3.4.3)

- Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)

### [`v3.4.2`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​342-2022-08-12) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.4.1...v3.4.2)

- Allow inherited magic method to still run with calling class
- Fix CallExpression::reflectCallable() throwing TypeError
- Fix typo in naming (currency_code)

### [`v3.4.1`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​341-2022-05-17) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.4.0...v3.4.1)

- Fix optimizing non-public named closures

### [`v3.4.0`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​340-2022-05-22) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.3.10...v3.4.0)

- Add support for named closures

### [`v3.3.10`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​3310-2022-04-06) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.3.9...v3.3.10)

- Enable bytecode invalidation when auto_reload is enabled

### [`v3.3.9`](https://togithub.com/twigphp/Twig/blob/HEAD/CHANGELOG#​339-2022-03-25) [Compare Source](https://togithub.com/twigphp/Twig/compare/v3.3.8...v3.3.9)

- Fix custom escapers when using multiple Twig environments
- Add support for "constant('class', object)"
- Do not reuse internally generated variable names during parsing

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
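The CVE-2022-39261 description above explains that a namespaced template name such as `@somewhere/../some.file` can slip past validation and read files outside the templates directory. The following is an added Python example, not Twig's or Phabalicious' own code, showing the defender-side check a filesystem loader needs: resolve the name against its namespace root, normalize, and reject anything that lands outside that root. The namespace map and directory paths are constructed for illustration.

```python
import posixpath

# Constructed namespace -> root directory map, standing in for a filesystem
# loader configuration. Illustrative only; this is not Twig's loader code.
NAMESPACE_ROOTS = {
    "__main__": "/srv/app/templates",
    "somewhere": "/srv/app/templates/somewhere",
}


def parse_name(name):
    """Split '@ns/relative' into (namespace, relative).

    Bare names belong to the '__main__' namespace. A namespaced name must
    carry a non-empty relative part, so '@ns' and '@ns/' are rejected.
    """
    if not name.startswith("@"):
        return "__main__", name
    ns, sep, rel = name[1:].partition("/")
    if not ns or not sep or not rel:
        raise ValueError("malformed namespaced template name: %r" % name)
    return ns, rel


def resolve_template(name, roots=NAMESPACE_ROOTS):
    """Return the normalized absolute path for a template name, or raise.

    The containment check runs on the *normalized* path, so '..' segments
    hidden behind a namespace prefix ('@somewhere/../some.file') cannot
    step out of that namespace's root. Pure string normalization does not
    see symlinks; a real loader should also compare realpath() results.
    """
    ns, rel = parse_name(name)
    if ns not in roots:
        raise LookupError("unknown template namespace: %r" % ns)
    root = posixpath.normpath(roots[ns])
    # join() discards root when rel is absolute ('/etc/passwd'); the
    # prefix check below rejects that case as well.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if not candidate.startswith(root + "/"):
        raise PermissionError("%r resolves outside %s" % (name, root))
    return candidate


def is_safe_template_name(name, roots=NAMESPACE_ROOTS):
    """True when the name resolves to a file inside its namespace root."""
    try:
        resolve_template(name, roots)
    except (ValueError, LookupError, PermissionError):
        return False
    return True
```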