Update dependency twig/twig to v3.11.2 [SECURITY] #217
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.7.1
->3.11.2
Twig has a possible sandbox bypass
CVE-2024-45411 / GHSA-6j75-5wfj-gh66
More information
Details
Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
include()
function which references a template name (likeincluded.twig
) and not aTemplate
orTemplateWrapper
instance;include()
call but in a non-sandbox context (possible as the sandbox has been globally disabled).Resolution
The patch ensures that the sandbox security checks are always run at runtime.
Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Twig has unguarded calls to
__toString()
when nesting an object into an arrayCVE-2024-51754 / GHSA-6377-hfv9-hqf6
More information
Details
Description
In a sandbox, an attacker can call
__toString()
on an object even if the__toString()
method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).Resolution
The sandbox mode now checks the
__toString()
method call on all objects.The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.
Credits
We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Twig has unguarded calls to
__isset()
and to array-accesses when the sandbox is enabledCVE-2024-51755 / GHSA-jjxq-ff2g-95vh
More information
Details
Description
In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the
__isset()
method is now called after the security check.This is a BC break.
Resolution
The sandbox mode now ensures access to array-like's properties is allowed.
The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.
Credits
We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
twigphp/Twig (twig/twig)
v3.11.2
Compare Source
They are now checked via the property policy
toString()
under some circumstances on an object even if the
__toString()
method is not allowed by the security policyv3.11.1
Compare Source
v3.11.0
Compare Source
OptimizerNodeVisitor::OPTIMIZE_RAW_FILTER
Twig\Cache\ChainCache
andTwig\Cache\ReadOnlyFilesystemCache
Node
deprecated
tagConstantExpression
as being@final
find
filterOptimizerNodeVisitor
PrintNode
shuffle
filtersingular
andplural
filters inStringExtension
Twig\Node\Expression\CallExpression::compileArguments()
Twig\ExpressionParser\parseHashExpression()
in favor ofTwig\ExpressionParser::parseMappingExpression()
Twig\ExpressionParser\parseArrayExpression()
in favor ofTwig\ExpressionParser::parseSequenceExpression()
sequence
andmapping
testsTwig\Node\Expression\NameExpression::isSimple()
andTwig\Node\Expression\NameExpression::isSpecial()
v3.10.3
Compare Source
v3.10.2
Compare Source
v3.10.1
Compare Source
v3.10.0
Compare Source
Make
CoreExtension::formatDate
,CoreExtension::convertDate
, andCoreExtension::formatNumber
part of the public APIAdd
needs_charset
option for filters and functionsExtract the escaping logic from the
EscaperExtension
class to a newEscaperRuntime
class.The following methods from
Twig\\Extension\\EscaperExtension
aredeprecated:
setEscaper()
,getEscapers()
,setSafeClasses
,addSafeClasses()
. Use the same methods on theTwig\\Runtime\\EscaperRuntime
class instead.Fix capturing output from extensions that still use echo
Fix a PHP warning in the Lexer on malformed templates
Fix blocks not available under some circumstances
Synchronize source context in templates when setting a Node on a Node
v3.9.3
Compare Source
twig_escape_filter_is_safe
deprecated functionv3.9.2
Compare Source
v3.9.1
Compare Source
$blocks
variable inCaptureNode
v3.9.0
Compare Source
Node implementations that use "echo" or "print" should use "yield" instead;
all Node implementations should be flagged with
#[YieldReady]
once they've been made ready for "yield";the "use_yield" Environment option can be turned on when all nodes have been made
#[YieldReady]
;"yield" will be the only strategy supported in the next major version
v3.8.0
Compare Source
twig_test_iterable
function. Use the nativeis_iterable
instead.Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.