From 44ae8844e761dba9997f79036de1bf75a8e7e75e Mon Sep 17 00:00:00 2001
From: catch <6915-catch@users.noreply.drupalcode.org>
Date: Wed, 11 Sep 2024 09:46:02 +0100
Subject: [PATCH] Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone: twig/twig has a possible sandbox bypass <v3.14.0
---
 composer.lock | 19 +++++++++----------
 .../Metapackage/CoreRecommended/composer.json | 2 +-
 core/.deprecation-ignore.txt | 11 ++++++++++-
 core/composer.json | 2 +-
 .../src/Kernel/Theme/TwigIncludeTest.php | 2 +-
 5 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/composer.lock b/composer.lock
index cb8d4787afc6..28cc52047821 100644
--- a/composer.lock
+++ b/composer.lock
@@ -496,7 +496,7 @@
 "dist": {
 "type": "path",
 "url": "core",
- "reference": "f8027006bc6ac7d9ff990897dc7a2c7f4db5b67a"
+ "reference": "946773df28ad729a17c4002a6b5740a746b6deb5"
 },
 "require": {
 "asm89/stack-cors": "^2.1",
@@ -543,7 +543,7 @@
 "symfony/serializer": "^7.1",
 "symfony/validator": "^7.1",
 "symfony/yaml": "^7.1",
- "twig/twig": "^3.11.0"
+ "twig/twig": "^3.14.0"
 },
 "conflict": {
 "drush/drush": "<12.4.3"
@@ -4266,24 +4266,23 @@
 },
 {
 "name": "twig/twig",
- "version": "v3.11.0",
+ "version": "v3.14.0",
 "source": {
 "type": "git",
 "url": "https://github.com/twigphp/Twig.git",
- "reference": "e80fb8ebba85c7341a97a9ebf825d7fd4b77708d"
+ "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/twigphp/Twig/zipball/e80fb8ebba85c7341a97a9ebf825d7fd4b77708d",
- "reference": "e80fb8ebba85c7341a97a9ebf825d7fd4b77708d",
+ "url": "https://api.github.com/repos/twigphp/Twig/zipball/126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
+ "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
 "shasum": ""
 },
 "require": {
- "php": ">=7.2.5",
+ "php": ">=8.0.2",
 "symfony/deprecation-contracts": "^2.5|^3",
 "symfony/polyfill-ctype": "^1.8",
 "symfony/polyfill-mbstring": "^1.3",
- "symfony/polyfill-php80": "^1.22",
 "symfony/polyfill-php81": "^1.29"
 },
 "require-dev": {
@@ -4330,7 +4329,7 @@
 ],
 "support": {
 "issues": "https://github.com/twigphp/Twig/issues",
- "source": "https://github.com/twigphp/Twig/tree/v3.11.0"
+ "source": "https://github.com/twigphp/Twig/tree/v3.14.0"
 },
 "funding": [
 {
@@ -4342,7 +4341,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-08-08T16:15:16+00:00"
+ "time": "2024-09-09T17:55:12+00:00"
 }
 ],
 "packages-dev": [
diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 10c08172af0d..8bb4066c6a40 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -60,6 +60,6 @@
 "symfony/var-dumper": "~v7.1.3",
 "symfony/var-exporter": "~v7.1.2",
 "symfony/yaml": "~v7.1.1",
- "twig/twig": "~v3.11.0"
+ "twig/twig": "~v3.14.0"
 }
 }
diff --git a/core/.deprecation-ignore.txt b/core/.deprecation-ignore.txt
index 421433ea1ebd..59371268914b 100644
--- a/core/.deprecation-ignore.txt
+++ b/core/.deprecation-ignore.txt
@@ -27,5 +27,14 @@
 # PHPUnit 10.
 %The "PHPUnit\\Framework\\TestCase::__construct\(\)" method is considered internal.*You should not extend it from "Drupal\\[^"]+"%
-# Twig 3.11.0
+# Twig 3.
 %Since twig/twig 3.11: Changing the value of a "filter" node in a NodeVisitor class is not supported anymore.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "attach_library" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "add_component_context" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "render_var" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "validate_component_props" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\FilterExpression" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\DefaultFilter" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\RawFilter" class is deprecated.%
+%Since twig/twig 3.12: The "tag" constructor argument of the "Drupal\\Core\\Template\\TwigNodeTrans" class is deprecated and ignored%
+%Since twig/twig 3.12: Twig Filter "spaceless" is deprecated%
diff --git a/core/composer.json b/core/composer.json
index 19c97f26b13d..35eb5464ecd9 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -34,7 +34,7 @@
 "symfony/process": "^7.1",
 "symfony/polyfill-iconv": "^1.26",
 "symfony/yaml": "^7.1",
- "twig/twig": "^3.11.0",
+ "twig/twig": "^3.14.0",
 "doctrine/annotations": "^2.0",
 "doctrine/lexer": "^2.0",
 "guzzlehttp/guzzle": "^7.5",
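Review bot: The heading that replaces `# Twig 3.11.0` now reads `# Twig 3.`, which looks truncated rather than deliberate given that the patterns under it cover both the 3.11 and the 3.12 messages; `# Twig 3.11 and 3.12 deprecations` would say what the group is. The four `Not passing an instance of "TwigFunction"` lines differ only in the function name and could be one entry, `%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "(attach_library|add_component_context|render_var|validate_component_props)" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%`. These entries silence deprecations rather than resolve them, and the `TwigNodeTrans` constructor argument and the `filter` node access named in the messages presumably point at Drupal's own Twig node code that will stop working on the next Twig major, so a short comment referencing the follow-up issue (id to be filled in) would keep the ignore list from becoming permanent.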
diff --git a/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php b/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
index 7b79fe1a0af8..711a008eafa3 100644
--- a/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
+++ b/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
@@ -47,7 +47,7 @@ public function testTemplateInclusion(): void {
 $element = [];
 $element['test'] = [
 '#type' => 'inline_template',
- '#template' => "{% include '@__main__\/core/tests/fixtures/files/sql-2.sql' %}",
+ '#template' => "{% include '@__main__/core/tests/fixtures/files/sql-2.sql' %}",
 ];
 try {
 $renderer->renderRoot($element);
-- GitLab
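Review bot: The only change on the `'#template'` line is dropping the backslash before the slash, and nothing in the hunk records why; in a PHP double-quoted string `\/` is not an escape sequence, so the old template name reached Twig with a literal `\/` in it, which presumably older Twig tolerated and 3.14 no longer does — confirm against the Twig change. A one-line comment above the element, `// "\/" is not a PHP escape sequence; the include name must use a plain "/".`, would stop the next reader from re-adding the escape. If the escaped form was deliberately exercising a path-mangling variant of the include guard, that coverage is gone and would need its own case; `testTemplateInclusion` starts and ends outside the hunk, so what it asserts after `renderRoot` is not visible here.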