From 83a80f66982d40ea7cb83f57f7a1519b3eb32c60 Mon Sep 17 00:00:00 2001
From: catch <6915-catch@users.noreply.drupalcode.org>
Date: Wed, 11 Sep 2024 10:09:44 +0100
Subject: [PATCH] Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha,
 quietone: twig/twig has a possible sandbox bypass <v3.14.0

---
 composer.lock                                 | 20 +++++++++----------
 .../Metapackage/CoreRecommended/composer.json |  2 +-
 core/.deprecation-ignore.txt                  | 12 +++++++++++
 core/composer.json                            |  2 +-
 .../src/Kernel/Theme/TwigIncludeTest.php      |  2 +-
 .../Core/Theme/TwigEnvironmentTest.php        | 12 -----------
 6 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/composer.lock b/composer.lock
index 849795ae4866..9b5dfd849e13 100644
--- a/composer.lock
+++ b/composer.lock
@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "b8ae3e330a6035450fa1578a5d2d30388cb98314"
+                "reference": "a8c2361f7740cf546b481c01e6503ea083ad469c"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -540,7 +540,7 @@
                 "symfony/serializer": "^6.4",
                 "symfony/validator": "^6.4",
                 "symfony/yaml": "^6.4",
-                "twig/twig": "^3.9.3"
+                "twig/twig": "^3.14.0"
             },
             "conflict": {
                 "drush/drush": "<12.4.3"
@@ -4347,24 +4347,24 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.10.2",
+            "version": "v3.14.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "7aaed0b8311a557cc8c4047a71fd03153a00e755"
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7aaed0b8311a557cc8c4047a71fd03153a00e755",
-                "reference": "7aaed0b8311a557cc8c4047a71fd03153a00e755",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
                 "shasum": ""
             },
             "require": {
-                "php": ">=7.2.5",
+                "php": ">=8.0.2",
                 "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-ctype": "^1.8",
                 "symfony/polyfill-mbstring": "^1.3",
-                "symfony/polyfill-php80": "^1.22"
+                "symfony/polyfill-php81": "^1.29"
             },
             "require-dev": {
                 "psr/container": "^1.0|^2.0",
@@ -4410,7 +4410,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.10.2"
+                "source": "https://github.com/twigphp/Twig/tree/v3.14.0"
             },
             "funding": [
                 {
@@ -4422,7 +4422,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-05-14T06:04:16+00:00"
+            "time": "2024-09-09T17:55:12+00:00"
         }
     ],
     "packages-dev": [
diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index c589f336bced..5c7d51d74f3e 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -61,6 +61,6 @@
         "symfony/var-dumper": "~v6.4.7",
         "symfony/var-exporter": "~v6.4.7",
         "symfony/yaml": "~v6.4.7",
-        "twig/twig": "~v3.10.2"
+        "twig/twig": "~v3.14.0"
     }
 }
diff --git a/core/.deprecation-ignore.txt b/core/.deprecation-ignore.txt
index 9b307fe460d9..dbaf1dc54740 100644
--- a/core/.deprecation-ignore.txt
+++ b/core/.deprecation-ignore.txt
@@ -62,3 +62,15 @@
 %The "Drupal\\Tests\\Core\\Controller\\MockContainerAware" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The "Drupal\\Tests\\Core\\DependencyInjection\\DependencySerializationTestDummy" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The "Drupal\\Tests\\Core\\Utility\\MockContainerAware" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
+
+# Twig 3.
+%Since twig/twig 3.11: Changing the value of a "filter" node in a NodeVisitor class is not supported anymore.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "attach_library" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "add_component_context" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "render_var" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "validate_component_props" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\FilterExpression" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\DefaultFilter" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\RawFilter" class is deprecated.%
+%Since twig/twig 3.12: The "tag" constructor argument of the "Drupal\\Core\\Template\\TwigNodeTrans" class is deprecated and ignored%
+%Since twig/twig 3.12: Twig Filter "spaceless" is deprecated%
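Review bot: The new `# Twig 3.` heading records nothing about when these ignores can be removed, so the patterns will silently keep masking the Twig 3.12 node-API migration that the `render_var`/`attach_library`/`add_component_context`/`validate_component_props` FunctionExpression construction, the `filter` node accesses and the `TwigNodeTrans` `tag` argument apparently still owe on Drupal's side. Because the patterns are unanchored substring regexes, they will also swallow any future deprecation that happens to contain the same text. Suggest `# Twig 3.12 deprecations raised by Drupal's own Twig node/extension code; remove once TwigNodeTrans and the FunctionExpression/FilterExpression handling are ported to the Twig 3.12 node API.` in place of the bare heading so the removal condition is recorded next to the patterns.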
diff --git a/core/composer.json b/core/composer.json
index c899706d59a9..7c8c1ac8b3de 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -33,7 +33,7 @@
         "symfony/process": "^6.4",
         "symfony/polyfill-iconv": "^1.26",
         "symfony/yaml": "^6.4",
-        "twig/twig": "^3.9.3",
+        "twig/twig": "^3.14.0",
         "doctrine/annotations": "^1.14",
         "guzzlehttp/guzzle": "^7.5",
         "guzzlehttp/psr7": "^2.4.5",
diff --git a/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php b/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
index 7b79fe1a0af8..711a008eafa3 100644
--- a/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
+++ b/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
@@ -47,7 +47,7 @@ public function testTemplateInclusion(): void {
     $element = [];
     $element['test'] = [
       '#type' => 'inline_template',
-      '#template' => "{% include '@__main__\/core/tests/fixtures/files/sql-2.sql' %}",
+      '#template' => "{% include '@__main__/core/tests/fixtures/files/sql-2.sql' %}",
     ];
     try {
       $renderer->renderRoot($element);
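Review bot: The rewritten template drops the backslash-escaped form of the path — `"\/"` is not a PHP string escape, so the old template literally contained `@__main__\/core/...` — which means this test no longer exercises how the loader treats a backslash inside an `@__main__` name; presumably Twig 3.14 normalizes or rejects that spelling differently, but the commit message does not say. Since the test appears to exist to confirm that a non-Twig file (`sql-2.sql`) cannot be pulled in through `{% include %}`, it would be safer to cover both spellings rather than swap one for the other, e.g. loop over `['@__main__/core/tests/fixtures/files/sql-2.sql', '@__main__\\/core/tests/fixtures/files/sql-2.sql']` and run the render and its assertion once per name. testTemplateInclusion() continues past the hunk, so the expected-exception branch is not visible here.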
diff --git a/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php b/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php
index 638398f96224..01e6fefd1694 100644
--- a/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php
@@ -12,7 +12,6 @@
 use Drupal\Core\Template\TwigPhpStorageCache;
 use Drupal\KernelTests\KernelTestBase;
 use Symfony\Component\DependencyInjection\Definition;
-use Twig\Environment;
 use Twig\Error\LoaderError;
 
 /**
@@ -216,17 +215,6 @@ public function testTemplateInvalidation(): void {
     file_put_contents($template_file, $template_after);
     $output = $environment->load(basename($template_file))->render();
     $this->assertEquals($template_before, $output);
-
-    $environment->invalidate();
-    // Manually change $templateClassPrefix to force a different template
-    // classname, as the other class is still loaded. This wouldn't be a problem
-    // on a real site where you reload the page.
-    $reflection = new \ReflectionClass(Environment::class);
-    $property_reflection = $reflection->getProperty('templateClassPrefix');
-    $property_reflection->setValue($environment, 'otherPrefix');
-
-    $output = $environment->load(basename($template_file))->render();
-    $this->assertEquals($template_after, $output);
   }
 
   /**
-- 
GitLab