Commit 4675459f authored by catch's avatar catch

Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone:...

Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone: twig/twig has a possible sandbox bypass <v3.14.0
parent 01890ba3
+10 −10
@@ -496,7 +496,7 @@
            "dist": {
                "type": "path",
                "url": "core",
                "reference": "7ef1db8ef53f81722f34bc38512af9c4665d9d72"
                "reference": "b70cc9a18bf7dd3f2dcbbf752473b0129bb4e655"
            },
            "require": {
                "asm89/stack-cors": "^2.1",
@@ -543,7 +543,7 @@
                "symfony/serializer": "^7.1",
                "symfony/validator": "^7.1",
                "symfony/yaml": "^7.1",
                "twig/twig": "^3.9.3"
                "twig/twig": "^3.14.0"
            },
            "conflict": {
                "drush/drush": "<12.4.3"
@@ -4265,24 +4265,24 @@
        },
        {
            "name": "twig/twig",
            "version": "v3.10.3",
            "version": "v3.14.0",
            "source": {
                "type": "git",
                "url": "https://github.com/twigphp/Twig.git",
                "reference": "67f29781ffafa520b0bbfbd8384674b42db04572"
                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/twigphp/Twig/zipball/67f29781ffafa520b0bbfbd8384674b42db04572",
                "reference": "67f29781ffafa520b0bbfbd8384674b42db04572",
                "url": "https://api.github.com/repos/twigphp/Twig/zipball/126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
                "shasum": ""
            },
            "require": {
                "php": ">=7.2.5",
                "php": ">=8.0.2",
                "symfony/deprecation-contracts": "^2.5|^3",
                "symfony/polyfill-ctype": "^1.8",
                "symfony/polyfill-mbstring": "^1.3",
                "symfony/polyfill-php80": "^1.22"
                "symfony/polyfill-php81": "^1.29"
            },
            "require-dev": {
                "psr/container": "^1.0|^2.0",
@@ -4328,7 +4328,7 @@
            ],
            "support": {
                "issues": "https://github.com/twigphp/Twig/issues",
                "source": "https://github.com/twigphp/Twig/tree/v3.10.3"
                "source": "https://github.com/twigphp/Twig/tree/v3.14.0"
            },
            "funding": [
                {
@@ -4340,7 +4340,7 @@
                    "type": "tidelift"
                }
            ],
            "time": "2024-05-16T10:04:27+00:00"
            "time": "2024-09-09T17:55:12+00:00"
        }
    ],
    "packages-dev": [
+1 −1
@@ -60,6 +60,6 @@
        "symfony/var-dumper": "~v7.1.3",
        "symfony/var-exporter": "~v7.1.2",
        "symfony/yaml": "~v7.1.1",
        "twig/twig": "~v3.10.3"
        "twig/twig": "~v3.14.0"
    }
}
+12 −0
@@ -26,3 +26,15 @@

# PHPUnit 10.
%The "PHPUnit\\Framework\\TestCase::__construct\(\)" method is considered internal.*You should not extend it from "Drupal\\[^"]+"%

# Twig 3.
%Since twig/twig 3.11: Changing the value of a "filter" node in a NodeVisitor class is not supported anymore.%
%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "attach_library" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "add_component_context" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "render_var" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "validate_component_props" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\FilterExpression" class is deprecated.%
%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\DefaultFilter" class is deprecated.%
%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\RawFilter" class is deprecated.%
%Since twig/twig 3.12: The "tag" constructor argument of the "Drupal\\Core\\Template\\TwigNodeTrans" class is deprecated and ignored%
%Since twig/twig 3.12: Twig Filter "spaceless" is deprecated%
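Review bot: The new `# Twig 3.` block silences deprecations raised by the project's own Twig integration (the `attach_library`, `add_component_context`, `render_var` and `validate_component_props` functions, `TwigNodeTrans`, the `spaceless` filter), and nothing in the file says when these entries are meant to be removed. Because the patterns hide the messages from test runs, the affected code can stay on deprecated APIs unnoticed until a later Twig major drops them. I would extend the heading comment to mark the entries as temporary and point at the tracking work, e.g. `# Twig 3. Temporary, added with the 3.14.0 security update; remove each line once fixed, see <FOLLOW-UP-ISSUE>.`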
+1 −1
@@ -34,7 +34,7 @@
        "symfony/process": "^7.1",
        "symfony/polyfill-iconv": "^1.26",
        "symfony/yaml": "^7.1",
        "twig/twig": "^3.9.3",
        "twig/twig": "^3.14.0",
        "doctrine/annotations": "^2.0",
        "doctrine/lexer": "^2.0",
        "guzzlehttp/guzzle": "^7.5",
+1 −1
@@ -47,7 +47,7 @@ public function testTemplateInclusion(): void {
    $element = [];
    $element['test'] = [
      '#type' => 'inline_template',
      '#template' => "{% include '@__main__\/core/tests/fixtures/files/sql-2.sql' %}",
      '#template' => "{% include '@__main__/core/tests/fixtures/files/sql-2.sql' %}",
    ];
    try {
      $renderer->renderRoot($element);
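Review bot: The reason for dropping the backslash in the `#template` string is not recorded next to it, and this is a negative test on template inclusion where the exact string matters. Presumably the `\/` form triggers a Twig deprecation about unneeded escapes after the upgrade; a short comment would stop someone from restoring it, e.g. `// No backslash before '/': newer Twig deprecates unneeded escapes in strings.` The `try` opened here is closed outside the hunk, so these lines do not show whether the test asserts the specific inclusion failure rather than any exception, which is worth checking.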