Security Release: Twig 1.20.0
August 12, 2015 • Published by Fabien Potencier
I've just released Twig 1.20.0, which contains a fix for a security vulnerability in Twig's sandbox mode.
Description
Your application is affected if you allow end users to submit Twig templates, even if you protect those templates with Twig's sandbox mode.
End users can craft valid Twig code that achieves remote code execution (RCE) via the _self variable, which is always available, even in sandboxed templates, so no sandbox policy prevents access to it.
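The setup the advisory refers to, as an added example that is not part of this post or of the Twig project's own code: a Twig 1.x environment that renders a user-submitted template under a restrictive sandbox policy, with a version gate that refuses to render untrusted templates on any release before 1.20.0. It assumes Twig 1.x installed through Composer (vendor/autoload.php) and the 1.x class names (Twig_Environment, Twig_Sandbox_SecurityPolicy, Twig_Extension_Sandbox, Twig_Loader_Array); the function name render_untrusted and the sample templates are constructed for this example.

```php
<?php
// Added example; not the Twig project's code. Assumes Twig 1.x via Composer.
require __DIR__.'/vendor/autoload.php';

/**
 * Render a template submitted by an end user inside Twig's sandbox.
 *
 * The policy is a tight allow-list: any tag, filter, function, method or
 * property not listed raises Twig_Sandbox_SecurityError. The version gate
 * reflects the advisory: before 1.20.0 the always-available _self variable
 * let a template escape the sandbox however strict this policy is, so the
 * policy alone is not a mitigation on older releases.
 */
function render_untrusted($source, array $context = array())
{
    if (version_compare(Twig_Environment::VERSION, '1.20.0', '<')) {
        throw new RuntimeException(sprintf(
            'Refusing to render user templates on Twig %s: upgrade to 1.20.0 or later',
            Twig_Environment::VERSION
        ));
    }

    $policy = new Twig_Sandbox_SecurityPolicy(
        array('if', 'for'),                 // allowed tags
        array('escape', 'upper', 'length'), // allowed filters
        array(),                            // allowed methods, keyed by class
        array(),                            // allowed properties, keyed by class
        array('range')                      // allowed functions
    );

    // The untrusted source lives in an in-memory loader; nothing is read from disk.
    $loader = new Twig_Loader_Array(array('user' => $source));
    $twig = new Twig_Environment($loader, array(
        'autoescape' => 'html',
        'cache'      => false,
    ));
    // Second argument true: every template rendered by this environment is
    // sandboxed, not only blocks wrapped in {% sandbox %}.
    $twig->addExtension(new Twig_Extension_Sandbox($policy, true));

    return $twig->render('user', $context);
}

// Constructed inputs for a manual run.
$benign = 'Hello {{ name|upper }}! {% for i in range(1, 3) %}{{ i }}{% endfor %}';
echo render_untrusted($benign, array('name' => 'world')), "\n";

// A function outside the allow-list: the sandbox rejects it before rendering.
$blocked = '{{ constant("PHP_VERSION") }}';
try {
    render_untrusted($blocked);
} catch (Twig_Sandbox_SecurityError $e) {
    echo 'blocked by sandbox: ', $e->getMessage(), "\n";
}
```

The allow-list is what the sandbox enforces; the point of the advisory is that on releases before 1.20.0 it could be bypassed through _self regardless of what is listed, which is why the version gate comes before the policy rather than relying on the policy alone.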
Affected Versions
All versions of Twig prior to 1.20.0 are affected.
How to Patch
Upgrade to Twig 1.20.0. If you cannot upgrade, you can apply the patches provided in the dedicated pull request.
Credits
I want to thank James Kettle, who was the first to report an RCE security issue, and Alain Tiemblo, Christophe Coevoet, and Fabien Potencier for finding further, dangerous RCE vectors.
Thank you to Christophe Coevoet, Tugdual Saunier, and Fabien Potencier for providing the fixes for the various attack vectors.
Check your Project
As a quick reminder, you can check your Composer-based projects for dependencies with known vulnerabilities using the SensioLabs Security Checker.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.