Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.x][4.x]: Using insecure twig/twig versions #12022

Closed
sfsmfc opened this issue Sep 28, 2022 · 3 comments
Closed

[3.x][4.x]: Using insecure twig/twig versions #12022

sfsmfc opened this issue Sep 28, 2022 · 3 comments
Labels
bug craft4

Comments

@sfsmfc
Copy link

sfsmfc commented Sep 28, 2022

What happened?

Description

Update dependency for twig/twig in composer.json.

According to https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader, the 2.24.x and 3.3.x version from twig/twig are insecure. We have to raise the dependancy for twig/twig in 3.7.x to "~2.15.0" and in 4.x to "~3.4.0" to solve this issue.

Steps to reproduce

Make composer update.

Craft CMS version

3.7.x & 4.x

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response
@LarsDol
Copy link

LarsDol commented Sep 29, 2022

Same issue here! Our security checks go 🚨; preventing succesful (secure) deployments.

@angrybrad
Copy link
Member

Craft doesn't use Twig's native filesystem loader, so we're not affected by this.

Security scanners won't be aware of this, however.

For Craft 3, if you composer update, it'll bring in the latest Twig release, which should satisfy the scanners.

For Craft 4, we'll bump the Twig version to ~3.4.0 for the next release, which will also satisfy them.

brandonkelly added a commit that referenced this issue Oct 3, 2022
@brandonkelly
3.7.55.3 - Twig 2.15
82a4a48 
Resolves #12022
Resolves #12033
Resolves #12038
@brandonkelly
Copy link
Member

Just released Craft 3.7.55.2 and 4.2.5.2 with fixes for this.

Craft 3.7.55.2 now requires Twig ~2.15.3 (previously it was ~2.14.3 which wouldn’t have allowed updating to 2.15.x).

Craft 4.2.5.2 now requires Twig ~3.4.3 (previously ~3.3.0).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug craft4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@brandonkelly @angrybrad @LarsDol @sfsmfc