security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (fabpot)
This PR was merged into the twig-3.x branch.
Discussion
----------
Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders
Fixes #555
Commits
-------
23eb6eb Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders
CHANGELOG (1 line changed: 1 addition, 0 deletions)
@@ -2,6 +2,7 @@
2
2
3
3
* Add a strict mode to `Twig\Sandbox\SecurityPolicy` to opt-in to the 4.0 behavior for the `extends`/`use` tags and the `parent`/`block`/`attribute` functions, which are otherwise still implicitly allowed in a sandbox
4
4
* Deprecate the fact that the `parent`, `block`, and `attribute` functions are always allowed in a sandboxed template
5
+
* Fix sandbox filter/tag/function allow-list bypass when the sandbox state changed between renders of a cached `Template` instance
5
6
* Fix PHP 8.1+ implicit float-to-int deprecation triggered by sandboxed `ArrayAccess` attribute access with a float key
6
7
* Restrict allowed classes in `Twig\Profiler\Profile::unserialize()` to prevent arbitrary class instantiation
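Review bot: The added CHANGELOG entry says "cached `Template` instance" without saying which cache is meant, so a reader can take it either as the compiled-template cache or as a template object reused in memory across renders. Suggest wording that names the case precisely, and consider citing the issue the commit message references (#555) so the entry can be traced back to the report.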
thrownewRuntimeError(\sprintf('Macro "%s" is not defined in template "%s".', substr($name, \strlen('macro_')), $this->getTemplateName()), $line, $source);
524
538
}
525
539
540
+
/**
541
+
* Runs the sandbox security check against the current sandbox state.
542
+
*
543
+
* @internal
544
+
*/
545
+
publicfunctionensureSecurityChecked(): void
546
+
{
547
+
}
548
+
526
549
/**
527
550
* Auto-generated method to display the template with the given context.
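Review bot: The new `ensureSecurityChecked()` has an empty body, while its docblock states that it "Runs the sandbox security check against the current sandbox state"; as shown in this hunk the base method checks nothing. If generated template classes are meant to override it, say in the docblock that the base implementation is a deliberate no-op, and confirm what happens for a template class that does not override it (does it silently skip the check?). The method is also `public` while marked `@internal`, so a line on who is expected to call it would help.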