Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Twig has a security issue in sandbox #14189

Closed
mikkeschiren opened this issue Mar 12, 2019 · 4 comments · Fixed by #14260
Closed

Twig has a security issue in sandbox #14189

mikkeschiren opened this issue Mar 12, 2019 · 4 comments · Fixed by #14260
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.

Comments

@mikkeschiren
Copy link
Contributor

Created #14188

This is about:
https://symfony.com/blog/twig-sandbox-information-disclosure

@Findus23
Copy link
Member

I'm pretty sure Matomo doesn't use the twig sandbox feature, so this shouldn't matter.

Nevertheless, updating Twig shouldn't hurt.

@fdellwing
Copy link
Contributor

Just did a code search, did not find anything related to twig using sandbox.

@mikkeschiren
Copy link
Contributor Author

Matomo core does not, but a plugin can. So an update would not hurt.

@Findus23
Copy link
Member

That would be highly unlikely as not the sandbox feature but just disallowing __toString() is broken, but as said before I'm all for updating twig (as there were also a few bugfix releases in between)

@mattab mattab added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jun 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants