Fix major security issue with twig, sandbox was incorrectly set and was allowing code injection

2020-04-03 21:01:18 +02:00 · 2020-04-03 21:01:18 +02:00 · 3a27a3ba73
parent 26b0ce47a7
commit 3a27a3ba73
1 changed files with 13 additions and 3 deletions
--- a/controllers/internals/Templating.php
+++ b/controllers/internals/Templating.php
@ -32,9 +32,9 @@ namespace controllers\internals;

            $filters = [
                'abs', 'capitalize', 'country_name', 'currency_name',
-                'currency_symbol', 'date', 'date_modify', 'default',
+                'currency_symbol', 'date', 'date_modify', 'default', 'escape',
                'first', 'format', 'format_currency', 'format_datetime',
-                'format_number', 'join', 'keys', 'language_name',
+                'format_number', 'join', 'json_encode', 'keys', 'language_name',
                'last', 'length', 'locale_name', 'lower', 'number_format',
                'replace', 'reverse', 'round', 'slice',
                'sort', 'spaceless', 'split', 'timezone_name',
@ -68,7 +68,17 @@ namespace controllers\internals;
                    'template' => $template,
                ]);

-                $twig = new \Twig\Environment($loader);
+                $twig = new \Twig\Environment($loader, [
+                    'debug' => false,
+                    'charset' => 'utf-8',
+                    'cache' => false,
+                    'auto_reload' => false,
+                    'strict_variables' => false,
+                    'autoescape' => false,
+                    'optimizations' => -1,
+                ]);
+
+                $twig->addExtension($this->sandbox);
                $result = $twig->render('template', $datas);

                return [