Headline
CVE-2022-23614: Disallow non closures in `sort` filter when the sanbox mode is enabled · twigphp/Twig@2eb3308
Twig is an open source template language for PHP. When in sandbox mode, the `arrow` parameter of the `sort` filter must be a closure, so that attackers cannot run arbitrary PHP functions. In affected versions this constraint was not properly enforced, which could lead to injection of arbitrary PHP code. Patched versions now disallow calling a non-Closure in the `sort` filter, as is already the case for some other filters. Users are advised to upgrade.
Expand Up @@ -237,7 +237,7 @@ public function getFilters() // array helpers new TwigFilter('join’, ‘twig_join_filter’), new TwigFilter('split’, 'twig_split_filter’, [‘needs_environment’ => true]), new TwigFilter('sort’, ‘twig_sort_filter’), new TwigFilter('sort’, 'twig_sort_filter’, [‘needs_environment’ => true]), new TwigFilter('merge’, ‘twig_array_merge’), new TwigFilter('batch’, ‘twig_array_batch’), new TwigFilter('column’, ‘twig_array_column’), Expand Down Expand Up @@ -926,7 +926,7 @@ function twig_reverse_filter(Environment $env, $item, $preserveKeys = false) * * @return array */ function twig_sort_filter($array, $arrow = null) function twig_sort_filter(Environment $env, $array, $arrow = null) { if ($array instanceof \Traversable) { $array = iterator_to_array($array); Expand All @@ -935,6 +935,8 @@ function twig_sort_filter($array, $arrow = null) }
if (null !== $arrow) { twig_check_arrow_in_sandbox($env, $arrow, 'sort’, ‘filter’);
uasort($array, $arrow); } else { asort($array); Expand Down Expand Up @@ -1606,9 +1608,7 @@ function twig_array_filter(Environment $env, $array, $arrow) throw new RuntimeError(sprintf('The “filter” filter expects an array or "Traversable", got "%s".’, \is_object($array) ? \get_class($array) : \gettype($array))); }
if (!$arrow instanceof Closure && $env->hasExtension(‘\Twig\Extension\SandboxExtension’) && $env->getExtension(‘\Twig\Extension\SandboxExtension’)->isSandboxed()) { throw new RuntimeError(‘The callable passed to “filter” filter must be a Closure in sandbox mode.’); } twig_check_arrow_in_sandbox($env, $arrow, 'filter’, ‘filter’);
if (\is_array($array)) { return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH); Expand All @@ -1620,9 +1620,7 @@ function twig_array_filter(Environment $env, $array, $arrow)
function twig_array_map(Environment $env, $array, $arrow) { if (!$arrow instanceof Closure && $env->hasExtension(‘\Twig\Extension\SandboxExtension’) && $env->getExtension(‘\Twig\Extension\SandboxExtension’)->isSandboxed()) { throw new RuntimeError(‘The callable passed to the “map” filter must be a Closure in sandbox mode.’); } twig_check_arrow_in_sandbox($env, $arrow, 'map’, ‘filter’);
$r = []; foreach ($array as $k => $v) { Expand All @@ -1634,9 +1632,7 @@ function twig_array_map(Environment $env, $array, $arrow)
function twig_array_reduce(Environment $env, $array, $arrow, $initial = null) { if (!$arrow instanceof Closure && $env->hasExtension(‘\Twig\Extension\SandboxExtension’) && $env->getExtension(‘\Twig\Extension\SandboxExtension’)->isSandboxed()) { throw new RuntimeError(‘The callable passed to the “reduce” filter must be a Closure in sandbox mode.’); } twig_check_arrow_in_sandbox($env, $arrow, 'reduce’, ‘filter’);
if (!\is_array($array)) { if (!$array instanceof \Traversable) { Expand All @@ -1648,4 +1644,11 @@ function twig_array_reduce(Environment $env, $array, $arrow, $initial = null)
return array_reduce($array, $arrow, $initial); }
function twig_check_arrow_in_sandbox(Environment $env, $arrow, $thing, $type) { if (!$arrow instanceof Closure && $env->hasExtension(‘\Twig\Extension\SandboxExtension’) && $env->getExtension(‘\Twig\Extension\SandboxExtension’)->isSandboxed()) { throw new RuntimeError(sprintf('The callable passed to the “%s” %s must be a Closure in sandbox mode.’, $thing, $type)); } } }
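Review bot: The new `twig_check_arrow_in_sandbox()` helper at the end of the file has no docblock, and nothing states that every filter passing a template-supplied callable to PHP must call it; the missing check in `sort` that this commit fixes is exactly that kind of gap. I would add something like `/** @internal Rejects non-Closure callables while the sandbox is active; call this before handing any template-supplied callable to PHP. */` and document `$thing` and `$type` (the filter name and the noun used in the error message). A regression test that passes a string callable to `sort`, `filter`, `map` and `reduce` under the sandbox would keep the four call sites aligned; no test is visible on this page. Two side effects are worth a line in the changelog: `twig_sort_filter()` gains a leading `Environment $env` parameter, which changes the signature for any direct caller, and the message for the `filter` filter now reads "passed to the" rather than "passed to", which may matter to code matching on the old text.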
Related news
Ubuntu Security Notice 5947-1 - Fabien Potencier discovered that Twig was not properly enforcing sandbox policies when dealing with objects automatically cast to strings by PHP. An attacker could possibly use this issue to expose sensitive information. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Marlon Starkloff discovered that Twig was not properly enforcing closure constraints in some of its array filtering functions. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu 20.04 ESM.