When Twig runs in sandbox mode, the arrow parameter of the sort filter (the comparison callback) must be a Closure. If any other PHP callable is accepted there, an attacker who controls a template can name an arbitrary PHP function as the callback and have it executed from inside the sandbox.

Twig now disallows non-Closure callables as the arrow argument of the sort filter in sandbox mode, as it already did for the other filters that accept an arrow.

We would like to thank Marlon Starkloff for reporting the issue and Fabien Potencier for fixing it.
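As an added illustration (this is not Twig's own code and not the patch linked below), the standalone PHP snippet below mirrors the rule the fix enforces: the comparison callback of a sort-style filter is honoured in sandbox mode only when it is a Closure, and any other callable is rejected before uasort() can call it. The function names, the SandboxError class and the sample array are assumptions made for this example; in a sandboxed Twig template the string-callable case corresponds to writing something like {{ items|sort('strcmp') }}.

```php
<?php
// Added example, not Twig's own code. Names below are assumptions.
declare(strict_types=1);

final class SandboxError extends RuntimeException {}

/**
 * In sandbox mode, accept only a Closure as the "arrow" callback.
 * Strings such as 'strcmp' and arrays such as [$obj, 'method'] are valid
 * PHP callables, which is exactly the problem: a template author could
 * name any PHP function and uasort() would invoke it.
 */
function checkArrowInSandbox(mixed $arrow, bool $sandboxed, string $thing): void
{
    if ($sandboxed && !$arrow instanceof Closure) {
        throw new SandboxError(sprintf(
            'The callable passed to the "%s" filter must be a Closure in sandbox mode.',
            $thing
        ));
    }
}

/**
 * Return a sorted copy of $array. When $arrow is given it is used as the
 * comparison callback, but only after the sandbox check has passed.
 */
function sortFilter(array $array, ?callable $arrow, bool $sandboxed): array
{
    if ($arrow !== null) {
        checkArrowInSandbox($arrow, $sandboxed, 'sort');
        uasort($array, $arrow);
    } else {
        asort($array);
    }

    return $array;
}

// Constructed sample input for the demonstration.
$items = ['b' => 'pear', 'a' => 'apple', 'c' => 'fig'];

// 1. A Closure is accepted both inside and outside the sandbox.
$byValue = fn(string $x, string $y): int => strcmp($x, $y);
echo implode(',', sortFilter($items, $byValue, true)), "\n";

// 2. A string callable is allowed when the environment is not sandboxed.
echo implode(',', sortFilter($items, 'strcmp', false)), "\n";

// 3. The same string callable is rejected in sandbox mode, whatever
//    function it names; the check does not care whether the target is harmless.
try {
    sortFilter($items, 'strcmp', true);
    echo "not reached\n";
} catch (SandboxError $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check is deliberately a type test rather than an allow-list of function names: a Closure can only be produced by PHP code the application author wrote, whereas a string or array callable can be assembled from template-controlled data.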
github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-23614.yaml
github.com/twigphp/Twig
github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
lists.fedoraproject.org/archives/list/[email protected]/message/I2PVV5DUTRUECTIHMTWRI5Z7DVNYQ2YO
lists.fedoraproject.org/archives/list/[email protected]/message/OTN4273U4RHVIXED64T7DSMJ3VYTPRE7
lists.fedoraproject.org/archives/list/[email protected]/message/PECHIY2XLWUH2WLCNPDGNFMPHPRPCEDZ
lists.fedoraproject.org/archives/list/[email protected]/message/SIGZCFSYLPP7UVJ4E4NLHSOQSKYNXSAD
nvd.nist.gov/vuln/detail/CVE-2022-23614
symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter
www.debian.org/security/2022/dsa-5107