August 12, 2015 Fabien Potencier

I've just released Twig 1.20.0 which contains a security vulnerability fix for Twig's Sandbox mode.

Description

Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode.

End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.

Affected Versions

All versions of Twig are affected.

How to Patch

If you cannot upgrade, you can apply the patches provided in the dedicated pull request.

Credits

I want to thank James Kettle who was the first to report a RCE security issue, Alain Tiemblo, Christophe Coevoet, and Fabien Potencier for finding more possible and dangerous RCEs.

Thank you Christophe Coevoet, Tugdual Saunier, and Fabien Potencier for providing the fixes for the various attack vectors.

Check your Project

As a quick remember, you can check your projects using Composer for vulnerability issues with the SensioLabs Security Checker.