php · twig/twig · Critical
Twig Sandbox Bypass via SourcePolicyInterface for sort/filter/map/reduce
What changed
Twig's sandbox restriction for callback-accepting filters (sort, filter, map, reduce) is not always applied when using a SourcePolicyInterface. The runtime check for non-Closure callbacks does not use the current template Source, potentially allowing arbitrary PHP callables in sandboxed templates.
Who it affects
Users of Twig who enable sandbox via a SourcePolicyInterface (not globally) and use sort, filter, map, or reduce filters with non-Closure callbacks.
What to do today
Update Twig to the patched version that makes callback sandbox checks source-aware.
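To confirm that an installed Twig enforces the Closure-only rule when the sandbox is enabled per source, the following regression check can be run after updating. It is an added example, not code from the Twig project or from this advisory; the class name `UserTemplateSourcePolicy`, the `user/` naming convention and the templates are assumptions constructed for the test, and it assumes a fixed Twig rejects non-Closure callbacks with a `RuntimeError`, as it does when the sandbox is enabled globally.

```php
<?php
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig is installed via Composer

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Hypothetical policy: only templates whose name starts with "user/" are sandboxed.
final class UserTemplateSourcePolicy implements SourcePolicyInterface
{
    public function enableSandbox(Source $source): bool
    {
        return strpos($source->getName(), 'user/') === 0;
    }
}

// Constructed input: one sandboxed template per callback filter, each passing
// a harmless string callable instead of an arrow function (Closure).
$callbacks = ['map' => "'strtoupper'", 'filter' => "'is_string'", 'sort' => "'strcmp'", 'reduce' => "'max', ''"];
$templates = [];
foreach ($callbacks as $filter => $args) {
    $templates["user/$filter.twig"] = "{{ ['b', 'a']|$filter($args)|length }}";
}

// The filters themselves are allowed; only the callback type should be refused.
$policy = new SecurityPolicy([], array_merge(array_keys($callbacks), ['length']));
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => false]);
// Sandbox is off globally (second argument) and decided per Source by the policy.
$twig->addExtension(new SandboxExtension($policy, false, new UserTemplateSourcePolicy()));

$failed = false;
foreach (array_keys($templates) as $name) {
    try {
        $twig->render($name);
        // Rendering succeeded, so the non-Closure callback was accepted.
        echo "FAIL $name: string callable accepted in a source-sandboxed template\n";
        $failed = true;
    } catch (RuntimeError $e) {
        echo "OK   $name: " . $e->getRawMessage() . "\n";
    }
}
exit($failed ? 1 : 0);
```

A non-zero exit status means at least one of the four filters still accepts non-Closure callbacks in a template that the source policy marks as sandboxed.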