Problem/Motivation

A security release for Twig was release on 2015/08/12. I believe this is an issue b/c we allow Twig tokens to be used in user input in places (eg, Views).

Proposed resolution

Update Twig.

Remaining tasks

Do it.

User interface changes

?

API changes

?

Data model changes

None.

CommentFileSizeAuthor
#4 update_to_twig_1_20-2550299-4.patch190.02 KBneclimdul
#2 2550299-01.patch181.06 KBmpdonadio
#2 2550299-composer.json-only.patch458 bytesmpdonadio

Comments

mpdonadio created an issue. See original summary.

mpdonadio’s picture

mpdonadio
he/him
Primary language English
Location Philadelphia/PA/USA (UTC-5)
commented
Status: Active » Needs review
StatusFileSize
new 2550299-composer.json-only.patch458 bytes
new 2550299-01.patch181.06 KB

Think I did this right. Just updated the composer.json, attached that for review, then did a `composer update twig/twig` and did the diff.

Status: Needs review » Needs work

The last submitted patch, 2: 2550299-01.patch, failed testing.

neclimdul’s picture

neclimdul
He/Him
commented
Status: Needs work » Needs review
StatusFileSize
new update_to_twig_1_20-2550299-4.patch190.02 KB

I think you missed the new file. Same composer change, same command, just stagged all the changes before making the diff.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Needs review » Reviewed & tested by the community

Pretty straight forward bump

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Reviewed & tested by the community » Fixed

Normally I'd hold something like this for a couple of days and ask for manual testing, but we have to do this either way due to the security nature of things, so might as well see what fallout happens sooner than later.

Committed and pushed to 8.0.x. Thanks!

  • webchick committed 8043f5c on 8.0.x 
    Issue #2550299 by mpdonadio, neclimdul: Update to Twig 1.20
dawehner’s picture

dawehner
Primary language German
commented

Variadic functions .... seriously.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.