Add secure debug output to twig trans extension

Created on 26 June 2015
Updated 18 May 2025

Problem/Motivation

#2489024: Arbitrary code execution via 'trans' extension for dynamic twig templates (when debug output is on) → removed the Twig debug output from the trans extension because the debug output allowed arbitrary PHP execution. We should find a secure way to add this back.

Proposed resolution

Figure it out in a secure way. Add tests for security.

Remaining tasks

Discuss. Add tests.

User interface changes

None.

API changes

None.

Data model changes

None.

📌 Task
Status

Postponed: needs info

Version

11.0 🔥

Component

theme system

Created by

🇭🇺 Gábor Hojtsy (Hungary)

  • D8MI

    (Drupal 8 Multilingual Initiative) is the tag used by the multilingual initiative to mark core issues (and some contributed module issues). For versions other than Drupal 8, use the i18n (Internationalization) tag on issues which involve or affect multilingual / multinational support. That is preferred over Translation.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

  • stale-issue-cleanup

    To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Comments & Activities

  • 🇺🇸 smustgrave (United States)

    Thank you for creating this issue to improve Drupal.

    We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years, which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

    Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!