Twig 2.7.0 breaks TokenParserInterface() #3983

Closed
janhenckens opened this issue Mar 12, 2019 · 11 comments

@janhenckens
Contributor

janhenckens commented Mar 12, 2019

Description

The latest version of Twig (2.7.0) deprecated the Twig_TokenParser that Craft uses in CacheTokenParser, which is causing the site & CP to crash with this error:

Declaration of craft\web\twig\tokenparsers\CacheTokenParser::parse(Twig_Token $token) must be compatible with Twig\TokenParser\TokenParserInterface::parse(Twig\Token $token)

Steps to reproduce

  1. Install twig/twig 2.7.0
  2. Navigate to the CP

Additional info

  • Craft version: 3.1.17.1
  • PHP version: 7.2.10
  • Database driver & version: 5.7

@okolvik-avento
Contributor

Declaration of craft\web\twig\tokenparsers\CacheTokenParser::parse(Twig_Token $token) must be compatible with Twig\TokenParser\TokenParserInterface::parse(Twig\Token $token)
Is the error here.

@aelvan

aelvan commented Mar 12, 2019

Can confirm that Twig 2.7 that dropped today kills Craft. A temporary workaround is adding a requirement for 2.6.2 to your project's composer.json and running composer update again.

"twig/twig": "2.6.2"

@janhenckens
Contributor Author

See this issue on the twigphp/twig repo as well twigphp/Twig#2886

@eheiser

eheiser commented Mar 12, 2019

Can confirm this also happens on new Craft installs. Ran into this just now when doing a composer install on a local machine.

@boboldehampsink
Contributor

We need 2.7.0 as 2.6.2 is not secure anymore! See https://symfony.com/blog/twig-sandbox-information-disclosure

@iparr

iparr commented Mar 12, 2019

I've tried to force 2.6.2 but…

Problem 1
    - twig/twig v2.6.2 conflicts with roave/security-advisories[dev-master].
    - roave/security-advisories dev-master conflicts with twig/twig[v2.6.2].
    - twig/twig v2.6.2 conflicts with roave/security-advisories[dev-master].
    - Installation request for twig/twig 2.6.2 -> satisfiable by twig/twig[v2.6.2].
    - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Any suggestions? This has not been a happy update!

@khalwat
Contributor

khalwat commented Mar 12, 2019

Craft version 3.1.17.2 released -> https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#31172---2019-03-12

  • Craft now requires Twig ~2.6.2

@boboldehampsink
Contributor

boboldehampsink commented Mar 12, 2019

That is not a fix! Every sane person that uses a security vulnerability checker in CI will still fail on this as 2.6.2 has a vulnerability. cc @iparr

See https://symfony.com/blog/twig-sandbox-information-disclosure

@angrybrad
Member

@boboldehampsink 3.1.17.2 and 3.0.40.1 are just stop-gaps so people's sites will stop breaking. Working on updating our custom Twig stuff for the breaking changes and will cut more releases with Twig 2.7 "real soon now". Going to go ahead and close this in the meantime.

@domstubbs

domstubbs commented Mar 12, 2019

FWIW I’ve just tried the just-released Twig 2.7.1 with Craft 3.1.17.1 and I only had to change one line in Environment.php (\Twig_Source to \Twig\Source) to get Craft working again. It looks as though the larger number of breaking changes in the initial release were unintentional.

@brandonkelly
Member

Twig ^2.7.2 is in place for the next release (2b06c7d).
