Merge branch '4.17' of https://github.com/craftcms/cms into 5.9

brandonkelly · brandonkelly · commit 354ef3ba2930 · 2026-01-02T15:03:14.000-08:00
# Conflicts:
#	CHANGELOG-WIP.md
#	src/web/View.php
#	src/web/twig/Extension.php
diff --git a/CHANGELOG-WIP.md b/CHANGELOG-WIP.md
@@ -42,6 +42,7 @@
 - `entrify` commands now automatically assign newly-created channel/structure sections to “Categories” or “Tags” pages. ([#17779](https://github.com/craftcms/cms/pull/17779))
 - The `clear-cache` command now accepts a space-delimited list of cache IDs that should be cleared.
 - Compiled templates are now deleted by the `up` command rather than from `migrate` commands.
+- Added the `enableTwigSandbox` config setting. ([#18208](https://github.com/craftcms/cms/pull/18208))
 - Added the `useIdnaNontransitionalToUnicode` config setting. ([#17946](https://github.com/craftcms/cms/pull/17946))
 - The `maxCachedCloudImageSize` config setting is now set to `0` by default. ([#17997](https://github.com/craftcms/cms/pull/17997))
 - System message emails are now rendered using GitHub-flavored Markdown. ([#18058](https://github.com/craftcms/cms/discussions/18058))
diff --git a/src/config/GeneralConfig.php b/src/config/GeneralConfig.php
@@ -1253,6 +1253,24 @@ class GeneralConfig extends BaseConfig
      */
     public bool $enableTemplateCaching = true;
 
+    /**
+     * @var bool Whether all Twig templates should be sandboxed.
+     *
+     * ::: code
+     * ```php Static Config
+     * ->enableTwigSandbox(false)
+     * ```
+     * ```shell Environment Override
+     * CRAFT_ENABLE_TWIG_SANDBOX=false
+     * ```
+     * :::
+     *
+     * @see enableTwigSandbox()
+     * @group Security
+     * @since 4.17.0
+     */
+    public bool $enableTwigSandbox = false;
+
     /**
      * @var string The prefix that should be prepended to HTTP error status codes when determining the path to look for an error’s template.
      *
@@ -4748,6 +4766,25 @@ public function enableTemplateCaching(bool $value = true): self
         return $this;
     }
 
+    /**
+     * Whether all Twig templates should be sandboxed.
+     *
+     * ```php
+     * ->enableTwigSandbox(false)
+     * ```
+     *
+     * @group Security
+     * @param bool $value
+     * @return self
+     * @see $enableTwigSandbox
+     * @since 4.17.0
+     */
+    public function enableTwigSandbox(bool $value = true): self
+    {
+        $this->enableTwigSandbox = $value;
+        return $this;
+    }
+
     /**
      * The prefix that should be prepended to HTTP error status codes when determining the path to look for an error’s template.
      *
diff --git a/src/web/View.php b/src/web/View.php
@@ -26,6 +26,7 @@
 use craft\web\twig\FeExtension;
 use craft\web\twig\GlobalsExtension;
 use craft\web\twig\SafeHtml;
+use craft\web\twig\SecurityPolicy;
 use craft\web\twig\SinglePreloaderExtension;
 use craft\web\twig\TemplateLoader;
 use Illuminate\Support\Collection;
@@ -36,6 +37,7 @@
 use Twig\Error\SyntaxError as TwigSyntaxError;
 use Twig\Extension\CoreExtension;
 use Twig\Extension\ExtensionInterface;
+use Twig\Extension\SandboxExtension;
 use Twig\Extension\StringLoaderExtension;
 use Twig\Runtime\EscaperRuntime;
 use Twig\Template as TwigTemplate;
@@ -426,6 +428,9 @@ public function createTwig(): Environment
         /** @phpstan-ignore argument.type */
         $twig->getRuntime(EscaperRuntime::class)->addSafeClass($safeClass, ['html']);
 
+        // Even an empty security policy will prevent non-closures from being allowed as arrow functions
+        $twig->addExtension(new SandboxExtension(new SecurityPolicy(), Craft::$app->getConfig()->getGeneral()->enableTwigSandbox));
+
         $twig->addExtension(new StringLoaderExtension());
         $twig->addExtension(new Extension($this, $twig));
 
diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
@@ -101,7 +101,7 @@ class Extension extends AbstractExtension implements GlobalsInterface
      */
     public static function arraySome(TwigEnvironment $env, $array, $arrow)
     {
-        self::checkArrowFunction($arrow, 'has some', 'operator');
+        CoreExtension::checkArrow($env, $arrow, 'has some', 'operator');
         return CoreExtension::arraySome($env, $array, $arrow);
     }
 
@@ -110,38 +110,10 @@ public static function arraySome(TwigEnvironment $env, $array, $arrow)
      */
     public static function arrayEvery(TwigEnvironment $env, $array, $arrow)
     {
-        self::checkArrowFunction($arrow, 'has every', 'operator');
+        CoreExtension::checkArrow($env, $arrow, 'has every', 'operator');
         return CoreExtension::arrayEvery($env, $array, $arrow);
     }
 
-    /**
-     * Called by:
-     * - has every (operator)
-     * - has some (operator)
-     * - |filter
-     * - |find
-     * - |map
-     * - |reduce
-     * - |sort
-     */
-    private static function checkArrowFunction(mixed $arrow, string $thing, string $type): void
-    {
-        if (
-            is_string($arrow) &&
-            in_array(ltrim(strtolower($arrow), '\\'), [
-                'system',
-                'passthru',
-                'exec',
-                'file_get_contents',
-                'file_put_contents',
-                'popen',
-                'call_user_func',
-            ])
-        ) {
-            throw new RuntimeError(sprintf('The "%s" %s does not support passing "%s".', $thing, $type, $arrow));
-        }
-    }
-
     /**
      * @var View|null
      */
@@ -257,7 +229,7 @@ public function getFilters(): array
             new TwigFilter('filterByValue', [ArrayHelper::class, 'where'], ['deprecation_info' => new DeprecatedCallableInfo('craftcms/cms', '3.5.0', 'where')]),
             new TwigFilter('firstWhere', [ArrayHelper::class, 'firstWhere']),
             new TwigFilter('flatten', [Arr::class, 'flatten']),
-            new TwigFilter('group', [$this, 'groupFilter']),
+            new TwigFilter('group', [$this, 'groupFilter'], ['needs_environment' => true]),
             new TwigFilter('hash', [$this, 'hashFilter']),
             new TwigFilter('httpdate', [$this, 'httpdateFilter'], ['needs_environment' => true]),
             new TwigFilter('id', [Html::class, 'id']),
@@ -537,7 +509,7 @@ public function snakeFilter(mixed $string): string
      */
     public function sortFilter(TwigEnvironment $env, iterable $array, string|callable|null $arrow = null): array
     {
-        self::checkArrowFunction($arrow, 'sort', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'sort', 'filter');
         return CoreExtension::sort($env, $array, $arrow);
     }
 
@@ -554,7 +526,7 @@ public function sortFilter(TwigEnvironment $env, iterable $array, string|callabl
      */
     public function reduceFilter(TwigEnvironment $env, mixed $array, mixed $arrow, mixed $initial = null): mixed
     {
-        self::checkArrowFunction($arrow, 'reduce', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'reduce', 'filter');
         return CoreExtension::reduce($env, $array, $arrow, $initial);
     }
 
@@ -570,7 +542,7 @@ public function reduceFilter(TwigEnvironment $env, mixed $array, mixed $arrow, m
      */
     public function mapFilter(TwigEnvironment $env, mixed $array, mixed $arrow = null): array
     {
-        self::checkArrowFunction($arrow, 'map', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'map', 'filter');
         return CoreExtension::map($env, $array, $arrow);
     }
 
@@ -695,7 +667,7 @@ public function timestampFilter(mixed $value, ?string $format = null, bool $with
      */
     public function findFilter(TwigEnvironment $env, $array, $arrow): mixed
     {
-        self::checkArrowFunction($arrow, 'find', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'find', 'filter');
         return CoreExtension::find($env, $array, $arrow);
     }
 
@@ -1172,7 +1144,7 @@ public function encencFilter(mixed $str): string
      */
     public function filterFilter(TwigEnvironment $env, iterable $arr, ?callable $arrow = null): array
     {
-        self::checkArrowFunction($arrow, 'filter', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'filter', 'filter');
 
         /** @var array|Traversable $arr */
         if ($arrow === null) {
@@ -1194,14 +1166,15 @@ public function filterFilter(TwigEnvironment $env, iterable $arr, ?callable $arr
     /**
      * Groups an array by the results of an arrow function, or value of a property.
      *
+     * @param TwigEnvironment $env
      * @param iterable $arr
      * @param callable|string $arrow The arrow function or property name that determines the group the item should be grouped in
      * @return array[] The grouped items
      * @throws RuntimeError if $arr is not of type array or Traversable
      */
-    public function groupFilter(iterable $arr, callable|string $arrow): array
+    public function groupFilter(TwigEnvironment $env, iterable $arr, callable|string $arrow): array
     {
-        self::checkArrowFunction($arrow, 'group', 'filter');
+        CoreExtension::checkArrow($env, $arrow, 'group', 'filter');
 
         $groups = [];
 
diff --git a/src/web/twig/SecurityPolicy.php b/src/web/twig/SecurityPolicy.php
@@ -0,0 +1,31 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\web\twig;
+
+use Twig\Sandbox\SecurityPolicyInterface;
+
+/**
+ * Security policy
+ *
+ * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
+ * @since 4.17.0
+ */
+class SecurityPolicy implements SecurityPolicyInterface
+{
+    public function checkSecurity($tags, $filters, $functions): void
+    {
+    }
+
+    public function checkMethodAllowed($obj, $method): void
+    {
+    }
+
+    public function checkPropertyAllowed($obj, $property): void
+    {
+    }
+}
