Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Twig 2.7.0 breaks TokenParserInterface() #3983

Closed
janhenckens opened this Issue Mar 12, 2019 · 11 comments

Comments

Projects
None yet
10 participants
@janhenckens
Copy link

janhenckens commented Mar 12, 2019

Description

The latest version of Twig (2.7.0) deprecated the Twig_TokenParser that Craft uses in CacheTokenParser, which is causing the site & CP to crash with this error:

Declaration of craft\web\twig\tokenparsers\CacheTokenParser::parse(Twig_Token $token) must be compatible with Twig\TokenParser\TokenParserInterface::parse(Twig\Token $token)

Steps to reproduce

  1. Install twig/twig 2.7.0
  2. Navigate to the CP

Additional info

  • Craft version: 3.1.17.1
  • PHP version: 7.2.10
  • Database driver & version: 5.7
@okolvik-avento

This comment has been minimized.

Copy link

okolvik-avento commented Mar 12, 2019

Declaration of craft\web\twig\tokenparsers\CacheTokenParser::parse(Twig_Token $token) must be compatible with Twig\TokenParser\TokenParserInterface::parse(Twig\Token $token)
Is the error here.

@aelvan

This comment has been minimized.

Copy link

aelvan commented Mar 12, 2019

Can confirm that Twig 2.7 that dropped today kills Craft. A temporary workaround is adding a requirement for 2.6.2 to your projects composer.json and running composer update again.

"twig/twig": "2.6.2"
@janhenckens

This comment has been minimized.

Copy link
Author

janhenckens commented Mar 12, 2019

See this issue on the twigphp/twig repo as well twigphp/Twig#2886

@eheiser

This comment has been minimized.

Copy link

eheiser commented Mar 12, 2019

Can confirm this also happens on new Craft installs. Ran into this just now when doing a composer install on a local machine.

@boboldehampsink

This comment has been minimized.

Copy link
Contributor

boboldehampsink commented Mar 12, 2019

We need 2.7.0 as 2.6.2 is not secure anymore! See https://symfony.com/blog/twig-sandbox-information-disclosure

@iparr

This comment has been minimized.

Copy link

iparr commented Mar 12, 2019

I've tried to force 2.6.2 but…

Problem 1
    - twig/twig v2.6.2 conflicts with roave/security-advisories[dev-master].
    - roave/security-advisories dev-master conflicts with twig/twig[v2.6.2].
    - twig/twig v2.6.2 conflicts with roave/security-advisories[dev-master].
    - Installation request for twig/twig 2.6.2 -> satisfiable by twig/twig[v2.6.2].
    - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].

Any suggestions? This has not been a happy update!

@khalwat

This comment has been minimized.

Copy link
Contributor

khalwat commented Mar 12, 2019

Craft version 3.1.17.2 released -> https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#31172---2019-03-12

  • Craft now requires Twig ~2.6.2
@boboldehampsink

This comment has been minimized.

Copy link
Contributor

boboldehampsink commented Mar 12, 2019

That is not a fix! Every sane person that uses a security vulnerability checker in CI will still fail on this as 2.6.2 has a vulnerability. cc @iparr

See https://symfony.com/blog/twig-sandbox-information-disclosure

@angrybrad

This comment has been minimized.

Copy link
Member

angrybrad commented Mar 12, 2019

@boboldehampsink 3.1.17.2 and 3.0.40.1 are just stop-gaps so people's sites will stop breaking. Working on updating our custom Twig stuff for the breaking changes and will cut more releases with Twig 2.7 "real soon now". Going to go ahead and close this in the meantime.

@angrybrad angrybrad closed this Mar 12, 2019

@domstubbs

This comment has been minimized.

Copy link

domstubbs commented Mar 12, 2019

FWIW I’ve just tried the just-released Twig 2.7.1 with Craft 3.1.17.1 and I only had to change one line in Environment.php (\Twig_Source to \Twig\Source) to get Craft working again. It looks as though the larger number of breaking changes in the initial release were unintentional.

@brandonkelly

This comment has been minimized.

Copy link
Member

brandonkelly commented Mar 13, 2019

Twig ^2.7.2 is in place for the next release (2b06c7d).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.