Twig Security Audit
We recently commissioned a professional security audit of Twig. SektionEins made the following comments on our code:
“We audited the Twig source code and consider the code quality very good. (…) Aside from that we could only find minor problems with the source code that are not directly security problems in Twig but might result in security problems depending on how Twig is used by other projects.”
Here is the list of problems:
1. Twig_Compiler::string($value), line 133: NUL bytes should be escaped. NUL bytes in a .php file confuse the Zend engine: zend_multibyte mode suddenly parses the file as multibyte (UTF-16, UTF-32). A malicious template might use this to inject PHP code into one of the cache files.

2. Twig_Loader_Filesystem::findTemplate($name), lines 104-132: it should be checked that the template name contains no NUL bytes. Code using Twig might feed (partial) user input into the template name, and a NUL byte truncates the path at the C level, discarding any extension the application appended and allowing arbitrary files to be read.
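The following PHP is an added example, not Twig's own code, showing the two checks the audit asks for: escaping NUL bytes when a string is emitted into a generated (cached) PHP file, and rejecting NUL bytes in a template name before the name reaches the filesystem. The function names `compileStringLiteral` and `findTemplate`, and the constructed template directory, are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Twig's code. Function names are illustrative.

/**
 * Emit a PHP string literal for a generated .php file.
 *
 * A raw NUL byte in the returned text would be written to the cache file
 * verbatim. addcslashes() turns it into the octal escape \000 (and escapes
 * the other characters that are special inside a double-quoted PHP literal),
 * so the generated source stays plain single-byte PHP and still decodes to
 * the original bytes when the cache file is included.
 */
function compileStringLiteral(string $value): string
{
    return '"' . addcslashes($value, "\0\t\"\$\\") . '"';
}

/**
 * Resolve a template name against a list of directories.
 *
 * The NUL check runs before any filesystem call: C-level path handling
 * stops at the first NUL byte, so "secret.php\0.twig" would otherwise open
 * "secret.php" and silently drop the extension the application appended.
 */
function findTemplate(array $paths, string $name): string
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('A template name cannot contain NUL bytes.');
    }

    foreach ($paths as $path) {
        $file = $path . '/' . $name;
        if (is_file($file)) {
            return $file;
        }
    }

    throw new RuntimeException(sprintf('Unable to find template "%s".', $name));
}

// --- demonstration on constructed input --------------------------------

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new LogicException('check failed: ' . $what);
    }
    echo "ok: $what\n";
}

// 1. A template string containing a NUL byte is emitted as an escape, not raw.
$literal = compileStringLiteral("hello\0world");
check($literal === '"hello\000world"', 'NUL emitted as \000 escape');
check(strpos($literal, "\0") === false, 'no raw NUL in generated source');

// 2. A constructed template directory with a single template in it.
$dir = sys_get_temp_dir() . '/twig-nul-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/index.twig', 'Hello {{ name }}');

try {
    // The legitimate name resolves normally.
    check(findTemplate([$dir], 'index.twig') === $dir . '/index.twig', 'clean name resolves');

    // A name carrying a NUL byte is rejected before any path is built.
    $rejected = false;
    try {
        findTemplate([$dir], "index.twig\0.html");
    } catch (InvalidArgumentException $e) {
        $rejected = true;
    }
    check($rejected, 'NUL byte in template name rejected');
} finally {
    unlink($dir . '/index.twig');
    rmdir($dir);
}
```

Newer PHP releases refuse paths containing NUL bytes on their own, but the explicit check still belongs in the loader: it fails with a clear error at the point where user-influenced input enters, before the name is concatenated with any directory or extension, rather than relying on the filesystem layer's behaviour.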
These problems have been fixed here.