View Issue Details

This bug affects 2 person(s).

ID: 19830
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2024-11-18 09:39
Reporter: DenisChenu
Assigned To: tibor.pacalat
Priority: none
Severity: crash
Status: assigned
Resolution: reopened
Product Version: 6.6.x
Summary: 19830: Calling "sSurveyUrl" property on a "Survey" object is not allowed in
Description

Not able to take any survey: Home page shows 500: Internal Server Error - Calling "sSurveyUrl" property on a "Survey" object is not allowed in
And manage survey: 500: Internal Server Error - Calling "isListPublic" property on a "Survey" object is not allowed in

Steps To Reproduce

Update to the last GIT version
Try to do something
Report done with vanilla theme on home page

Expected result

Work

Actual result

Don't work

Tags: No tags attached.
Attached Files
Twig_Sandbox_SecurityNotAllowedPropertyError.html (31,871 bytes)   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" data-lt-installed="true"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Twig\Sandbox\SecurityNotAllowedPropertyError</title>

</head>

<body>
<div class="container">
	<h1>Twig\Sandbox\SecurityNotAllowedPropertyError</h1>

	<p class="message">
		Calling "sSurveyUrl" property on a "Survey" object is not allowed in 
"__string_template__49d60551aa67aa57298068c9a575fdfd" at line 158.	</p>

	<div class="source">
		<p class="file">/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Sandbox/SecurityPolicy.php(121)</p>
		<div class="code"><pre><span class="ln">109</span>     public function checkPropertyAllowed($obj, $property): void
<span class="ln">110</span>     {
<span class="ln">111</span>         $allowed = false;
<span class="ln">112</span>         foreach ($this-&gt;allowedProperties as $class =&gt; $properties) {
<span class="ln">113</span>             if ($obj instanceof $class &amp;&amp; \in_array($property, \is_array($properties) ? $properties : [$properties])) {
<span class="ln">114</span>                 $allowed = true;
<span class="ln">115</span>                 break;
<span class="ln">116</span>             }
<span class="ln">117</span>         }
<span class="ln">118</span> 
<span class="ln">119</span>         if (!$allowed) {
<span class="ln">120</span>             $class = \get_class($obj);
<span class="error"><span class="ln error-ln">121</span>             throw new SecurityNotAllowedPropertyError(\sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, $class), $class, $property);
</span><span class="ln">122</span>         }
<span class="ln">123</span>     }
<span class="ln">124</span> }
</pre></div>	</div>

	<div class="traces">
		<h2>Stack Trace</h2>
				<table style="width:100%;">
						<tbody><tr class="trace app expanded">
			<td class="number">
				#0			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Extension/SandboxExtension.php(110): <strong>Twig\Sandbox\SecurityPolicy</strong>-&gt;<strong>checkPropertyAllowed</strong>()				</div>

				<div class="code"><pre><span class="ln">105</span> 
<span class="ln">106</span>     public function checkPropertyAllowed($obj, $property, int $lineno = -1, ?Source $source = null): void
<span class="ln">107</span>     {
<span class="ln">108</span>         if ($this-&gt;isSandboxed($source)) {
<span class="ln">109</span>             try {
<span class="error"><span class="ln error-ln">110</span>                 $this-&gt;policy-&gt;checkPropertyAllowed($obj, $property);
</span><span class="ln">111</span>             } catch (SecurityNotAllowedPropertyError $e) {
<span class="ln">112</span>                 $e-&gt;setSourceContext($source);
<span class="ln">113</span>                 $e-&gt;setTemplateLine($lineno);
<span class="ln">114</span> 
<span class="ln">115</span>                 throw $e;
</pre></div>			</td>
		</tr>
						<tr class="trace app expanded">
			<td class="number">
				#1			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Extension/CoreExtension.php(1576): <strong>Twig\Extension\SandboxExtension</strong>-&gt;<strong>checkPropertyAllowed</strong>()				</div>

				<div class="code"><pre><span class="ln">1571</span>         if (/* Template::METHOD_CALL */ 'method' !== $type) {
<span class="ln">1572</span>             $arrayItem = \is_bool($item) || \is_float($item) ? (int) $item : $item;
<span class="ln">1573</span> 
<span class="ln">1574</span>             if ($sandboxed &amp;&amp; $object instanceof \ArrayAccess &amp;&amp; !\in_array(get_class($object), self::ARRAY_LIKE_CLASSES, true)) {
<span class="ln">1575</span>                 try {
<span class="error"><span class="ln error-ln">1576</span>                     $env-&gt;getExtension(SandboxExtension::class)-&gt;checkPropertyAllowed($object, $arrayItem, $lineno, $source);
</span><span class="ln">1577</span>                 } catch (SecurityNotAllowedPropertyError $propertyNotAllowedError) {
<span class="ln">1578</span>                     goto methodCheck;
<span class="ln">1579</span>                 }
<span class="ln">1580</span>             }
<span class="ln">1581</span> 
</pre></div>			</td>
		</tr>
						<tr class="trace app expanded">
			<td class="number">
				#2			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(285): <strong>Twig\Extension\CoreExtension</strong>::<strong>getAttribute</strong>()				</div>

				<div class="code"><pre><span class="ln">280</span>             yield $this-&gt;sandbox-&gt;ensureToStringAllowed(CoreExtension::getAttribute($this-&gt;env, $this-&gt;source, CoreExtension::getAttribute($this-&gt;env, $this-&gt;source, ($context["aSurveyInfo"] ?? null), "attr", [], "any", false, false, true, 156), "surveylistrowdivbdivulli", [], "any", false, false, true, 156), 156, $this-&gt;source);
<span class="ln">281</span>             yield "&gt;
<span class="ln">282</span>                                                     &lt;a
<span class="ln">283</span>                                                         href=\"";
<span class="ln">284</span>             // line 158
<span class="error"><span class="ln error-ln">285</span>             yield $this-&gt;sandbox-&gt;ensureToStringAllowed(CoreExtension::getAttribute($this-&gt;env, $this-&gt;source, $context["oSurvey"], "sSurveyUrl", [], "any", false, false, true, 158), 158, $this-&gt;source);
</span><span class="ln">286</span>             yield "\"
<span class="ln">287</span>                                                         title=\"";
<span class="ln">288</span>             // line 159
<span class="ln">289</span>             yield gT("Start survey");
<span class="ln">290</span>             yield "\"
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#3			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(430): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-&gt;<strong>block_content</strong>()				</div>

				<div class="code"><pre><span class="ln">425</span>                 }
<span class="ln">426</span> 
<span class="ln">427</span>                 $level = ob_get_level();
<span class="ln">428</span>                 ob_start();
<span class="ln">429</span> 
<span class="error"><span class="ln error-ln">430</span>                 foreach ($template-&gt;$block($context, $blocks) as $data) {
</span><span class="ln">431</span>                     if (ob_get_length()) {
<span class="ln">432</span>                         $data = ob_get_clean().$data;
<span class="ln">433</span>                         ob_start();
<span class="ln">434</span>                     }
<span class="ln">435</span> 
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#4			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(144): <strong>Twig\Template</strong>-&gt;<strong>yieldBlock</strong>()				</div>

				<div class="code"><pre><span class="ln">139</span>         yield "
<span class="ln">140</span> 
<span class="ln">141</span>             ";
<span class="ln">142</span>         // line 114
<span class="ln">143</span>         yield "            ";
<span class="error"><span class="ln error-ln">144</span>         yield from $this-&gt;unwrap()-&gt;yieldBlock('content', $context, $blocks);
</span><span class="ln">145</span>         // line 205
<span class="ln">146</span>         yield "
<span class="ln">147</span> 
<span class="ln">148</span>             ";
<span class="ln">149</span>         // line 208
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#5			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(430): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-&gt;<strong>block_body</strong>()				</div>

				<div class="code"><pre><span class="ln">425</span>                 }
<span class="ln">426</span> 
<span class="ln">427</span>                 $level = ob_get_level();
<span class="ln">428</span>                 ob_start();
<span class="ln">429</span> 
<span class="error"><span class="ln error-ln">430</span>                 foreach ($template-&gt;$block($context, $blocks) as $data) {
</span><span class="ln">431</span>                     if (ob_get_length()) {
<span class="ln">432</span>                         $data = ob_get_clean().$data;
<span class="ln">433</span>                         ob_start();
<span class="ln">434</span>                     }
<span class="ln">435</span> 
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#6			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(108): <strong>Twig\Template</strong>-&gt;<strong>yieldBlock</strong>()				</div>

				<div class="code"><pre><span class="ln">103</span>         // line 105
<span class="ln">104</span>         yield $this-&gt;sandbox-&gt;ensureToStringAllowed(CoreExtension::getAttribute($this-&gt;env, $this-&gt;source, CoreExtension::getAttribute($this-&gt;env, $this-&gt;source, ($context["aSurveyInfo"] ?? null), "id", [], "any", false, false, true, 105), "dynamicreload", [], "any", false, false, true, 105), 105, $this-&gt;source);
<span class="ln">105</span>         yield "\"&gt;
<span class="ln">106</span>         ";
<span class="ln">107</span>         // line 106
<span class="error"><span class="ln error-ln">108</span>         yield from $this-&gt;unwrap()-&gt;yieldBlock('body', $context, $blocks);
</span><span class="ln">109</span>         // line 211
<span class="ln">110</span>         yield "    &lt;/div&gt;
<span class="ln">111</span> &lt;/article&gt;
<span class="ln">112</span> ";
<span class="ln">113</span>         // line 213
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#7			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(360): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-&gt;<strong>doDisplay</strong>()				</div>

				<div class="code"><pre><span class="ln">355</span>             }
<span class="ln">356</span> 
<span class="ln">357</span>             $level = ob_get_level();
<span class="ln">358</span>             ob_start();
<span class="ln">359</span> 
<span class="error"><span class="ln error-ln">360</span>             foreach ($this-&gt;doDisplay($context, $blocks) as $data) {
</span><span class="ln">361</span>                 if (ob_get_length()) {
<span class="ln">362</span>                     $data = ob_get_clean().$data;
<span class="ln">363</span>                     ob_start();
<span class="ln">364</span>                 }
<span class="ln">365</span> 
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#8			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(335): <strong>Twig\Template</strong>-&gt;<strong>yield</strong>()				</div>

				<div class="code"><pre><span class="ln">330</span>     }
<span class="ln">331</span> 
<span class="ln">332</span>     public function render(array $context): string
<span class="ln">333</span>     {
<span class="ln">334</span>         $content = '';
<span class="error"><span class="ln error-ln">335</span>         foreach ($this-&gt;yield($context) as $data) {
</span><span class="ln">336</span>             $content .= $data;
<span class="ln">337</span>         }
<span class="ln">338</span> 
<span class="ln">339</span>         return $content;
<span class="ln">340</span>     }
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#9			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/twig/twig/src/TemplateWrapper.php(38): <strong>Twig\Template</strong>-&gt;<strong>render</strong>()				</div>

				<div class="code"><pre><span class="ln">33</span>         $this-&gt;template = $template;
<span class="ln">34</span>     }
<span class="ln">35</span> 
<span class="ln">36</span>     public function render(array $context = []): string
<span class="ln">37</span>     {
<span class="error"><span class="ln error-ln">38</span>         return $this-&gt;template-&gt;render($context);
</span><span class="ln">39</span>     }
<span class="ln">40</span> 
<span class="ln">41</span>     public function display(array $context = [])
<span class="ln">42</span>     {
<span class="ln">43</span>         // using func_get_args() allows to not expose the blocks argument
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#10			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/application/core/LSETwigViewRenderer.php(519): <strong>Twig\TemplateWrapper</strong>-&gt;<strong>render</strong>()				</div>

				<div class="code"><pre><span class="ln">514</span>             list($sString, $aData) = $this-&gt;getPluginsData($sString, $aData);
<span class="ln">515</span>         }
<span class="ln">516</span> 
<span class="ln">517</span>         // Twig rendering
<span class="ln">518</span>         $oTwigTemplate = $twig-&gt;createTemplate($sString);
<span class="error"><span class="ln error-ln">519</span>         $sHtml         = $oTwigTemplate-&gt;render($aData, false);
</span><span class="ln">520</span> 
<span class="ln">521</span>         return $sHtml;
<span class="ln">522</span>     }
<span class="ln">523</span> 
<span class="ln">524</span>     /**
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#11			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/application/core/LSETwigViewRenderer.php(72): <strong>LSETwigViewRenderer</strong>-&gt;<strong>convertTwigToHtml</strong>()				</div>

				<div class="code"><pre><span class="ln">67</span>     {
<span class="ln">68</span>         $oTemplate = Template::getLastInstance();
<span class="ln">69</span>         $oLayoutTemplate = $this-&gt;getTemplateForView($sLayout, $oTemplate);
<span class="ln">70</span>         if ($oLayoutTemplate) {
<span class="ln">71</span>             $line       = file_get_contents($oLayoutTemplate-&gt;viewPath . $sLayout);
<span class="error"><span class="ln error-ln">72</span>             $sHtml      = $this-&gt;convertTwigToHtml($line, $aData, $oTemplate);
</span><span class="ln">73</span>             $sEmHiddenInputs = LimeExpressionManager::FinishProcessPublicPage(true);
<span class="ln">74</span>             if ($sEmHiddenInputs) {
<span class="ln">75</span>                 $sHtml = str_replace(
<span class="ln">76</span>                     "&lt;!-- emScriptsAndHiddenInputs --&gt;",
<span class="ln">77</span>                     "&lt;!-- emScriptsAndHiddenInputs updated --&gt;\n" .
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#12			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/application/controllers/SurveysController.php(63): <strong>LSETwigViewRenderer</strong>-&gt;<strong>renderTemplateFromFile</strong>()				</div>

				<div class="code"><pre><span class="ln">58</span>         // maintenance mode
<span class="ln">59</span>         $sMaintenanceMode = getGlobalSetting('maintenancemode');
<span class="ln">60</span>         if ($sMaintenanceMode == 'hard' || $sMaintenanceMode == 'soft') {
<span class="ln">61</span>             Yii::app()-&gt;twigRenderer-&gt;renderTemplateFromFile("layout_maintenance.twig", array('aSurveyInfo' =&gt; $aData), false);
<span class="ln">62</span>         } else {
<span class="error"><span class="ln error-ln">63</span>             Yii::app()-&gt;twigRenderer-&gt;renderTemplateFromFile("layout_survey_list.twig", array('aSurveyInfo' =&gt; $aData), false);
</span><span class="ln">64</span>         }
<span class="ln">65</span>     }
<span class="ln">66</span> 
<span class="ln">67</span>     /**
<span class="ln">68</span>      * System error : only 404 error are managed here (2016-11-29)
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#13			</td>
			<td class="content">
				<div class="trace-file">
										&nbsp;unknown(0): <strong>SurveysController</strong>-&gt;<strong>actionPublicList</strong>()				</div>

							</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#14			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/actions/CAction.php(114): <strong>ReflectionMethod</strong>-&gt;<strong>invokeArgs</strong>()				</div>

				<div class="code"><pre><span class="ln">109</span>             elseif($param-&gt;isDefaultValueAvailable())
<span class="ln">110</span>                 $ps[]=$param-&gt;getDefaultValue();
<span class="ln">111</span>             else
<span class="ln">112</span>                 return false;
<span class="ln">113</span>         }
<span class="error"><span class="ln error-ln">114</span>         $method-&gt;invokeArgs($object,$ps);
</span><span class="ln">115</span>         return true;
<span class="ln">116</span>     }
<span class="ln">117</span> }
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#15			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/actions/CInlineAction.php(47): <strong>CAction</strong>-&gt;<strong>runWithParamsInternal</strong>()				</div>

				<div class="code"><pre><span class="ln">42</span>     {
<span class="ln">43</span>         $methodName='action'.$this-&gt;getId();
<span class="ln">44</span>         $controller=$this-&gt;getController();
<span class="ln">45</span>         $method=new ReflectionMethod($controller, $methodName);
<span class="ln">46</span>         if($method-&gt;getNumberOfParameters()&gt;0)
<span class="error"><span class="ln error-ln">47</span>             return $this-&gt;runWithParamsInternal($controller, $method, $params);
</span><span class="ln">48</span> 
<span class="ln">49</span>         $controller-&gt;$methodName();
<span class="ln">50</span>         return true;
<span class="ln">51</span>     }
<span class="ln">52</span> }
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#16			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(308): <strong>CInlineAction</strong>-&gt;<strong>runWithParams</strong>()				</div>

				<div class="code"><pre><span class="ln">303</span>     {
<span class="ln">304</span>         $priorAction=$this-&gt;_action;
<span class="ln">305</span>         $this-&gt;_action=$action;
<span class="ln">306</span>         if($this-&gt;beforeAction($action))
<span class="ln">307</span>         {
<span class="error"><span class="ln error-ln">308</span>             if($action-&gt;runWithParams($this-&gt;getActionParams())===false)
</span><span class="ln">309</span>                 $this-&gt;invalidActionParams($action);
<span class="ln">310</span>             else
<span class="ln">311</span>                 $this-&gt;afterAction($action);
<span class="ln">312</span>         }
<span class="ln">313</span>         $this-&gt;_action=$priorAction;
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#17			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(286): <strong>CController</strong>-&gt;<strong>runAction</strong>()				</div>

				<div class="code"><pre><span class="ln">281</span>      * @see runAction
<span class="ln">282</span>      */
<span class="ln">283</span>     public function runActionWithFilters($action,$filters)
<span class="ln">284</span>     {
<span class="ln">285</span>         if(empty($filters))
<span class="error"><span class="ln error-ln">286</span>             $this-&gt;runAction($action);
</span><span class="ln">287</span>         else
<span class="ln">288</span>         {
<span class="ln">289</span>             $priorAction=$this-&gt;_action;
<span class="ln">290</span>             $this-&gt;_action=$action;
<span class="ln">291</span>             CFilterChain::create($this,$action,$filters)-&gt;run();
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#18			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(265): <strong>CController</strong>-&gt;<strong>runActionWithFilters</strong>()				</div>

				<div class="code"><pre><span class="ln">260</span>         {
<span class="ln">261</span>             if(($parent=$this-&gt;getModule())===null)
<span class="ln">262</span>                 $parent=Yii::app();
<span class="ln">263</span>             if($parent-&gt;beforeControllerAction($this,$action))
<span class="ln">264</span>             {
<span class="error"><span class="ln error-ln">265</span>                 $this-&gt;runActionWithFilters($action,$this-&gt;filters());
</span><span class="ln">266</span>                 $parent-&gt;afterControllerAction($this,$action);
<span class="ln">267</span>             }
<span class="ln">268</span>         }
<span class="ln">269</span>         else
<span class="ln">270</span>             $this-&gt;missingAction($actionID);
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#19			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CWebApplication.php(282): <strong>CController</strong>-&gt;<strong>run</strong>()				</div>

				<div class="code"><pre><span class="ln">277</span>         {
<span class="ln">278</span>             list($controller,$actionID)=$ca;
<span class="ln">279</span>             $oldController=$this-&gt;_controller;
<span class="ln">280</span>             $this-&gt;_controller=$controller;
<span class="ln">281</span>             $controller-&gt;init();
<span class="error"><span class="ln error-ln">282</span>             $controller-&gt;run($actionID);
</span><span class="ln">283</span>             $this-&gt;_controller=$oldController;
<span class="ln">284</span>         }
<span class="ln">285</span>         else
<span class="ln">286</span>             throw new CHttpException(404,Yii::t('yii','Unable to resolve the request "{route}".',
<span class="ln">287</span>                 array('{route}'=&gt;$route===''?$this-&gt;defaultController:$route)));
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#20			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CWebApplication.php(141): <strong>CWebApplication</strong>-&gt;<strong>runController</strong>()				</div>

				<div class="code"><pre><span class="ln">136</span>             foreach(array_splice($this-&gt;catchAllRequest,1) as $name=&gt;$value)
<span class="ln">137</span>                 $_GET[$name]=$value;
<span class="ln">138</span>         }
<span class="ln">139</span>         else
<span class="ln">140</span>             $route=$this-&gt;getUrlManager()-&gt;parseUrl($this-&gt;getRequest());
<span class="error"><span class="ln error-ln">141</span>         $this-&gt;runController($route);
</span><span class="ln">142</span>     }
<span class="ln">143</span> 
<span class="ln">144</span>     /**
<span class="ln">145</span>      * Registers the core application components.
<span class="ln">146</span>      * This method overrides the parent implementation by registering additional core components.
</pre></div>			</td>
		</tr>
						<tr class="trace core collapsed">
			<td class="number">
				#21			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/base/CApplication.php(185): <strong>CWebApplication</strong>-&gt;<strong>processRequest</strong>()				</div>

				<div class="code"><pre><span class="ln">180</span>     public function run()
<span class="ln">181</span>     {
<span class="ln">182</span>         if($this-&gt;hasEventHandler('onBeginRequest'))
<span class="ln">183</span>             $this-&gt;onBeginRequest(new CEvent($this));
<span class="ln">184</span>         register_shutdown_function(array($this,'end'),0,false);
<span class="error"><span class="ln error-ln">185</span>         $this-&gt;processRequest();
</span><span class="ln">186</span>         if($this-&gt;hasEventHandler('onEndRequest'))
<span class="ln">187</span>             $this-&gt;onEndRequest(new CEvent($this));
<span class="ln">188</span>     }
<span class="ln">189</span> 
<span class="ln">190</span>     /**
</pre></div>			</td>
		</tr>
						<tr class="trace app collapsed">
			<td class="number">
				#22			</td>
			<td class="content">
				<div class="trace-file">
											<div class="plus">+</div>
						<div class="minus">–</div>
										&nbsp;/media/shnoulle/data/webdev/master/index.php(161): <strong>CApplication</strong>-&gt;<strong>run</strong>()				</div>

				<div class="code"><pre><span class="ln">156</span> require_once APPPATH . 'core/LSYii_Application' . EXT;
<span class="ln">157</span> 
<span class="ln">158</span> $config = require_once(APPPATH . 'config/internal' . EXT);
<span class="ln">159</span> 
<span class="ln">160</span> Yii::$enableIncludePath = false;
<span class="error"><span class="ln error-ln">161</span> Yii::createApplication('LSYii_Application', $config)-&gt;run();
</span><span class="ln">162</span> 
<span class="ln">163</span> /* End of file index.php */
<span class="ln">164</span> /* Location: ./index.php */
</pre></div>			</td>
		</tr>
				</tbody></table>
	</div>

	<div class="version">
		2024-11-10 18:51:41 nginx/1.22.1 <a href="https://www.yiiframework.com/">Yii Framework</a>/1.1.30	</div>
</div>

</body></html>
Bug heat: 10
Complete LimeSurvey version number (& build): https://github.com/LimeSurvey/LimeSurvey/commit/0a4979a3a403aa990e6c271a274fe50791a59de8
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Users monitoring this issue

IrishWolf

Activities

DenisChenu

2024-11-10 19:52

developer   ~81367

https://master.sondages.pro/ without debug

DenisChenu

2024-11-10 19:55

developer   ~81368

https://github.com/LimeSurvey/LimeSurvey/blob/0a4979a3a403aa990e6c271a274fe50791a59de8/vendor/twig/twig/CHANGELOG#L7

[BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects

DenisChenu

2024-11-12 18:42

developer   ~81372

http://webdev.local/master/index.php?r=surveyAdministration/view&iSurveyID=616779

500 : Erreur interne au serveur - Calling "isListPublic" property on a "Survey" object is not allowed in "__string_template__7856a6190c7974db24c0cec927d042ba" at line 38.

I don't understand: this must break the tests

DenisChenu

2024-11-18 09:35

developer   ~81405

Still have https://master.sondages.pro/
500: Internal Server Error - Calling "localizedTitle" property on a "Survey" object is not allowed in "__string_template__dde778de3d198576d4b0338cdf9cc2b5" at line 164.

DenisChenu

2024-11-18 09:36

developer   ~81406

PHP 8.1.25 here.
Cache reset (just deleted the whole tmp/runtime)

DenisChenu

2024-11-18 09:39

developer   ~81407

ALL public properties must be added: they can be used in another template (here it's a core template).

For example Template.author or Template.last_update
If a theme uses it, we need to show it, else we break semver
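
The allowlist behaviour discussed in this report, as an added example (not LimeSurvey's code or configuration): Twig's sandbox rejects any property that is missing from the security policy, and a small audit lists the public properties a theme could reference that the policy omits. `DemoSurvey`, its values, the allowlist and the helper names are constructed for illustration; the script assumes twig/twig is installed through Composer.

```php
<?php
// Added example. Assumes twig/twig is installed via Composer in ./vendor.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical stand-in model; this is not LimeSurvey's Survey class.
class DemoSurvey
{
    public $sid = 616779;
    public $localizedTitle = 'Demo survey';
    public $isListPublic = true;
}

// Constructed allowlist that deliberately omits two public properties.
$allowedProperties = ['DemoSurvey' => ['sid']];

// Audit: public properties of $class that the policy would reject in a template.
function missingFromAllowlist(string $class, array $allowed): array
{
    $public = array_keys(get_class_vars($class)); // public only when called from outside the class
    return array_values(array_diff($public, $allowed[$class] ?? []));
}

// Render one template under a global sandbox; report a blocked property instead of a 500.
function renderSandboxed(string $source, array $allowedProperties): string
{
    // Argument order: tags, filters, methods, properties, functions.
    $policy = new SecurityPolicy([], ['escape'], [], $allowedProperties, []);
    $twig = new Environment(new ArrayLoader(['page' => $source]));
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template
    try {
        return $twig->render('page', ['survey' => new DemoSurvey()]);
    } catch (SecurityNotAllowedPropertyError $e) {
        return 'blocked: ' . $e->getMessage();
    }
}

print_r(missingFromAllowlist('DemoSurvey', $allowedProperties));
echo renderSandboxed('{{ survey.sid }}', $allowedProperties), "\n";
echo renderSandboxed('{{ survey.localizedTitle }}', $allowedProperties), "\n";
```

Properties that an application exposes through magic getters are not visible to `get_class_vars`, so an audit of such a model needs its own list of exposed names.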

Related Changesets

LimeSurvey: master b1a9dcdf

2024-11-14 14:25

mohabmes

Committer: GitHub


Dev: Add sSurveyUrl & other vars to sandboxConfig survey properties due to new Twig security policy
Affected Issues: 19830
mod - application/config/internal.php
mod - tests/functional/acceptance/15997-ip-anonymize/IpAddressAnonymizeTest.php
mod - tests/functional/backend/QuestionThemeTest.php

Issue History

Date Modified Username Field Change
2024-11-10 19:52 DenisChenu New Issue
2024-11-10 19:52 DenisChenu File Added: Twig_Sandbox_SecurityNotAllowedPropertyError.html
2024-11-10 19:52 DenisChenu Assigned To => tibor.pacalat
2024-11-10 19:52 DenisChenu Status new => assigned
2024-11-10 19:52 DenisChenu Note Added: 81367
2024-11-10 19:52 DenisChenu Bug heat 0 => 2
2024-11-10 19:55 DenisChenu Note Added: 81368
2024-11-12 12:31 IrishWolf Issue Monitored: IrishWolf
2024-11-12 12:31 IrishWolf Bug heat 2 => 4
2024-11-12 12:32 guest Bug heat 4 => 10
2024-11-12 18:42 DenisChenu Note Added: 81372
2024-11-14 13:26 c_schmitz Status assigned => resolved
2024-11-14 13:26 c_schmitz Resolution open => fixed
2024-11-14 13:27 c_schmitz Changeset attached => LimeSurvey master b1a9dcdf
2024-11-18 09:35 DenisChenu Note Added: 81405
2024-11-18 09:35 DenisChenu Status resolved => feedback
2024-11-18 09:35 DenisChenu Resolution fixed => reopened
2024-11-18 09:36 DenisChenu Note Added: 81406
2024-11-18 09:36 DenisChenu Status feedback => assigned
2024-11-18 09:39 DenisChenu Note Added: 81407