19830: Calling "sSurveyUrl" property on a "Survey" object is not allowed in

This bug affects 2 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

19830	Bug reports	Survey taking	public	2024-11-10 19:52	2024-11-18 09:39

Reporter	DenisChenu	Assigned To	tibor.pacalat
Priority	none	Severity	crash
Status	assigned	Resolution	reopened
Product Version	6.6.x

Summary	19830: Calling "sSurveyUrl" property on a "Survey" object is not allowed in
Description	Not able to take any survey : Home page show 500: Internal Server Error - Calling "sSurveyUrl" property on a "Survey" object is not allowed in And manage survey ; 500: Internal Server Error - Calling "isListPublic" property on a "Survey" object is not allowed in
Steps To Reproduce	Steps to reproduce Update to the last GIT version Try to do something Report done with vanilla theme on home page Expected result Work Actual result Don't work
Tags	No tags attached.
Attached Files	Twig_Sandbox_SecurityNotAllowedPropertyError.html (31,871 bytes) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" data-lt-installed="true"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Twig\Sandbox\SecurityNotAllowedPropertyError</title> <style type="text/css"> /<![CDATA[/ html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,font,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td{border:0;outline:0;font-size:100%;vertical-align:baseline;background:transparent;margin:0;padding:0;} body{line-height:1;} ol,ul{list-style:none;} blockquote,q{quotes:none;} blockquote:before,blockquote:after,q:before,q:after{content:none;} :focus{outline:0;} ins{text-decoration:none;} del{text-decoration:line-through;} table{border-collapse:collapse;border-spacing:0;} body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 { font: normal 18pt "Verdana"; color: #f00; margin-bottom: .5em; } h2 { font: normal 14pt "Verdana"; color: #800000; margin-bottom: .5em; } h3 { font: bold 11pt "Verdana"; } pre { font: normal 11pt Menlo, Consolas, "Lucida Console", Monospace; } pre span.error { display: block; background: #fce3e3; } pre span.ln { color: #999; padding-right: 0.5em; border-right: 1px solid #ccc; } pre span.error-ln { font-weight: bold; } .container { margin: 1em 4em; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } .message { color: #000; padding: 1em; font-size: 11pt; background: #f3f3f3; -webkit-border-radius: 10px; -moz-border-radius: 10px; border-radius: 10px; margin-bottom: 1em; line-height: 160%; } .source { margin-bottom: 1em; } .code pre { background-color: #ffe; margin: 0.5em 0; padding: 0.5em; line-height: 125%; border: 1px solid #eee; } .source .file { margin-bottom: 1em; font-weight: bold; } .traces { margin: 2em 0; } .trace { margin: 0.5em 0; padding: 0.5em; } .trace.app { border: 1px dashed #c00; } .trace .number { text-align: right; width: 2em; padding: 0.5em; } .trace .content { padding: 0.5em; } .trace .plus, .trace .minus { display:inline; vertical-align:middle; text-align:center; border:1px solid #000; color:#000; font-size:10px; line-height:10px; margin:0; padding:0 1px; width:10px; height:10px; } .trace.collapsed .minus, .trace.expanded .plus, .trace.collapsed pre { display: none; } .trace-file { cursor: pointer; padding: 0.2em; } .trace-file:hover { background: #f0ffff; } /]]>/ </style> </head> <body> <div class="container"> <h1>Twig\Sandbox\SecurityNotAllowedPropertyError</h1> <p class="message"> Calling "sSurveyUrl" property on a "Survey" object is not allowed in "__string_template__49d60551aa67aa57298068c9a575fdfd" at line 158. </p> <div class="source"> <p class="file">/media/shnoulle/data/webdev/master/vendor/twig/twig/src/Sandbox/SecurityPolicy.php(121)</p> <div class="code"><pre><span class="ln">109</span> public function checkPropertyAllowed($obj, $property): void <span class="ln">110</span> { <span class="ln">111</span> $allowed = false; <span class="ln">112</span> foreach ($this->allowedProperties as $class => $properties) { <span class="ln">113</span> if ($obj instanceof $class && \in_array($property, \is_array($properties) ? $properties : [$properties])) { <span class="ln">114</span> $allowed = true; <span class="ln">115</span> break; <span class="ln">116</span> } <span class="ln">117</span> } <span class="ln">118</span> <span class="ln">119</span> if (!$allowed) { <span class="ln">120</span> $class = \get_class($obj); <span class="error"><span class="ln error-ln">121</span> throw new SecurityNotAllowedPropertyError(\sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, $class), $class, $property); </span><span class="ln">122</span> } <span class="ln">123</span> } <span class="ln">124</span> } </pre></div> </div> <div class="traces"> <h2>Stack Trace</h2> <table style="width:100%;"> <tbody><tr class="trace app expanded"> <td class="number"> #0 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Extension/SandboxExtension.php(110): <strong>Twig\Sandbox\SecurityPolicy</strong>-><strong>checkPropertyAllowed</strong>() </div> <div class="code"><pre><span class="ln">105</span> <span class="ln">106</span> public function checkPropertyAllowed($obj, $property, int $lineno = -1, ?Source $source = null): void <span class="ln">107</span> { <span class="ln">108</span> if ($this->isSandboxed($source)) { <span class="ln">109</span> try { <span class="error"><span class="ln error-ln">110</span> $this->policy->checkPropertyAllowed($obj, $property); </span><span class="ln">111</span> } catch (SecurityNotAllowedPropertyError $e) { <span class="ln">112</span> $e->setSourceContext($source); <span class="ln">113</span> $e->setTemplateLine($lineno); <span class="ln">114</span> <span class="ln">115</span> throw $e; </pre></div> </td> </tr> <tr class="trace app expanded"> <td class="number"> #1 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Extension/CoreExtension.php(1576): <strong>Twig\Extension\SandboxExtension</strong>-><strong>checkPropertyAllowed</strong>() </div> <div class="code"><pre><span class="ln">1571</span> if (/* Template::METHOD_CALL / 'method' !== $type) { <span class="ln">1572</span> $arrayItem = \is_bool($item) \|\| \is_float($item) ? (int) $item : $item; <span class="ln">1573</span> <span class="ln">1574</span> if ($sandboxed && $object instanceof \ArrayAccess && !\in_array(get_class($object), self::ARRAY_LIKE_CLASSES, true)) { <span class="ln">1575</span> try { <span class="error"><span class="ln error-ln">1576</span> $env->getExtension(SandboxExtension::class)->checkPropertyAllowed($object, $arrayItem, $lineno, $source); </span><span class="ln">1577</span> } catch (SecurityNotAllowedPropertyError $propertyNotAllowedError) { <span class="ln">1578</span> goto methodCheck; <span class="ln">1579</span> } <span class="ln">1580</span> } <span class="ln">1581</span> </pre></div> </td> </tr> <tr class="trace app expanded"> <td class="number"> #2 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(285): <strong>Twig\Extension\CoreExtension</strong>::<strong>getAttribute</strong>() </div> <div class="code"><pre><span class="ln">280</span> yield $this->sandbox->ensureToStringAllowed(CoreExtension::getAttribute($this->env, $this->source, CoreExtension::getAttribute($this->env, $this->source, ($context["aSurveyInfo"] ?? null), "attr", [], "any", false, false, true, 156), "surveylistrowdivbdivulli", [], "any", false, false, true, 156), 156, $this->source); <span class="ln">281</span> yield "> <span class="ln">282</span> <a <span class="ln">283</span> href=\""; <span class="ln">284</span> // line 158 <span class="error"><span class="ln error-ln">285</span> yield $this->sandbox->ensureToStringAllowed(CoreExtension::getAttribute($this->env, $this->source, $context["oSurvey"], "sSurveyUrl", [], "any", false, false, true, 158), 158, $this->source); </span><span class="ln">286</span> yield "\" <span class="ln">287</span> title=\""; <span class="ln">288</span> // line 159 <span class="ln">289</span> yield gT("Start survey"); <span class="ln">290</span> yield "\" </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #3 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(430): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-><strong>block_content</strong>() </div> <div class="code"><pre><span class="ln">425</span> } <span class="ln">426</span> <span class="ln">427</span> $level = ob_get_level(); <span class="ln">428</span> ob_start(); <span class="ln">429</span> <span class="error"><span class="ln error-ln">430</span> foreach ($template->$block($context, $blocks) as $data) { </span><span class="ln">431</span> if (ob_get_length()) { <span class="ln">432</span> $data = ob_get_clean().$data; <span class="ln">433</span> ob_start(); <span class="ln">434</span> } <span class="ln">435</span> </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #4 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(144): <strong>Twig\Template</strong>-><strong>yieldBlock</strong>() </div> <div class="code"><pre><span class="ln">139</span> yield " <span class="ln">140</span> <span class="ln">141</span> "; <span class="ln">142</span> // line 114 <span class="ln">143</span> yield " "; <span class="error"><span class="ln error-ln">144</span> yield from $this->unwrap()->yieldBlock('content', $context, $blocks); </span><span class="ln">145</span> // line 205 <span class="ln">146</span> yield " <span class="ln">147</span> <span class="ln">148</span> "; <span class="ln">149</span> // line 208 </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #5 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(430): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-><strong>block_body</strong>() </div> <div class="code"><pre><span class="ln">425</span> } <span class="ln">426</span> <span class="ln">427</span> $level = ob_get_level(); <span class="ln">428</span> ob_start(); <span class="ln">429</span> <span class="error"><span class="ln error-ln">430</span> foreach ($template->$block($context, $blocks) as $data) { </span><span class="ln">431</span> if (ob_get_length()) { <span class="ln">432</span> $data = ob_get_clean().$data; <span class="ln">433</span> ob_start(); <span class="ln">434</span> } <span class="ln">435</span> </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #6 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/tmp/runtime/twig_cache/aa/aa11a0758884fd6f3c0b22d9314a7caa.php(108): <strong>Twig\Template</strong>-><strong>yieldBlock</strong>() </div> <div class="code"><pre><span class="ln">103</span> // line 105 <span class="ln">104</span> yield $this->sandbox->ensureToStringAllowed(CoreExtension::getAttribute($this->env, $this->source, CoreExtension::getAttribute($this->env, $this->source, ($context["aSurveyInfo"] ?? null), "id", [], "any", false, false, true, 105), "dynamicreload", [], "any", false, false, true, 105), 105, $this->source); <span class="ln">105</span> yield "\"> <span class="ln">106</span> "; <span class="ln">107</span> // line 106 <span class="error"><span class="ln error-ln">108</span> yield from $this->unwrap()->yieldBlock('body', $context, $blocks); </span><span class="ln">109</span> // line 211 <span class="ln">110</span> yield " </div> <span class="ln">111</span> </article> <span class="ln">112</span> "; <span class="ln">113</span> // line 213 </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #7 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(360): <strong>__TwigTemplate_1f46ea44ded24ae89312651216062761</strong>-><strong>doDisplay</strong>() </div> <div class="code"><pre><span class="ln">355</span> } <span class="ln">356</span> <span class="ln">357</span> $level = ob_get_level(); <span class="ln">358</span> ob_start(); <span class="ln">359</span> <span class="error"><span class="ln error-ln">360</span> foreach ($this->doDisplay($context, $blocks) as $data) { </span><span class="ln">361</span> if (ob_get_length()) { <span class="ln">362</span> $data = ob_get_clean().$data; <span class="ln">363</span> ob_start(); <span class="ln">364</span> } <span class="ln">365</span> </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #8 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/Template.php(335): <strong>Twig\Template</strong>-><strong>yield</strong>() </div> <div class="code"><pre><span class="ln">330</span> } <span class="ln">331</span> <span class="ln">332</span> public function render(array $context): string <span class="ln">333</span> { <span class="ln">334</span> $content = ''; <span class="error"><span class="ln error-ln">335</span> foreach ($this->yield($context) as $data) { </span><span class="ln">336</span> $content .= $data; <span class="ln">337</span> } <span class="ln">338</span> <span class="ln">339</span> return $content; <span class="ln">340</span> } </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #9 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/twig/twig/src/TemplateWrapper.php(38): <strong>Twig\Template</strong>-><strong>render</strong>() </div> <div class="code"><pre><span class="ln">33</span> $this->template = $template; <span class="ln">34</span> } <span class="ln">35</span> <span class="ln">36</span> public function render(array $context = []): string <span class="ln">37</span> { <span class="error"><span class="ln error-ln">38</span> return $this->template->render($context); </span><span class="ln">39</span> } <span class="ln">40</span> <span class="ln">41</span> public function display(array $context = []) <span class="ln">42</span> { <span class="ln">43</span> // using func_get_args() allows to not expose the blocks argument </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #10 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/application/core/LSETwigViewRenderer.php(519): <strong>Twig\TemplateWrapper</strong>-><strong>render</strong>() </div> <div class="code"><pre><span class="ln">514</span> list($sString, $aData) = $this->getPluginsData($sString, $aData); <span class="ln">515</span> } <span class="ln">516</span> <span class="ln">517</span> // Twig rendering <span class="ln">518</span> $oTwigTemplate = $twig->createTemplate($sString); <span class="error"><span class="ln error-ln">519</span> $sHtml = $oTwigTemplate->render($aData, false); </span><span class="ln">520</span> <span class="ln">521</span> return $sHtml; <span class="ln">522</span> } <span class="ln">523</span> <span class="ln">524</span> /* </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #11 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/application/core/LSETwigViewRenderer.php(72): <strong>LSETwigViewRenderer</strong>-><strong>convertTwigToHtml</strong>() </div> <div class="code"><pre><span class="ln">67</span> { <span class="ln">68</span> $oTemplate = Template::getLastInstance(); <span class="ln">69</span> $oLayoutTemplate = $this->getTemplateForView($sLayout, $oTemplate); <span class="ln">70</span> if ($oLayoutTemplate) { <span class="ln">71</span> $line = file_get_contents($oLayoutTemplate->viewPath . $sLayout); <span class="error"><span class="ln error-ln">72</span> $sHtml = $this->convertTwigToHtml($line, $aData, $oTemplate); </span><span class="ln">73</span> $sEmHiddenInputs = LimeExpressionManager::FinishProcessPublicPage(true); <span class="ln">74</span> if ($sEmHiddenInputs) { <span class="ln">75</span> $sHtml = str_replace( <span class="ln">76</span> "<!-- emScriptsAndHiddenInputs -->", <span class="ln">77</span> "<!-- emScriptsAndHiddenInputs updated -->\n" . </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #12 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/application/controllers/SurveysController.php(63): <strong>LSETwigViewRenderer</strong>-><strong>renderTemplateFromFile</strong>() </div> <div class="code"><pre><span class="ln">58</span> // maintenance mode <span class="ln">59</span> $sMaintenanceMode = getGlobalSetting('maintenancemode'); <span class="ln">60</span> if ($sMaintenanceMode == 'hard' \|\| $sMaintenanceMode == 'soft') { <span class="ln">61</span> Yii::app()->twigRenderer->renderTemplateFromFile("layout_maintenance.twig", array('aSurveyInfo' => $aData), false); <span class="ln">62</span> } else { <span class="error"><span class="ln error-ln">63</span> Yii::app()->twigRenderer->renderTemplateFromFile("layout_survey_list.twig", array('aSurveyInfo' => $aData), false); </span><span class="ln">64</span> } <span class="ln">65</span> } <span class="ln">66</span> <span class="ln">67</span> /** <span class="ln">68</span> * System error : only 404 error are managed here (2016-11-29) </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #13 </td> <td class="content"> <div class="trace-file">  unknown(0): <strong>SurveysController</strong>-><strong>actionPublicList</strong>() </div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #14 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/actions/CAction.php(114): <strong>ReflectionMethod</strong>-><strong>invokeArgs</strong>() </div> <div class="code"><pre><span class="ln">109</span> elseif($param->isDefaultValueAvailable()) <span class="ln">110</span> $ps[]=$param->getDefaultValue(); <span class="ln">111</span> else <span class="ln">112</span> return false; <span class="ln">113</span> } <span class="error"><span class="ln error-ln">114</span> $method->invokeArgs($object,$ps); </span><span class="ln">115</span> return true; <span class="ln">116</span> } <span class="ln">117</span> } </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #15 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/actions/CInlineAction.php(47): <strong>CAction</strong>-><strong>runWithParamsInternal</strong>() </div> <div class="code"><pre><span class="ln">42</span> { <span class="ln">43</span> $methodName='action'.$this->getId(); <span class="ln">44</span> $controller=$this->getController(); <span class="ln">45</span> $method=new ReflectionMethod($controller, $methodName); <span class="ln">46</span> if($method->getNumberOfParameters()>0) <span class="error"><span class="ln error-ln">47</span> return $this->runWithParamsInternal($controller, $method, $params); </span><span class="ln">48</span> <span class="ln">49</span> $controller->$methodName(); <span class="ln">50</span> return true; <span class="ln">51</span> } <span class="ln">52</span> } </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #16 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(308): <strong>CInlineAction</strong>-><strong>runWithParams</strong>() </div> <div class="code"><pre><span class="ln">303</span> { <span class="ln">304</span> $priorAction=$this->_action; <span class="ln">305</span> $this->_action=$action; <span class="ln">306</span> if($this->beforeAction($action)) <span class="ln">307</span> { <span class="error"><span class="ln error-ln">308</span> if($action->runWithParams($this->getActionParams())===false) </span><span class="ln">309</span> $this->invalidActionParams($action); <span class="ln">310</span> else <span class="ln">311</span> $this->afterAction($action); <span class="ln">312</span> } <span class="ln">313</span> $this->_action=$priorAction; </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #17 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(286): <strong>CController</strong>-><strong>runAction</strong>() </div> <div class="code"><pre><span class="ln">281</span> * @see runAction <span class="ln">282</span> / <span class="ln">283</span> public function runActionWithFilters($action,$filters) <span class="ln">284</span> { <span class="ln">285</span> if(empty($filters)) <span class="error"><span class="ln error-ln">286</span> $this->runAction($action); </span><span class="ln">287</span> else <span class="ln">288</span> { <span class="ln">289</span> $priorAction=$this->_action; <span class="ln">290</span> $this->_action=$action; <span class="ln">291</span> CFilterChain::create($this,$action,$filters)->run(); </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #18 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CController.php(265): <strong>CController</strong>-><strong>runActionWithFilters</strong>() </div> <div class="code"><pre><span class="ln">260</span> { <span class="ln">261</span> if(($parent=$this->getModule())===null) <span class="ln">262</span> $parent=Yii::app(); <span class="ln">263</span> if($parent->beforeControllerAction($this,$action)) <span class="ln">264</span> { <span class="error"><span class="ln error-ln">265</span> $this->runActionWithFilters($action,$this->filters()); </span><span class="ln">266</span> $parent->afterControllerAction($this,$action); <span class="ln">267</span> } <span class="ln">268</span> } <span class="ln">269</span> else <span class="ln">270</span> $this->missingAction($actionID); </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #19 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CWebApplication.php(282): <strong>CController</strong>-><strong>run</strong>() </div> <div class="code"><pre><span class="ln">277</span> { <span class="ln">278</span> list($controller,$actionID)=$ca; <span class="ln">279</span> $oldController=$this->_controller; <span class="ln">280</span> $this->_controller=$controller; <span class="ln">281</span> $controller->init(); <span class="error"><span class="ln error-ln">282</span> $controller->run($actionID); </span><span class="ln">283</span> $this->_controller=$oldController; <span class="ln">284</span> } <span class="ln">285</span> else <span class="ln">286</span> throw new CHttpException(404,Yii::t('yii','Unable to resolve the request "{route}".', <span class="ln">287</span> array('{route}'=>$route===''?$this->defaultController:$route))); </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #20 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/web/CWebApplication.php(141): <strong>CWebApplication</strong>-><strong>runController</strong>() </div> <div class="code"><pre><span class="ln">136</span> foreach(array_splice($this->catchAllRequest,1) as $name=>$value) <span class="ln">137</span> $_GET[$name]=$value; <span class="ln">138</span> } <span class="ln">139</span> else <span class="ln">140</span> $route=$this->getUrlManager()->parseUrl($this->getRequest()); <span class="error"><span class="ln error-ln">141</span> $this->runController($route); </span><span class="ln">142</span> } <span class="ln">143</span> <span class="ln">144</span> /* <span class="ln">145</span> * Registers the core application components. <span class="ln">146</span> * This method overrides the parent implementation by registering additional core components. </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #21 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/vendor/yiisoft/yii/framework/base/CApplication.php(185): <strong>CWebApplication</strong>-><strong>processRequest</strong>() </div> <div class="code"><pre><span class="ln">180</span> public function run() <span class="ln">181</span> { <span class="ln">182</span> if($this->hasEventHandler('onBeginRequest')) <span class="ln">183</span> $this->onBeginRequest(new CEvent($this)); <span class="ln">184</span> register_shutdown_function(array($this,'end'),0,false); <span class="error"><span class="ln error-ln">185</span> $this->processRequest(); </span><span class="ln">186</span> if($this->hasEventHandler('onEndRequest')) <span class="ln">187</span> $this->onEndRequest(new CEvent($this)); <span class="ln">188</span> } <span class="ln">189</span> <span class="ln">190</span> /** </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #22 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /media/shnoulle/data/webdev/master/index.php(161): <strong>CApplication</strong>-><strong>run</strong>() </div> <div class="code"><pre><span class="ln">156</span> require_once APPPATH . 'core/LSYii_Application' . EXT; <span class="ln">157</span> <span class="ln">158</span> $config = require_once(APPPATH . 'config/internal' . EXT); <span class="ln">159</span> <span class="ln">160</span> Yii::$enableIncludePath = false; <span class="error"><span class="ln error-ln">161</span> Yii::createApplication('LSYii_Application', $config)->run(); </span><span class="ln">162</span> <span class="ln">163</span> /* End of file index.php / <span class="ln">164</span> / Location: ./index.php / </pre></div> </td> </tr> </tbody></table> </div> <div class="version"> 2024-11-10 18:51:41 nginx/1.22.1 <a href="https://www.yiiframework.com/">Yii Framework</a>/1.1.30 </div> </div> <script type="text/javascript"> /<![CDATA[/ var traceReg = new RegExp("(^\|\\s)trace-file(\\s\|$)"); var collapsedReg = new RegExp("(^\|\\s)collapsed(\\s\|$)"); var e = document.getElementsByTagName("div"); for(var j=0,len=e.length;j<len;j++){ if(traceReg.test(e[j].className)){ e[j].onclick = function(){ var trace = this.parentNode.parentNode; if(collapsedReg.test(trace.className)) trace.className = trace.className.replace("collapsed", "expanded"); else trace.className = trace.className.replace("expanded", "collapsed"); } } } /]]>*/ </script> <div id="grammalecte_menu_main_button_shadow_host" style="width: 0px; height: 0px;"></div></body><script src="Twig_Sandbox_SecurityNotAllowedPropertyError_fichiers/api.js"></script></html> Twig_Sandbox_SecurityNotAllowedPropertyError.html (31,871 bytes)

Bug heat	10
Complete LimeSurvey version number (& build)	https://github.com/LimeSurvey/LimeSurvey/commit/0a4979a3a403aa990e6c271a274fe50791a59de8
I will donate to the project if issue is resolved	No
Browser	not relevant
Database type & version	not relevant
Server OS (if known)	not relevant
Webserver software & version (if known)	not relevant
PHP Version	not relevant

User List	IrishWolf

DenisChenu 2024-11-10 19:52 developer ~81367	https://master.sondages.pro/ without debug

DenisChenu 2024-11-10 19:55 developer ~81368	https://github.com/LimeSurvey/LimeSurvey/blob/0a4979a3a403aa990e6c271a274fe50791a59de8/vendor/twig/twig/CHANGELOG#L7 [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects

DenisChenu 2024-11-12 18:42 developer ~81372	http://webdev.local/master/index.php?r=surveyAdministration/view&iSurveyID=616779 500 : Erreur interne au serveur - Calling "isListPublic" property on a "Survey" object is not allowed in "__string_template__7856a6190c7974db24c0cec927d042ba" at line 38. I don't understand : it must broke test

DenisChenu 2024-11-18 09:35 developer ~81405	Still have https://master.sondages.pro/ 500: Internal Server Error - Calling "localizedTitle" property on a "Survey" object is not allowed in "__string_template__dde778de3d198576d4b0338cdf9cc2b5" at line 164.

DenisChenu 2024-11-18 09:36 developer ~81406	PHP 8.1.25 here. Cache resetted (just delete whole tmp/runtime)

DenisChenu 2024-11-18 09:39 developer ~81407	ALL public properties must be added : it can be used in another template (here it's a core template). For example Template.author or Template.last_update If a theme use it : we need to show it, else we broke semver

LimeSurvey: master b1a9dcdf 2024-11-14 14:25 mohabmes Committer: GitHub Details Diff	Dev: Add sSurveyUrl & other vars to sandboxConfig survey properties due to new Twig security policy	Affected Issues 19830
	mod - application/config/internal.php	Diff File
	mod - tests/functional/acceptance/15997-ip-anonymize/IpAddressAnonymizeTest.php	Diff File
	mod - tests/functional/backend/QuestionThemeTest.php	Diff File

Date Modified	Username	Field	Change
2024-11-10 19:52	DenisChenu	New Issue
2024-11-10 19:52	DenisChenu	File Added: Twig_Sandbox_SecurityNotAllowedPropertyError.html
2024-11-10 19:52	DenisChenu	Assigned To	=> tibor.pacalat
2024-11-10 19:52	DenisChenu	Status	new => assigned
2024-11-10 19:52	DenisChenu	Note Added: 81367
2024-11-10 19:52	DenisChenu	Bug heat	0 => 2
2024-11-10 19:55	DenisChenu	Note Added: 81368
2024-11-12 12:31	IrishWolf	Issue Monitored: IrishWolf
2024-11-12 12:31	IrishWolf	Bug heat	2 => 4
2024-11-12 12:32	guest	Bug heat	4 => 10
2024-11-12 18:42	DenisChenu	Note Added: 81372
2024-11-14 13:26	c_schmitz	Status	assigned => resolved
2024-11-14 13:26	c_schmitz	Resolution	open => fixed
2024-11-14 13:27	c_schmitz	Changeset attached	=> LimeSurvey master b1a9dcdf
2024-11-18 09:35	DenisChenu	Note Added: 81405
2024-11-18 09:35	DenisChenu	Status	resolved => feedback
2024-11-18 09:35	DenisChenu	Resolution	fixed => reopened
2024-11-18 09:36	DenisChenu	Note Added: 81406
2024-11-18 09:36	DenisChenu	Status	feedback => assigned
2024-11-18 09:39	DenisChenu	Note Added: 81407

View Issue Details

Steps to reproduce

Expected result

Actual result

Users monitoring this issue

Activities

Related Changesets

Issue History