In a sandbox, an attacker can call __toString()
on an object even if the __toString()
method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).
The sandbox mode now checks the __toString()
method call on all objects.
The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.
We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.
{ "nvd_published_at": "2024-11-06T20:15:05Z", "cwe_ids": [ "CWE-668" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-11-06T19:52:31Z" }