Global sandbox policy should be optional in Twig Enviroment [#2600632]

The Globally Sandbox option in TwigEnvironment is allways TRUE, and should be optional.

Change this:

    $policy = new TwigSandboxPolicy();
    $sandbox = new \Twig_Extension_Sandbox($policy, TRUE);
    $this->addExtension($sandbox);

To this:

    $policy = new TwigSandboxPolicy();
    $sandbox = new \Twig_Extension_Sandbox($policy, $options['global_sandbox']);
    $this->addExtension($sandbox);

Comment	File	Size	Author
#5	drupal-global-sandbox-policy-should-be-optional-in-twig-2600632-5.patch	1.3 KB	mayeco
#5
#4	drupal-global-sandbox-policy-should-be-optional-in-twig-2600632-4.patch	1.48 KB	mayeco
#4
#2	drupal-twig_globally_sandbox_optional-2600632.patch	1.2 KB	mayeco
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

24 October 2015 at 20:55

mayeco created an issue. See original summary.

Comment #2

mayeco CreditAttribution: mayeco as a volunteer commented 24 October 2015 at 21:01

File	Size
drupal-twig_globally_sandbox_optional-2600632.patch	1.2 KB

Comment #3

star-szr

he/him

English

CreditAttribution: star-szr as a volunteer commented 24 October 2015 at 21:03

Title:	Glogally sandbox should in Twig Enviroment is not optional	» Global sandbox policy should be optional in Twig Enviroment
Status:	Active	» Postponed (maintainer needs more info)

Thanks for the report. Why should we do this? It seems like global_sandbox would be a non-standard Twig option which would be really nice to avoid.

Note that you can override some things in your settings file, see https://www.drupal.org/node/2595803.

Comment #4

mayeco CreditAttribution: mayeco as a volunteer commented 25 October 2015 at 01:42

File	Size
drupal-global-sandbox-policy-should-be-optional-in-twig-2600632-4.patch	1.48 KB

Totally agree this is not a Twig option, is a Twig Extension option, what do you think of do it like this:

  extensions:
    sandbox:
      global: true

Comment #5

mayeco CreditAttribution: mayeco as a volunteer commented 25 October 2015 at 01:46

File	Size
drupal-global-sandbox-policy-should-be-optional-in-twig-2600632-5.patch	1.3 KB

1 file was hidden/shown/deleted

File	Size
drupal-global-sandbox-policy-should-be-optional-in-twig-2600632-4.patch	1.48 KB

Comment #6

star-szr

he/him

English

CreditAttribution: star-szr as a volunteer commented 25 October 2015 at 01:52

I would still like to know why you need/want this :) do you have a use case or example of why you want to turn this off?

Comment #7

mayeco CreditAttribution: mayeco as a volunteer commented 25 October 2015 at 02:01

Cottser, sure yes, the reason is this: https://www.drupal.org/node/2600378

Comment #8

star-szr

he/him

English

CreditAttribution: star-szr as a volunteer commented 25 October 2015 at 03:08

I would rather do #2595805: [Followup] Implement the Twig Sandbox Policy as a service collection instead, allowing to disable the sandbox policy altogether can be dangerous. That's why we did #2513266: Twig templates can call delete() on entities and other objects.

Comment #9

mayeco CreditAttribution: mayeco as a volunteer commented 25 October 2015 at 17:21

I added the methods needed for webprofiler to work in twig_sandbox_whitelisted_prefixes and twig_sandbox_whitelisted_methods and now is working, we can close this now thank you, https://www.drupal.org/node/2600378#comment-10489768