A specially constructed input could bypass the sandbox

Moderate

dg published GHSA-36m2-8rhx-f36j

Jan 4, 2022

Package

latte/latte (Composer)

Affected versions

>= 2.8.0, < 2.8.8 >= 2.9.0, < 2.9.6 >= 2.10.0, < 2.10.8

Patched versions

2.10.8, 2.9.6., 2.8.8

Description

Impact

The problem affects users who use the sandbox in Latte and templates from untrusted sources.

Patches

Sandbox first appeared in Latte 2.8.0. The issue is fixed in the versions 2.8.8, 2.9.6 and 2.10.8.

References

The issues were discovered by

JinYiTong (https://github.com/JinYiTong)
赵钰迪 20212010122@fudan.edu.cn