CVE-2022-0323: improper neutralization of special elements used in a template engine (CWE-1336) in mustache/mustache, fixed in version 2.14.1.

In this post, we’ll discuss what was wrong, how to fix it in your own project, and how to keep your dependencies updated. The affected package is mustache/mustache, the PHP implementation of the Mustache template language. It is published on Packagist and installed with Composer, so "2.14.1" is a release of the library, not of Packagist. Versions before 2.14.1 did not properly neutralize special elements in templates: input that should have been handled as plain template content could instead be interpreted by the engine (CWE-1336, Improper Neutralization of Special Elements Used in a Template Engine). The fix is to upgrade to mustache/mustache 2.14.1 or later.

What’s the Problem?

Prior to 2.14.1, mustache/mustache did not reliably keep Mustache's control syntax separate from the content it was asked to process. A special element that should have been neutralized could instead be interpreted by the engine, so whoever could supply or modify a template could make it behave in a way its author did not intend. Because mustache/mustache compiles each template to PHP code before rendering it, the consequences of an unneutralized special element are not confined to the rendered text. Mustache templates are usually trusted, checked-in files, so the exposure is greatest where templates are assembled from user-controlled data or loaded from sources you do not control; in that situation treat the upgrade as urgent rather than routine.

What is Packagist?

Packagist is the main Composer package repository for PHP. Composer is the dependency manager that goes with it: you declare the packages and version constraints your project needs in composer.json, Composer resolves them against Packagist, records the exact versions it chose in composer.lock, and installs them under vendor/. Commands such as composer require, composer update and composer show are how you add, upgrade and inspect those packages, and mustache/mustache is one of the packages distributed this way.

Why did Mustache fix this?

The mustache/mustache maintainers fixed this because it was reported as a security issue in the way the engine handled special elements, and it was assigned CVE-2022-0323. The fix shipped in version 2.14.1. It is a good example of why it matters to stay current with your project's dependencies and to have a plan for applying security updates when one is published.
What does this mean for me?

If your project depends on mustache/mustache directly, upgrade to 2.14.1 or later (for example, composer require mustache/mustache:^2.14.1, or composer update mustache/mustache if your existing constraint already allows it). If mustache/mustache reaches your project only as a dependency of another package, check the version recorded in composer.lock: Composer resolves transitive dependencies for your project, so composer update mustache/mustache will usually pull in the fixed release even before the package that depends on it publishes a new version, as long as that package's version constraint permits 2.14.1. If it does not, you will need that package to relax its constraint, or you will need to replace it.
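
The version check described above, as an added example that is not part of the original post or of the mustache/mustache project: a POSIX sh script that reads the mustache/mustache version recorded in a composer.lock file and reports whether it is older than 2.14.1. The composer.lock fragment is constructed for the demonstration, and the function names (locked_version, version_lt, check_mustache) are this example's own, not anything Composer provides.

```shell
#!/bin/sh
# Added example (not from the CVE.news post or the mustache/mustache project):
# check a composer.lock for a mustache/mustache version older than 2.14.1,
# the release that fixed CVE-2022-0323. Only POSIX sh and awk are used, so
# the check can run in CI before "composer" itself is installed.

FIXED_VERSION="2.14.1"

# Constructed composer.lock fragment for demonstration. A real lock file has
# many more fields per package, but "name" is always followed by "version".
SAMPLE_LOCK='{
    "packages": [
        {
            "name": "mustache/mustache",
            "version": "v2.13.0",
            "type": "library"
        },
        {
            "name": "psr/log",
            "version": "1.1.4"
        }
    ]
}'

# locked_version PACKAGE LOCKFILE
# Prints the "version" value that follows the first "name": "PACKAGE" line.
# Prints nothing if the package is not locked at all.
locked_version() {
  awk -v pkg="\"$1\"" '
    $1 == "\"name\":" && $2 == (pkg ",") { found = 1; next }
    found && $1 == "\"version\":" { gsub(/[",]/, "", $2); print $2; exit }
  ' "$2"
}

# version_lt A B
# Returns 0 if dotted version A is strictly lower than B. A leading "v" (as
# Composer records for tags like v2.13.0) is ignored; missing components
# count as 0, so 2.15 compares as 2.15.0.
version_lt() {
  a=${1#v}
  b=${2#v}
  awk -v a="$a" -v b="$b" 'BEGIN {
    n = split(a, x, ".")
    m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# check_mustache LOCKFILE
# Prints a verdict and returns 1 when the locked version is affected, so the
# function can gate a CI job. A project without mustache/mustache passes.
check_mustache() {
  v=$(locked_version mustache/mustache "$1")
  if [ -z "$v" ]; then
    echo "mustache/mustache is not in $1"
    return 0
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "mustache/mustache $v is affected by CVE-2022-0323 (fixed in $FIXED_VERSION)"
    return 1
  fi
  echo "mustache/mustache $v is not affected by CVE-2022-0323"
  return 0
}

# Run the check against the constructed lock file.
LOCK_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOCK" > "$LOCK_FILE"
check_mustache "$LOCK_FILE" || echo "Run: composer update mustache/mustache"
rm -f "$LOCK_FILE"
```

Point check_mustache at your project's real composer.lock to use it. Once Composer is available, composer show mustache/mustache prints the installed version directly, and on Composer 2.4 or later composer audit checks every locked package against the Packagist security advisory database, which is the more general way to catch this class of problem across all of your dependencies rather than one package at a time.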

Summary

Before 2.14.1, templates containing special elements could be rendered with an effect other than the one their author intended, with consequences that could extend beyond the affected template. The issue is fixed in mustache/mustache 2.14.1 and is not present in that version or any later one; check composer.lock to confirm which version your project actually has installed.
