Can't generate Twig template cache via the 'template.cache' in the config.php

Miguel Jacq

unread,

Jun 21, 2021, 9:45:09 PM6/21/21

to SimpleSAMLphp

Hi,

I'm running SimpleSAML on an environment whereby PHP will have an extension [1] to disallow the use of eval() for security reasons.

It turns out that Twig uses eval() as a last resort when it is unable to load its templates from cache; you can read more about that here [2].

SimpleSAMLphp does not use Twig template caching by default, meaning that indeed, I hit this error on either an SP or an IDP using SimpleSAMLPHP:

Jun 22 01:35:30 b8397ee50592 simplesamlphp[23168]: PHP Fatal error: DISEVAL - Use of eval is forbidden in /path/to/simplesamlphp/vendor/twig/twig/src/Environment.php(497) : eval()'d code on line 15

The config.php and documentation suggest that Twig template caching can be turned on by setting 'template.cache' to an absolute path that PHP/the webserver can write to. However, when I do so, no cache data is generated, and the issue does not go away. It's not a permission issue or anything - simply no change in behavior whatsoever.

It's strange, I looked at the source code [3] and I can see how $cache is being set. But if I change that variable $cache to be a hardcoded string, it *still* doesn't seem to set cache.

Is it maybe not setting cache the right way anymore (whereas maybe in an earlier version of Twig it worked that way?) Does anyone else have this working as per the notes in the config.php ? I've tested it in SimpleSAML 1.17 and 1.19 with no luck

Thanks for any assistance!

[1] https://github.com/mk-j/PHP_diseval_extension

[2] https://github.com/twigphp/Twig/issues/2428

[3] https://github.com/simplesamlphp/simplesamlphp/blob/5a705f4dba77b8aa37d3600313b49f6c970b1ef4/lib/SimpleSAML/XHTML/Template.php#L269-L290

Miguel Jacq

unread,

Jun 21, 2021, 10:02:27 PM6/21/21

to SimpleSAMLphp

By the way, if I edit vendor/twig/twig/src/Environment.php and hardcode the cache path there, it works perfectly.

//$this->setCache($options['cache']);

$this->setCache('/tmp');

The cache data is generated, disallowing eval() works great.

So, it feels like something in SimpleSAML not actually properly passing the template.cache setting down to Twig_Environment, somehow, despite me having set 'template.cache' => '/tmp' in config.php

Thanks again if anyone can help me figure this out.

Miguel Jacq

unread,

Jun 21, 2021, 10:21:44 PM6/21/21

to SimpleSAMLphp

Sorry, please ignore this. I think it was due to collision with the app itself which also uses Twig.. it needs to set cache too when instantiating its Twig settings. I think it was overriding it as being false even if it was set in SimpleSAML.

Seems to be working now (regardless of whether I set template.cache to true or false in SimpleSAML, apparently)

Reply all

Reply to author

Forward