added compilation checks to avoid misuses of the sandbox tag
authorFabien Potencier <fabien.potencier@gmail.com>
Tue, 3 Apr 2012 07:03:41 +0000 (09:03 +0200)
committerFabien Potencier <fabien.potencier@gmail.com>
Tue, 3 Apr 2012 07:03:41 +0000 (09:03 +0200)
CHANGELOG
lib/Twig/NodeVisitor/Sandbox.php
test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test [new file with mode: 0644]
test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst [new file with mode: 0644]
test/Twig/Tests/Fixtures/tags/sandbox/simple.test [new file with mode: 0644]
test/Twig/Tests/integrationTest.php

index ab6f198..6e2e2a3 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,6 @@
 * 1.6.5 (2012-XX-XX)
 
+ * added compilation checks to avoid misuses of the sandbox tag
  * fixed filesystem loader freshness logic for high traffic websites
 
 * 1.6.4 (2012-04-02)
index 1957f8a..61ef0c6 100644 (file)
@@ -32,6 +32,19 @@ class Twig_NodeVisitor_Sandbox implements Twig_NodeVisitorInterface
      */
     public function enterNode(Twig_NodeInterface $node, Twig_Environment $env)
     {
+        // in a sandbox tag, only include tags are allowed
+        if ($node instanceof Twig_Node_Sandbox && !$node->getNode('body') instanceof Twig_Node_Include) {
+            foreach ($node->getNode('body') as $n) {
+                if ($n instanceof Twig_Node_Text && ctype_space($n->getAttribute('data'))) {
+                    continue;
+                }
+
+                if (!$n instanceof Twig_Node_Include) {
+                    throw new Twig_Error_Syntax('Only "include" tags are allowed within a "sandbox" section', $n->getLine());
+                }
+            }
+        }
+
         if ($node instanceof Twig_Node_Module) {
             $this->inAModule = true;
             $this->tags = array();
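Review bot: The loop at lines 30-38 validates only the children of the body node, so a sandbox section whose body is a single non-include statement with no children is not rejected: `{% sandbox %}hello{% endsandbox %}` leaves a body that is one Twig_Node_Text (if subparse() unwraps single-statement bodies here as it does for other block tags) with nothing to iterate, and compiles cleanly although the same text next to an include throws. The guard at line 29 covers the single-include case but not the single-non-include one, and when the lone statement does have children (a Twig_Node_If) the error is raised with an inner node's line rather than the tag's. Normalising the body to a list of statements before the loop and applying one predicate to each closes both gaps; the rewrite below assumes statement lists are plain Twig_Node instances, which should be confirmed against the parser. `ctype_space()` is false for an empty string, so an empty text node, should the lexer ever emit one, would also be rejected; the rewrite treats `''` as whitespace. enterNode() continues past the hunk.
```php
        // in a sandbox tag, only include tags are allowed
        if ($node instanceof Twig_Node_Sandbox) {
            $body = $node->getNode('body');
            // a single-statement body is not wrapped in a list, so check the node itself
            $statements = 'Twig_Node' === get_class($body) ? iterator_to_array($body) : array($body);
            foreach ($statements as $n) {
                if ($n instanceof Twig_Node_Include) {
                    continue;
                }

                // whitespace-only (or empty) text between includes is harmless
                if ($n instanceof Twig_Node_Text) {
                    $data = $n->getAttribute('data');
                    if ('' === $data || ctype_space($data)) {
                        continue;
                    }
                }

                throw new Twig_Error_Syntax('Only "include" tags are allowed within a "sandbox" section', $n->getLine());
            }
        }
        // … unchanged: module / tag bookkeeping …
```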
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test
new file mode 100644 (file)
index 0000000..683c59a
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+    {%- include "foo.twig" %}
+    a
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 4
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst
new file mode 100644 (file)
index 0000000..3dcfa88
--- /dev/null
@@ -0,0 +1,14 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+    {%- include "foo.twig" %}
+
+    {% if 1 %}
+        {%- include "foo.twig" %}
+    {% endif %}
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 5
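Review bot: The new fixture at line 60 is named `not_valid2.rst` while its siblings use the `.test` suffix; if the integration runner selects fixtures by that suffix (as the names `not_valid1.test` and `simple.test` suggest), this file is never loaded and the nested-`if` rejection it describes is not exercised. Renaming it to `not_valid2.test` makes the case run. The `at line 5` expectation on line 78 is then also unverified: counting the template at lines 68-74, the `{% if 1 %}` tag that the visitor would reject sits on line 4 and the nested include on line 5, so the reported line depends on which node's line the visitor uses.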
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/simple.test b/test/Twig/Tests/Fixtures/tags/sandbox/simple.test
new file mode 100644 (file)
index 0000000..de20f3d
--- /dev/null
@@ -0,0 +1,22 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+    {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}
+    {%- include "foo.twig" %}
+    {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}{% include "foo.twig" %}{% endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--DATA--
+return array()
+--EXPECT--
+foo
+foo
+foo
+foo
index 5a34418..cb60a82 100644 (file)
@@ -68,6 +68,8 @@ class Twig_Tests_IntegrationTest extends PHPUnit_Framework_TestCase
             $twig = new Twig_Environment($loader, $config);
             $twig->addExtension(new TestExtension());
             $twig->addExtension(new Twig_Extension_Debug());
+            $policy = new Twig_Sandbox_SecurityPolicy(array(), array(), array(), array(), array());
+            $twig->addExtension(new Twig_Extension_Sandbox($policy, false));
 
             try {
                 $template = $twig->loadTemplate('index.twig');
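Review bot: The two added lines at 111-112 configure the sandbox with five positional empty arrays and a bare `false`, which is opaque in a harness that every fixture now runs through; a one-line comment would record the intent, e.g. `// deny-all policy; sandboxed=false so only explicit {% sandbox %} sections are restricted`. Because the policy allows no tags, filters or functions, any fixture that includes a template using them inside a sandbox section will fail with a security error rather than render, which is presumably intended but worth stating next to the line. The enclosing test method starts, and the `try` block ends, outside the hunk.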