From 50e73b20cb2cf21c06042cdb4ccd7393b8808385 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Sat, 17 Mar 2012 13:51:26 +0100
Subject: [PATCH] fixed sandbox mode when used with inheritance (closes #656)
The checkSecurity() method must be called by each template as we are not using inheritance.
---
 CHANGELOG | 1 +
 lib/Twig/Node/SandboxedModule.php | 14 +-------------
 test/Twig/Tests/Extension/SandboxTest.php | 12 ++++++++++++
 test/Twig/Tests/Node/SandboxedModuleTest.php | 3 +--
 4 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 735dd68..536ec25 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,6 @@
 * 1.7.0 (2012-XX-XX)
+ * fixed sandbox mode when used with inheritance
 * added preserveKeys support for the slice filter
 * fixed the date filter when a DateTime instance is passed with a specific timezone
 * added a trim filter
diff --git a/lib/Twig/Node/SandboxedModule.php b/lib/Twig/Node/SandboxedModule.php
index 36d9f19..655efa3 100644
--- a/lib/Twig/Node/SandboxedModule.php
+++ b/lib/Twig/Node/SandboxedModule.php
@@ -33,9 +33,7 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module
 protected function compileDisplayBody(Twig_Compiler $compiler)
 {
- if (null === $this->getNode('parent')) {
- $compiler->write("\$this->checkSecurity();\n");
- }
+ $compiler->write("\$this->checkSecurity();\n");
 parent::compileDisplayBody($compiler);
 }
@@ -54,16 +52,6 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module
 ->write(!$this->usedFunctions ? "array()\n" : "array('".implode('\', \'', $this->usedFunctions)."')\n")
 ->outdent()
 ->write(");\n")
- ;
- if (null !== $this->getNode('parent')) {
- $compiler
- ->raw("\n")
- ->write("\$this->parent->checkSecurity();\n")
- ;
- }
-
- $compiler
 ->outdent()
 ->write("}\n\n")
 ;
diff --git a/test/Twig/Tests/Extension/SandboxTest.php b/test/Twig/Tests/Extension/SandboxTest.php
index f2b4b03..abb7aa7 100644
--- a/test/Twig/Tests/Extension/SandboxTest.php
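Review bot: The now-unconditional `$compiler->write("\$this->checkSecurity();\n");` in compileDisplayBody drops the reasoning the removed branch encoded, and nothing in the method says why a child template must emit its own check, so a later "optimisation" could reintroduce the parent-only condition that caused #656. I would add above the write: `// Every compiled template checks its own tags/filters/functions: a child's doDisplay() delegates to the parent's display(), which runs the parent's own check, so no cross-template call is needed.` The same invariant is what justifies removing the `$this->parent->checkSecurity()` branch in the compileDisplayFooter hunk below (that method starts outside its hunk). The ordering is also worth stating in the comment: because the write precedes `parent::compileDisplayBody($compiler)`, the check runs before `getParent()` is resolved (as the updated SandboxedModuleTest fixture shows), so a disallowed construct in the child is rejected before any parent template is loaded or rendered.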
+++ b/test/Twig/Tests/Extension/SandboxTest.php
@@ -31,9 +31,21 @@ class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase
 '1_basic7' => '{{ cycle(["foo","bar"], 1) }}',
 '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',
 '1_basic' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
+ '1_layout' => '{% block content %}{% endblock %}',
+ '1_child' => '{% extends "1_layout" %}{% block content %}{{ "a"|json_encode }}{% endblock %}',
 );
 }
+ /**
+ * @expectedException Twig_Sandbox_SecurityError
+ * @expectedExceptionMessage Filter "json_encode" is not allowed.
+ */
+ public function testSandboxWithInheritance()
+ {
+ $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));
+ $twig->loadTemplate('1_child')->render(array());
+ }
+
 public function testSandboxGloballySet()
 {
 $twig = $this->getEnvironment(false, array(), self::$templates);
diff --git a/test/Twig/Tests/Node/SandboxedModuleTest.php b/test/Twig/Tests/Node/SandboxedModuleTest.php
index a24857b..f1966be 100644
--- a/test/Twig/Tests/Node/SandboxedModuleTest.php
+++ b/test/Twig/Tests/Node/SandboxedModuleTest.php
@@ -113,6 +113,7 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template
 protected function doDisplay(array \$context, array \$blocks = array())
 {
+ \$this->checkSecurity();
 \$this->getParent(\$context)->display(\$context, array_merge(\$this->blocks, \$blocks));
 }
@@ -122,8 +123,6 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template
 array('for'),
 array('cycle')
 );
-
- \$this->parent->checkSecurity();
 }
 public function getTemplateName()
-- 
1.7.2.5
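Review bot: testSandboxWithInheritance only pins the case where the child template carries the disallowed filter; the invariant this commit relies on — each template checks its own usage when display() is delegated to it — is not covered in the other direction, a clean child extending a layout that uses a disallowed filter. A regression that drops or skips the parent's own check when it is reached through getParent() would pass this suite unnoticed. I would add a layout fixture carrying the filter and a child that only extends it, expecting the same Twig_Sandbox_SecurityError with the same message; the fixture names below are constructed.
```php
// … unchanged: existing fixtures …
'1_layout_unsafe' => '{% block content %}{{ "a"|json_encode }}{% endblock %}',
'1_child_clean' => '{% extends "1_layout_unsafe" %}',

// … unchanged: testSandboxWithInheritance …

/**
 * @expectedException Twig_Sandbox_SecurityError
 * @expectedExceptionMessage Filter "json_encode" is not allowed.
 */
public function testSandboxWithInheritanceInParent()
{
    $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));
    $twig->loadTemplate('1_child_clean')->render(array());
}
```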