From 6f45fcf519039a35bfd473a72849fa41033d9a48 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Sun, 4 Mar 2018 10:12:13 -0800
Subject: [PATCH] fixed .. (range operator) in sandbox policy
---
 CHANGELOG | 2 +-
 lib/Twig/NodeVisitor/Sandbox.php | 5 +++++
 test/Twig/Tests/Extension/SandboxTest.php | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 7f36cb67b12..768657d4ec0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,6 @@
 * 1.35.2 (2018-XX-XX)
- * n/a
+ * fixed .. (range operator) in sandbox policy
 * 1.35.1 (2018-03-02)
diff --git a/lib/Twig/NodeVisitor/Sandbox.php b/lib/Twig/NodeVisitor/Sandbox.php
index b631b29d4d1..71aa4f029b4 100644
--- a/lib/Twig/NodeVisitor/Sandbox.php
+++ b/lib/Twig/NodeVisitor/Sandbox.php
@@ -48,6 +48,11 @@ protected function doEnterNode(Twig_Node $node, Twig_Environment $env)
 $this->functions[$node->getAttribute('name')] = $node;
 }
+ // the .. operator is equivalent to the range() function
+ if ($node instanceof Twig_Node_Expression_Binary_Range && !isset($this->functions['range'])) {
+ $this->functions['range'] = $node;
+ }
+
 // wrap print to check __toString() calls
 if ($node instanceof Twig_Node_Print) {
 return new Twig_Node_SandboxedPrint($node->getNode('expr'), $node->getTemplateLine(), $node->getNodeTag());
diff --git a/test/Twig/Tests/Extension/SandboxTest.php b/test/Twig/Tests/Extension/SandboxTest.php
index 9c3f0e78657..e268115c24a 100644
--- a/test/Twig/Tests/Extension/SandboxTest.php
+++ b/test/Twig/Tests/Extension/SandboxTest.php
@@ -36,6 +36,7 @@ protected function setUp()
 '1_layout' => '{% block content %}{% endblock %}',
 '1_child' => "{% extends \"1_layout\" %}\n{% block content %}\n{{ \"a\"|json_encode }}\n{% endblock %}",
 '1_include' => '{{ include("1_basic1", sandboxed=true) }}',
+ '1_range_operator' => '{{ (1..2)[0] }}',
 );
 }
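Review bot: The new guard in the Sandbox.php hunk records only the first `..` node it meets (`!isset($this->functions['range'])`), whereas the function branch on the hunk's first context line assigns `$this->functions[...]` unconditionally, so the `range` entry ends up pointing at the last `range()` call but the first `..` operator in a template; if, as it appears, the stored node supplies the template line of the resulting SecurityError, the two spellings would be reported inconsistently. If that asymmetry is not intended, `if ($node instanceof Twig_Node_Expression_Binary_Range) {` makes both branches behave alike. The comment should also say why the operator is routed through the function policy rather than just that it is equivalent, e.g. `// the .. operator compiles to a range() call, so it must pass the same allowed-function check as range()`. doEnterNode starts before this hunk and continues after it.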
@@ -143,6 +144,18 @@ public function testSandboxUnallowedFunction()
 }
 }
+ public function testSandboxUnallowedRangeOperator()
+ {
+ $twig = $this->getEnvironment(true, array(), self::$templates);
+ try {
+ $twig->loadTemplate('1_range_operator')->render(self::$params);
+ $this->fail('Sandbox throws a SecurityError exception if the unallowed range operator is called');
+ } catch (Twig_Sandbox_SecurityError $e) {
+ $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedFunctionError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFunctionError');
+ $this->assertEquals('range', $e->getFunctionName(), 'Exception should be raised on the "range" function');
+ }
+ }
+
 public function testSandboxAllowMethodFoo()
 {
 $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => 'foo'));
@@ -191,6 +204,12 @@ public function testSandboxAllowFunction()
 $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions');
 }
+ public function testSandboxAllowRangeOperator()
+ {
+ $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('range'));
+ $this->assertEquals('1', $twig->loadTemplate('1_range_operator')->render(self::$params), 'Sandbox allow the range operator');
+ }
+
 public function testSandboxAllowFunctionsCaseInsensitive()
 {
 foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) {
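Review bot: testSandboxUnallowedRangeOperator only exercises the `(1..2)[0]` fixture, so it does not show that a `..` used as the sequence of a `for` tag, the more common spelling, is refused by the same policy; the node visitor should reach that node the same way, but nothing here pins it down. A second fixture in the setUp() table, e.g. `'1_range_for' => '{% for i in 1..2 %}{{ i }}{% endfor %}'`, rendered under the same expectations (SecurityNotAllowedFunctionError naming `range`) would cover it; the fixture table lives in an earlier hunk of this file.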
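Review bot: In testSandboxAllowRangeOperator the eighth positional argument `array('range')` is the only thing that distinguishes this environment from the one in the unallowed test, and nothing at the call site says what it is; the four empty `array()` placeholders in front of it make the line hard to read. Introducing a named local, `$allowedFunctions = array('range');`, and passing it in that position would make the intent visible, assuming getEnvironment's eighth parameter is the allowed-functions list (its signature is outside this hunk).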