Fix sandbox for methods

twigphp · Jan 25, 2021 · fb3f27c · fb3f27c
1 parent 15aa49e
commit fb3f27c
Showing 1 changed file with 28 additions and 3 deletions.
diff --git a/src/Template.php b/src/Template.php
@@ -15,6 +15,8 @@
 use Twig\Error\Error;
 use Twig\Error\LoaderError;
 use Twig\Error\RuntimeError;
+use Twig\Extension\SandboxExtension;
+use Twig\Sandbox\SecurityError;
 
 /**
  * Default base class for compiled templates.
@@ -526,6 +528,7 @@ final protected function getContext($context, $item, $ignoreStrictCheck = false)
      * @return mixed The attribute value, or a Boolean when $isDefinedTest is true, or null when the attribute is not set and $ignoreStrictCheck is true
      *
      * @throws RuntimeError if the attribute does not exist and Twig is running in strict mode and $isDefinedTest is false
+     * @throws SecurityError if the attribute is not allowed
      *
      * @internal
      */
@@ -601,17 +604,23 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
         }
 
         // object property
+        $propertySandboxException = null;
         if (self::METHOD_CALL !== $type && !$object instanceof self) { // \Twig\Template does not have public properties, and we don't want to allow access to internal ones
             if (isset($object->$item) || \array_key_exists((string) $item, (array) $object)) {
                 if ($isDefinedTest) {
                     return true;
                 }
 
                 if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {
-                    $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);
+                    try {
+                        $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);
+                    } catch (SecurityError $propertySandboxException) {
+                    }
                 }
 
-                return $object->$item;
+                if (null === $propertySandboxException) {
+                    return $object->$item;
+                }
             }
         }
 
@@ -678,6 +687,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
                 return false;
             }
 
+            if (null !== $propertySandboxException) {
+                throw $propertySandboxException;
+            }
+
             if ($ignoreStrictCheck || !$this->env->isStrictVariables()) {
                 return;
             }
@@ -690,7 +703,15 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
         }
 
         if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {
-            $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkMethodAllowed($object, $method);
+            try {
+                $this->env->getExtension(SandboxExtension::class)->checkMethodAllowed($object, $call ? '__call' : $method);
+            } catch (SecurityError $e) {
+                if ($call && null !== $propertySandboxException) {
+                    throw $propertySandboxException;
+                }
+
+                throw $e;
+            }
         }
 
         // Some objects throw exceptions when they have __call, and the method we try
@@ -702,6 +723,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
                 $ret = \call_user_func_array([$object, $method], $arguments);
             }
         } catch (\BadMethodCallException $e) {
+            if ($call && null !== $propertySandboxException) {
+                throw $propertySandboxException;
+            }
+
             if ($call && ($ignoreStrictCheck || !$this->env->isStrictVariables())) {
                 return;
             }