
fixed sandbox mode when used with inheritance (closes #656)

The checkSecurity() method must be called by each template as we are not
using inheritance.

Fabien Potencier authored on 17/03/2012 12:51:26
Showing 4 changed files
... ...
@@ -1,5 +1,6 @@
1 1
 * 1.7.0 (2012-XX-XX)
2 2
 
3
+ * fixed sandbox mode when used with inheritance
3 4
  * added preserveKeys support for the slice filter
4 5
  * fixed the date filter when a DateTime instance is passed with a specific timezone
5 6
  * added a trim filter
... ...
@@ -33,9 +33,7 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module
33 33
 
34 34
     protected function compileDisplayBody(Twig_Compiler $compiler)
35 35
     {
36
-        if (null === $this->getNode('parent')) {
37
-            $compiler->write("\$this->checkSecurity();\n");
38
-        }
36
+        $compiler->write("\$this->checkSecurity();\n");
39 37
 
40 38
         parent::compileDisplayBody($compiler);
41 39
     }
... ...
@@ -54,16 +52,6 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module
54 52
             ->write(!$this->usedFunctions ? "array()\n" : "array('".implode('\', \'', $this->usedFunctions)."')\n")
55 53
             ->outdent()
56 54
             ->write(");\n")
57
-        ;
58
-
59
-        if (null !== $this->getNode('parent')) {
60
-            $compiler
61
-                ->raw("\n")
62
-                ->write("\$this->parent->checkSecurity();\n")
63
-            ;
64
-        }
65
-
66
-        $compiler
67 55
             ->outdent()
68 56
             ->write("}\n\n")
69 57
         ;
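Review bot: The sandbox check is now emitted only at the top of the display body in compileDisplayBody(), so enforcement depends on every entry into a compiled template passing through doDisplay(). Nothing in these hunks shows whether other entry points, such as blocks or macros invoked on a template that was never displayed, also reach checkSecurity(); that should be confirmed and pinned with a test. The reason for the unconditional call is worth recording next to it, e.g. `// each template in an extends chain checks its own tags, filters and functions; a child's display only delegates to the parent`. The method that generates checkSecurity() in the second hunk begins outside the visible lines.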
... ...
@@ -31,9 +31,21 @@ class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase
31 31
             '1_basic7' => '{{ cycle(["foo","bar"], 1) }}',
32 32
             '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',
33 33
             '1_basic'  => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
34
+            '1_layout' => '{% block content %}{% endblock %}',
35
+            '1_child'  => '{% extends "1_layout" %}{% block content %}{{ "a"|json_encode }}{% endblock %}',
34 36
         );
35 37
     }
36 38
 
39
+    /**
40
+     * @expectedException        Twig_Sandbox_SecurityError
41
+     * @expectedExceptionMessage Filter "json_encode" is not allowed.
42
+     */
43
+    public function testSandboxWithInheritance()
44
+    {
45
+        $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));
46
+        $twig->loadTemplate('1_child')->render(array());
47
+    }
48
+
37 49
     public function testSandboxGloballySet()
38 50
     {
39 51
         $twig = $this->getEnvironment(false, array(), self::$templates);
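Review bot: testSandboxWithInheritance() only pins the case where the disallowed filter sits in the child's overriding block; nothing asserts that the parent layout's own filters are still checked when it is rendered through a child, which is the other half of what this commit changes. A second fixture pair with the violation in the layout would cover it, for example `'1_layout_bad' => '{% block content %}{{ "a"|json_encode }}{% endblock %}'` extended by a child that does not override the block (the template name is constructed here). A positive case, where a child using only allowed filters renders normally under the sandbox, would guard against the check over-blocking.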
... ...
@@ -113,6 +113,7 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template
113 113
 
114 114
     protected function doDisplay(array \$context, array \$blocks = array())
115 115
     {
116
+        \$this->checkSecurity();
116 117
         \$this->getParent(\$context)->display(\$context, array_merge(\$this->blocks, \$blocks));
117 118
     }
118 119
 
... ...
@@ -122,8 +123,6 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template
122 123
             array('for'),
123 124
             array('cycle')
124 125
         );
125
-
126
-        \$this->parent->checkSecurity();
127 126
     }
128 127
 
129 128
     public function getTemplateName()