Browse code
fixed sandbox mode when used with inheritance (closes #656)
The checkSecurity() method must be called by each template as we are not
using inheritance.
Fabien Potencier authored on 17/03/2012 12:51:26
Showing 4 changed files
- CHANGELOG
- lib/Twig/Node/SandboxedModule.php
- test/Twig/Tests/Extension/SandboxTest.php
- test/Twig/Tests/Node/SandboxedModuleTest.php
| ... | ... |
@@ -33,9 +33,7 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module |
| 33 | 33 |
|
| 34 | 34 |
protected function compileDisplayBody(Twig_Compiler $compiler) |
| 35 | 35 |
{
|
| 36 |
- if (null === $this->getNode('parent')) {
|
|
| 37 |
- $compiler->write("\$this->checkSecurity();\n");
|
|
| 38 |
- } |
|
| 36 |
+ $compiler->write("\$this->checkSecurity();\n");
|
|
| 39 | 37 |
|
| 40 | 38 |
parent::compileDisplayBody($compiler); |
| 41 | 39 |
} |
| ... | ... |
@@ -54,16 +52,6 @@ class Twig_Node_SandboxedModule extends Twig_Node_Module |
| 54 | 52 |
->write(!$this->usedFunctions ? "array()\n" : "array('".implode('\', \'', $this->usedFunctions)."')\n")
|
| 55 | 53 |
->outdent() |
| 56 | 54 |
->write(");\n")
|
| 57 |
- ; |
|
| 58 |
- |
|
| 59 |
- if (null !== $this->getNode('parent')) {
|
|
| 60 |
- $compiler |
|
| 61 |
- ->raw("\n")
|
|
| 62 |
- ->write("\$this->parent->checkSecurity();\n")
|
|
| 63 |
- ; |
|
| 64 |
- } |
|
| 65 |
- |
|
| 66 |
- $compiler |
|
| 67 | 55 |
->outdent() |
| 68 | 56 |
->write("}\n\n")
|
| 69 | 57 |
; |
| ... | ... |
@@ -31,9 +31,21 @@ class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase |
| 31 | 31 |
'1_basic7' => '{{ cycle(["foo","bar"], 1) }}',
|
| 32 | 32 |
'1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',
|
| 33 | 33 |
'1_basic' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
|
| 34 |
+ '1_layout' => '{% block content %}{% endblock %}',
|
|
| 35 |
+ '1_child' => '{% extends "1_layout" %}{% block content %}{{ "a"|json_encode }}{% endblock %}',
|
|
| 34 | 36 |
); |
| 35 | 37 |
} |
| 36 | 38 |
|
| 39 |
+ /** |
|
| 40 |
+ * @expectedException Twig_Sandbox_SecurityError |
|
| 41 |
+ * @expectedExceptionMessage Filter "json_encode" is not allowed. |
|
| 42 |
+ */ |
|
| 43 |
+ public function testSandboxWithInheritance() |
|
| 44 |
+ {
|
|
| 45 |
+ $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));
|
|
| 46 |
+ $twig->loadTemplate('1_child')->render(array());
|
|
| 47 |
+ } |
|
| 48 |
+ |
|
| 37 | 49 |
public function testSandboxGloballySet() |
| 38 | 50 |
{
|
| 39 | 51 |
$twig = $this->getEnvironment(false, array(), self::$templates); |
| ... | ... |
@@ -113,6 +113,7 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template |
| 113 | 113 |
|
| 114 | 114 |
protected function doDisplay(array \$context, array \$blocks = array()) |
| 115 | 115 |
{
|
| 116 |
+ \$this->checkSecurity(); |
|
| 116 | 117 |
\$this->getParent(\$context)->display(\$context, array_merge(\$this->blocks, \$blocks)); |
| 117 | 118 |
} |
| 118 | 119 |
|
| ... | ... |
@@ -122,8 +123,6 @@ class __TwigTemplate_be925a7b06dda0dfdbd18a1509f7eb34 extends Twig_Template |
| 122 | 123 |
array('for'),
|
| 123 | 124 |
array('cycle')
|
| 124 | 125 |
); |
| 125 |
- |
|
| 126 |
- \$this->parent->checkSecurity(); |
|
| 127 | 126 |
} |
| 128 | 127 |
|
| 129 | 128 |
public function getTemplateName() |