Security fixes for v1.0.469
Introduces sandbox policy to block extendable methods allowing arbitrary code execution
Showing
3 changed files
with
67 additions
and
0 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| <?php namespace System\Twig; | ||
|
|
||
| use Twig\Markup; | ||
| use Twig\Template; | ||
| use Twig\Sandbox\SecurityPolicyInterface; | ||
| use Twig\Sandbox\SecurityNotAllowedMethodError; | ||
| use Twig\Sandbox\SecurityNotAllowedPropertyError; | ||
|
|
||
| /** | ||
| * SecurityPolicy globally blocks accessibility of certain methods and properties. | ||
| * | ||
| * @package october\system | ||
| * @author Alexey Bobkov, Samuel Georges | ||
| */ | ||
| final class SecurityPolicy implements SecurityPolicyInterface | ||
| { | ||
| protected $blockedProperties = []; | ||
|
|
||
| protected $blockedMethods = [ | ||
| 'addDynamicMethod', | ||
| 'addDynamicProperty' | ||
| ]; | ||
|
|
||
| public function __construct() | ||
| { | ||
| $this->setBlockedMethods($this->blockedMethods); | ||
| } | ||
|
|
||
| public function setBlockedMethods(array $methods) | ||
LukeTowers
Contributor
|
||
| { | ||
| foreach ($this->blockedMethods as $i => $m) { | ||
| $this->blockedMethods[$i] = strtr($m, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'); | ||
| } | ||
| } | ||
|
|
||
| public function checkSecurity($tags, $filters, $functions) | ||
| { | ||
| } | ||
|
|
||
| public function checkMethodAllowed($obj, $method) | ||
| { | ||
| if ($obj instanceof Template || $obj instanceof Markup) { | ||
| return; | ||
| } | ||
|
|
||
| $blockedMethod = strtr($method, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'); | ||
|
|
||
| if (in_array($blockedMethod, $this->blockedMethods)) { | ||
| $class = get_class($obj); | ||
| throw new SecurityNotAllowedMethodError(sprintf('Calling "%s" method on a "%s" object is blocked.', $method, $class), $class, $method); | ||
| } | ||
| } | ||
|
|
||
| public function checkPropertyAllowed($obj, $property) | ||
| { | ||
| if (in_array($property, $this->blockedProperties)) { | ||
| $class = get_class($obj); | ||
| throw new SecurityNotAllowedPropertyError(sprintf('Calling "%s" property on a "%s" object is blocked.', $property, $class), $class, $property); | ||
| } | ||
| } | ||
| } | ||
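Review bot: The `in_array` lookups in `checkMethodAllowed` and `checkPropertyAllowed` are loose, so a non-string `$method` or `$property` would be compared with type juggling; pass the strict flag, `in_array($blockedMethod, $this->blockedMethods, true)`, and do the same for `$blockedProperties`. The class is also a denylist by name, with an empty `checkSecurity` and an empty `$blockedProperties`, so only the two listed method names are refused and any other public method that performs the same registration would presumably remain callable from a template. A sentence in the class docblock stating that limit, plus a test asserting that `addDynamicMethod` is rejected when written in mixed case, would make the guarantee explicit. A comment above the `strtr` call, `// PHP method names are case-insensitive, so compare in lowercase`, would explain why methods are normalised and properties are not.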
The argument $methods is not used inside this function's body? Is this on purpose? @daftspunk