From 713ba52e2620626d2ab33374c89cfcf7ce91bbfb Mon Sep 17 00:00:00 2001
From: Petr Soukup
Date: Thu, 24 Aug 2017 15:47:44 +0200
Subject: [PATCH 1/4] validate eval input from plural forms
---
 src/Translator.php | 3 +++
 tests/TranslatorTest.php | 17 +++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/src/Translator.php b/src/Translator.php
index 147f0c2b..83110686 100644
--- a/src/Translator.php
+++ b/src/Translator.php
@@ -238,6 +238,9 @@ protected function getPluralIndex($domain, $n, $fallback)
 */
 private static function fixTerseIfs($code, $inner = false)
 {
+ if(preg_match('~[^\s0-9n<>|&=\-+%?:();\$]~', str_replace('return ', '', $code))) {
+ throw new \InvalidArgumentException('Invalid Plural form: ' . $code);
+ }
 /*
 * (?P[^?]+) Capture everything up to ? as 'expression'
 * \? ?
diff --git a/tests/TranslatorTest.php b/tests/TranslatorTest.php
index fae24aa2..e1817834 100755
--- a/tests/TranslatorTest.php
+++ b/tests/TranslatorTest.php
@@ -97,6 +97,23 @@ public function testPluralFunction()
 $this->assertEquals('beaucoup de commentaires', n__('One comment', '%s comments', 3, ['%s' => 'beaucoup de']));
 }
 
+ public function testPluralInjection()
+ {
+ $translations = new Translations();
+ $translations->setPluralForms(2,'fuu_call()');
+ $translations[] =
+ (new Translation(null, 'One comment', '%s comments'))
+ ->setTranslation('Un commentaire')
+ ->setPluralTranslations(['%s commentaires']);
+ $t = new Translator();
+ $t->loadTranslations($translations);
+
+ $t->register();
+
+ $this->expectException(\InvalidArgumentException::class);
+ n__('One comment', '%s comments', 3);
+ }
+
 public function testContextFunction()
 {
 $translations = new Translations();
From b038b9c5f15bbd968b9a548c0e97369e632ad6ab Mon Sep 17 00:00:00 2001
From: Petr Soukup
Date: Thu, 24 Aug 2017 15:52:53 +0200
Subject: [PATCH 2/4] code style
---
 src/Translator.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
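Review bot: The new allow-list in `fixTerseIfs` has no `!`, so a standard plural expression such as `n != 1` would hit the `InvalidArgumentException` unless `!` is rewritten before this call. It is also a per-character filter, so it constrains the alphabet but not the structure of what later reaches the eval named in the commit subject (not visible in this hunk): `$`, `(` and `n` are accepted in any position and in any number. A token-level pattern is tighter, for example `if (!preg_match('~^(?:\s|\d|return\b|\$n\b(?!\s*\()|[<>|&=!\-+%?:();])*$~', $code)) {`, assuming `$code` already carries `$n` and `return` as the current class suggests. The `$inner` parameter suggests the function recurses, so the check would sit better next to the eval call, run once per loaded form; the body of `fixTerseIfs` continues past the hunk.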
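Review bot: `testPluralInjection` pins one rejected input, `fuu_call()`, which the filter refuses on its letters alone; no case here shows that a symbols-only malformed form is refused or that a real form such as `n != 1` is still accepted after the filter. Because `expectException` is armed only after `loadTranslations()` and `register()`, the test also fixes the behaviour that an invalid form loads cleanly and fails on the first `n__()` call. If load-time rejection is the intent, assert it there; otherwise add a comment such as `// validation is lazy: the form is checked on first plural lookup`. A data provider with a few accepted and rejected forms would make the boundary of the allow-list explicit.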
diff --git a/src/Translator.php b/src/Translator.php
index 83110686..992ddd56 100644
--- a/src/Translator.php
+++ b/src/Translator.php
@@ -238,7 +238,7 @@ protected function getPluralIndex($domain, $n, $fallback)
 */
 private static function fixTerseIfs($code, $inner = false)
 {
- if(preg_match('~[^\s0-9n<>|&=\-+%?:();\$]~', str_replace('return ', '', $code))) {
+ if (preg_match('~[^\s0-9n<>|&=\-+%?:();\$]~', str_replace('return ', '', $code))) {
 throw new \InvalidArgumentException('Invalid Plural form: ' . $code);
 }
 /*
From 329e15f393397c2f659030a4a5e40b289d89186e Mon Sep 17 00:00:00 2001
From: Petr Soukup
Date: Thu, 24 Aug 2017 16:01:24 +0200
Subject: [PATCH 3/4] fix test on PHP 5.4
---
 tests/TranslatorTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/TranslatorTest.php b/tests/TranslatorTest.php
index e1817834..81e90aea 100755
--- a/tests/TranslatorTest.php
+++ b/tests/TranslatorTest.php
@@ -110,7 +110,7 @@ public function testPluralInjection()
 
 $t->register();
 
- $this->expectException(\InvalidArgumentException::class);
+ $this->setExpectedException(\InvalidArgumentException::class);
 n__('One comment', '%s comments', 3);
 }
 
From 575445174cc0171a9f9386234f14078a53287d00 Mon Sep 17 00:00:00 2001
From: Petr Soukup
Date: Thu, 24 Aug 2017 16:12:02 +0200
Subject: [PATCH 4/4] fix test on PHP 5.4
---
 tests/TranslatorTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/TranslatorTest.php b/tests/TranslatorTest.php
index 81e90aea..c6a0d2b9 100755
--- a/tests/TranslatorTest.php
+++ b/tests/TranslatorTest.php
@@ -110,7 +110,7 @@ public function testPluralInjection()
 
 $t->register();
 
- $this->setExpectedException(\InvalidArgumentException::class);
+ $this->setExpectedException('InvalidArgumentException');
 n__('One comment', '%s comments', 3);
 }
 
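Review bot: `setExpectedException()` was removed in PHPUnit 6, so the call introduced in the PATCH 3/4 hunk (and kept, with a string class name, in PATCH 4/4) ties this security regression test to old PHPUnit releases. Guarding on the available method keeps it running on both: `if (method_exists($this, 'expectException')) { $this->expectException('InvalidArgumentException'); } else { $this->setExpectedException('InvalidArgumentException'); }`. A test that silently stops running on a newer toolchain would leave the eval input check unverified.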