SECURITY: allowing for direct injection (Issue #8)
sroehrl committed Oct 21, 2021
1 parent 7c7d176 commit 4a2c957
Showing 4 changed files with 12 additions and 15 deletions.
10 changes: 4 additions & 6 deletions Template.php
Expand Up @@ -24,12 +24,10 @@ static function embrace($content, $array)
$saveClosing = preg_quote(TemplateFunctions::getDelimiters()[1]);
foreach ($flatArray as $flatKey => $value){
$flatKey = preg_replace('/[\/\.\\\+\*\?\[\^\]\$\(\)\{\}\=\!\<\>\|\:\-]/', "\\\\$0",$flatKey);
if(is_callable($value)){
TemplateFunctions::registerClosure($flatKey,$value);
} else {
$content = preg_replace("/$saveOpening\s*$flatKey\s*$saveClosing/", $value, $content);
$content = TemplateFunctions::tryClosures($flatArray, $content, false);
}
// PATCHED: direct function injection is not allowed anymore
$content = preg_replace("/$saveOpening\s*$flatKey\s*$saveClosing/", $value, $content);
$content = TemplateFunctions::tryClosures($flatArray, $content, false);

}

return $content;
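Review bot: On the new `$content = preg_replace("/$saveOpening\s*$flatKey\s*$saveClosing/", $value, $content);` line, `$value` is used as a PCRE replacement string, so `$` and `\` sequences in the data are read as group references rather than copied literally (a value such as `$10` or `\0` is rewritten instead of being inserted verbatim), and a value that is still a Closure now reaches preg_replace as an object, which PHP 8 rejects with a TypeError rather than a clear error. Substitute the value as plain text instead, e.g. `$content = preg_replace_callback("/$saveOpening\s*$flatKey\s*$saveClosing/", static function () use ($value) { return (string) $value; }, $content);`, or escape it first with `addcslashes((string) $value, '\\$')` before the existing call. The comment should also state the contract the commit establishes rather than the history, e.g. `// Values are substituted as plain text; callables must be registered via TemplateFunctions::registerClosure()`. Note that the value is not HTML-escaped either, so callers passing untrusted data still get unencoded output; that may be by design for this engine but deserves a line in the docblock. embrace() starts before and ends after this hunk.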
8 changes: 4 additions & 4 deletions TemplateFunctions.php
Expand Up @@ -103,7 +103,7 @@ private static function retrieveClosurePattern($pure, $closureName)
if (!$pure) {
$pattern .= preg_quote(self::$registeredDelimiters[0]) . "\s*";
}
$pattern .= "$closureName\(([a-z0-9,\.\s]+)\)";
$pattern .= "$closureName\(([a-z0-9,\.\s_]+)\)";
if (!$pure) {
$pattern .= "\s*" . preg_quote(self::$registeredDelimiters[1]);
}
Expand Down Expand Up @@ -201,7 +201,6 @@ private static function evaluateTypedCondition(array $flatArray, $expression): b
foreach ($flatArray as $key => $value) {
$pattern = '/' . $key . '([^.]|$)/';
if (preg_match($pattern, $expression, $matches)) {

switch (gettype($flatArray[$key])) {
case 'boolean':
$expression = str_replace($key, $flatArray[$key] ? 'true' : 'false', $expression);
Expand Down Expand Up @@ -241,11 +240,12 @@ static function nIf($content, $array)
return $content;
}

$array = Template::flattenArray($array);
// important: first try closures
$array = array_merge(self::$registeredClosures, $array);
foreach ($hits as $hit) {
$expression = $hit->getAttribute('n-if');
$array = Template::flattenArray($array);
$bool = self::evaluateTypedCondition($array, $expression);

if (!$bool) {
$hit->parentNode->removeChild($hit);
} else {
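Review bot: In retrieveClosurePattern the changed line `$pattern .= "$closureName\(([a-z0-9,\.\s_]+)\)";` still interpolates `$closureName` into the pattern unescaped, while the delimiters on either side of it go through preg_quote; a registered closure name containing a regex metacharacter (`.`, `+`, `(`) would alter or break the pattern. Quote it the same way as the delimiters: `$pattern .= preg_quote($closureName, '/') . "\(([a-z0-9,\.\s_]+)\)";`. The argument class also admits no uppercase letters, so a camelCase variable name cannot be passed to a closure unless the pattern is compiled case-insensitively somewhere outside this hunk; if that restriction is intended it should be documented in a comment above the line, otherwise add `A-Z` to the class. retrieveClosurePattern starts before this hunk.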
3 changes: 1 addition & 2 deletions composer.json
@@ -1,13 +1,12 @@
{
"name": "neoan3-apps/template",
"description": "neoan3 minimal template engine",
"version": "1.1.0",
"version": "1.1.1",
"license": "MIT",
"autoload": {
"psr-4": {
"Neoan3\\Apps\\": "./"
}

},
"require": {
"ext-openssl": "*",
6 changes: 3 additions & 3 deletions tests/TemplateTest.php
Expand Up @@ -113,11 +113,11 @@ public function testEmbraceTypes()
public function testCallback()
{
$array = [
'myFunc' => function ($x) {
return strtoupper($x);
},
'some' => 'value'
];
TemplateFunctions::registerClosure('myFunc',function($x){
return strtoupper($x);
});
$t = Template::embraceFromFile('callback.html', $array);

$this->assertStringContainsString('<p>VALUE</p>', $t);
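Review bot: testCallback now only exercises the supported registerClosure path; nothing in this file asserts the behaviour the commit fixes, namely that a string value in the data array that happens to name a PHP function (e.g. `'myFunc' => 'strtoupper'`) is substituted as text and never invoked. A regression test for Issue #8 would pass such an array to embrace with a template that calls `myFunc(...)` and assert the output does not contain `VALUE`. Also, `registerClosure` writes to static state in TemplateFunctions, so `myFunc` stays registered for every later test in the run; unless a tearDown reset exists outside this hunk, other tests may pass or fail depending on ordering. testCallback's closing brace is outside the hunk.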
