Sandbox array bug & fix #106
I think the current behavior is the right one. If an object implements ArrayAccess, it means that it must behave like any other array in PHP and as far as the sandbox is concerned. So, I don't want to make a difference between real arrays and objects that implement ArrayAccess. The only possibility is to add protection for array items, which seems overkill.
I just ran into this myself with Consequently, even with the sandbox enabled, this is still allowed through: {{ app.secret_key }}
Situation:
An unexpected behavior regarding arrays: in Twig_Template::getAttribute(), if a referenced object is an array then security checking is skipped. That is all right, but in addition to checking with is_array(), Twig also checks for objects that implement ArrayAccess, and if so the object is considered an array and security checking is again skipped.
Issue:
This doesn't seem like good behavior, because there are a lot of objects that implement ArrayAccess and a security policy must be enforced on them. For example, I found out about this behavior while feeding the template with some active record objects; the base AR class implements ArrayAccess to allow access to model attributes using array-like syntax. But the security policy still needs to be enforced, especially since AR objects are tightly linked to the database and I don't want users to get any ideas...
Resolution:
I think the best way is to differentiate between native arrays (checked with is_array()) and objects that implement ArrayAccess. If it is the latter, then the security policy must be enforced.
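The distinction proposed above, as an added example that is not Twig's own code: a simplified, hypothetical stand-in for the attribute lookup that lets native arrays through but runs the sandbox policy on ArrayAccess objects. The policy class, the Record class and the sample data are constructed for illustration.

```php
<?php
// Added example, not from Twig. Shows the proposed behavior: native arrays
// bypass the object policy, ArrayAccess objects do not.

final class SecurityError extends RuntimeException {}

// Hypothetical allow-list policy: a property read on an object is permitted
// only if that class/property pair is explicitly listed.
final class AllowListPolicy {
    public function __construct(private array $allowed) {}
    public function checkPropertyAllowed(object $obj, string $prop): void {
        $cls = get_class($obj);
        if (!in_array($prop, $this->allowed[$cls] ?? [], true)) {
            throw new SecurityError(sprintf('Reading "%s" on "%s" is not allowed.', $prop, $cls));
        }
    }
}

// Hypothetical active-record-like class exposing attributes via ArrayAccess.
final class Record implements ArrayAccess {
    public function __construct(private array $attrs) {}
    public function offsetExists(mixed $k): bool { return isset($this->attrs[$k]); }
    public function offsetGet(mixed $k): mixed { return $this->attrs[$k] ?? null; }
    public function offsetSet(mixed $k, mixed $v): void { $this->attrs[$k] = $v; }
    public function offsetUnset(mixed $k): void { unset($this->attrs[$k]); }
}

// Simplified sandboxed lookup. The order of checks is the point of the fix:
// is_array() is tested first and alone; an ArrayAccess object falls through
// to the policy check before its offset is read.
function getAttribute(AllowListPolicy $policy, mixed $object, string $item): mixed {
    if (is_array($object)) {                 // native array: no object policy applies
        return $object[$item] ?? null;
    }
    if ($object instanceof ArrayAccess) {    // array-like object: enforce policy first
        $policy->checkPropertyAllowed($object, $item);
        return $object[$item] ?? null;
    }
    if (is_object($object)) {                // plain object: existing policy path
        $policy->checkPropertyAllowed($object, $item);
        return $object->$item ?? null;
    }
    return null;
}

// Constructed sample data.
$policy = new AllowListPolicy(['Record' => ['title']]);
$record = new Record(['title' => 'Hello', 'secret_key' => 'constructed-sample-value']);
var_dump(getAttribute($policy, ['k' => 'v'], 'k'));   // native array: "v"
var_dump(getAttribute($policy, $record, 'title'));    // allowed attribute: "Hello"
try { getAttribute($policy, $record, 'secret_key'); } // denied: SecurityError
catch (SecurityError $e) { echo $e->getMessage(), "\n"; }
```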