hdabo_sf: vendor/twig/lib/Twig/Sandbox/SecurityPolicy.php@d672f7dd74dc (annotated)

0 7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	1	<?php
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	2
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	3	/*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	4	* This file is part of Twig.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	5	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	6	* (c) 2009 Fabien Potencier
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	7	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	8	* For the full copyright and license information, please view the LICENSE
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	9	* file that was distributed with this source code.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	10	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	11
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	12	/**
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	13	* Represents a security policy which need to be enforced when sandbox mode is enabled.
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	14	*
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	15	* @package twig
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	16	* @author Fabien Potencier <fabien@symfony.com>
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	17	*/
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	18	class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	19	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	20	protected $allowedTags;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	21	protected $allowedFilters;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	22	protected $allowedMethods;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	23	protected $allowedProperties;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	24	protected $allowedFunctions;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	25
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	26	public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array())
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	27	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	28	$this->allowedTags = $allowedTags;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	29	$this->allowedFilters = $allowedFilters;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	30	$this->setAllowedMethods($allowedMethods);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	31	$this->allowedProperties = $allowedProperties;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	32	$this->allowedFunctions = $allowedFunctions;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	33	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	34
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	35	public function setAllowedTags(array $tags)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	36	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	37	$this->allowedTags = $tags;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	38	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	39
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	40	public function setAllowedFilters(array $filters)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	41	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	42	$this->allowedFilters = $filters;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	43	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	44
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	45	public function setAllowedMethods(array $methods)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	46	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	47	$this->allowedMethods = array();
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	48	foreach ($methods as $class => $m) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	49	$this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	50	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	51	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	52
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	53	public function setAllowedProperties(array $properties)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	54	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	55	$this->allowedProperties = $properties;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	56	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	57
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	58	public function setAllowedFunctions(array $functions)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	59	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	60	$this->allowedFunctions = $functions;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	61	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	62
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	63	public function checkSecurity($tags, $filters, $functions)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	64	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	65	foreach ($tags as $tag) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	66	if (!in_array($tag, $this->allowedTags)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	67	throw new Twig_Sandbox_SecurityError(sprintf('Tag "%s" is not allowed.', $tag));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	68	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	69	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	70
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	71	foreach ($filters as $filter) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	72	if (!in_array($filter, $this->allowedFilters)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	73	throw new Twig_Sandbox_SecurityError(sprintf('Filter "%s" is not allowed.', $filter));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	74	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	75	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	76
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	77	foreach ($functions as $function) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	78	if (!in_array($function, $this->allowedFunctions)) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	79	throw new Twig_Sandbox_SecurityError(sprintf('Function "%s" is not allowed.', $function));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	80	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	81	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	82	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	83
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	84	public function checkMethodAllowed($obj, $method)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	85	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	86	if ($obj instanceof Twig_TemplateInterface \|\| $obj instanceof Twig_Markup) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	87	return true;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	88	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	89
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	90	$allowed = false;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	91	$method = strtolower($method);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	92	foreach ($this->allowedMethods as $class => $methods) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	93	if ($obj instanceof $class) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	94	$allowed = in_array($method, $methods);
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	95
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	96	break;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	97	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	98	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	99
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	100	if (!$allowed) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	101	throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj)));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	102	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	103	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	104
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	105	public function checkPropertyAllowed($obj, $property)
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	106	{
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	107	$allowed = false;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	108	foreach ($this->allowedProperties as $class => $properties) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	109	if ($obj instanceof $class) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	110	$allowed = in_array($property, is_array($properties) ? $properties : array($properties));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	111
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	112	break;
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	113	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	114	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	115
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	116	if (!$allowed) {
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	117	throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj)));
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	118	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	119	}
7f95f8617b0b first commit ymh <ymh.work@gmail.com> parents: diff changeset	120	}

author	cavaliet
	Mon, 07 Jul 2014 17:23:47 +0200
changeset 122	d672f7dd74dc
parent 0	7f95f8617b0b
permissions	-rwxr-xr-x