< ? php
/*
* This file is part of Twig .
*
* ( c ) Fabien Potencier
*
* For the full copyright and license information , please view the LICENSE
* file that was distributed with this source code .
*/
/**
* Represents a security policy which needs to be enforced when sandbox mode is enabled.
*
* @ final
*
* @ author Fabien Potencier < fabien @ symfony . com >
*/
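class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface
{
    /** @var array Names of the tags a sandboxed template may use. */
    protected $allowedTags;

    /** @var array Names of the filters a sandboxed template may use. */
    protected $allowedFilters;

    /** @var array Map of class name => list of lower-cased method names (see setAllowedMethods()). */
    protected $allowedMethods;

    /** @var array Map of class name => property name, or list of property names. */
    protected $allowedProperties;

    /** @var array Names of the functions a sandboxed template may use. */
    protected $allowedFunctions;

    /**
     * Builds the policy from its five allowlists; every list defaults to empty,
     * so a policy created without arguments allows nothing.
     *
     * @param array $allowedTags       Tag names
     * @param array $allowedFilters    Filter names
     * @param array $allowedMethods    Class name => method name or list of method names
     * @param array $allowedProperties Class name => property name or list of property names
     * @param array $allowedFunctions  Function names
     */
    public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array())
    {
        $this->allowedTags = $allowedTags;
        $this->allowedFilters = $allowedFilters;
        // Routed through the setter so method names are stored lower-cased.
        $this->setAllowedMethods($allowedMethods);
        $this->allowedProperties = $allowedProperties;
        $this->allowedFunctions = $allowedFunctions;
    }

    /**
     * Replaces the tag allowlist.
     *
     * @param array $tags Tag names
     */
    public function setAllowedTags(array $tags)
    {
        $this->allowedTags = $tags;
    }

    /**
     * Replaces the filter allowlist.
     *
     * @param array $filters Filter names
     */
    public function setAllowedFilters(array $filters)
    {
        $this->allowedFilters = $filters;
    }

    /**
     * Replaces the method allowlist, storing every method name lower-cased.
     *
     * @param array $methods Class name => method name or list of method names
     */
    public function setAllowedMethods(array $methods)
    {
        $this->allowedMethods = array();
        foreach ($methods as $class => $m) {
            // checkMethodAllowed() lower-cases the requested name the same way before comparing.
            // NOTE(review): strtolower() follows the process locale on PHP releases before 8.2.
            $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m));
        }
    }

    /**
     * Replaces the property allowlist.
     *
     * @param array $properties Class name => property name or list of property names
     */
    public function setAllowedProperties(array $properties)
    {
        $this->allowedProperties = $properties;
    }

    /**
     * Replaces the function allowlist.
     *
     * @param array $functions Function names
     */
    public function setAllowedFunctions(array $functions)
    {
        $this->allowedFunctions = $functions;
    }

    /**
     * Checks the tags, filters and functions used by a template against the allowlists.
     *
     * Tags are checked first, then filters, then functions; the first name that
     * is not listed raises the matching exception and the remaining names are
     * not examined.
     *
     * @param array $tags      Tag names used by the template
     * @param array $filters   Filter names used by the template
     * @param array $functions Function names used by the template
     *
     * @throws Twig_Sandbox_SecurityNotAllowedTagError
     * @throws Twig_Sandbox_SecurityNotAllowedFilterError
     * @throws Twig_Sandbox_SecurityNotAllowedFunctionError
     */
    public function checkSecurity($tags, $filters, $functions)
    {
        foreach ($tags as $tag) {
            if (!self::isListed($tag, $this->allowedTags)) {
                throw new Twig_Sandbox_SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
            }
        }

        foreach ($filters as $filter) {
            if (!self::isListed($filter, $this->allowedFilters)) {
                throw new Twig_Sandbox_SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
            }
        }

        foreach ($functions as $function) {
            if (!self::isListed($function, $this->allowedFunctions)) {
                throw new Twig_Sandbox_SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    /**
     * Checks that calling $method on $obj is permitted.
     *
     * Template and markup objects are always permitted. For any other object
     * only the FIRST allowedMethods entry whose class matches $obj is consulted
     * (the loop stops on it), so the order of the entries matters when both a
     * class and one of its parents or interfaces are listed.
     *
     * @param object $obj    The object the method is called on
     * @param string $method The method name (compared lower-cased)
     *
     * @return true|null True for template/markup objects, nothing otherwise
     *
     * @throws Twig_Sandbox_SecurityNotAllowedMethodError When the method is not listed
     */
    public function checkMethodAllowed($obj, $method)
    {
        if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) {
            return true;
        }

        $allowed = false;
        $method = strtolower($method);
        foreach ($this->allowedMethods as $class => $methods) {
            if ($obj instanceof $class) {
                $allowed = self::isListed($method, $methods);

                break;
            }
        }

        if (!$allowed) {
            $class = get_class($obj);
            throw new Twig_Sandbox_SecurityNotAllowedMethodError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, $class), $class, $method);
        }
    }

    /**
     * Checks that reading $property on $obj is permitted.
     *
     * As with methods, only the first allowedProperties entry whose class
     * matches $obj is consulted. Property names are compared as given; unlike
     * method names they are not lower-cased.
     *
     * @param object $obj      The object the property is read from
     * @param string $property The property name
     *
     * @throws Twig_Sandbox_SecurityNotAllowedPropertyError When the property is not listed
     */
    public function checkPropertyAllowed($obj, $property)
    {
        $allowed = false;
        foreach ($this->allowedProperties as $class => $properties) {
            if ($obj instanceof $class) {
                $allowed = self::isListed($property, is_array($properties) ? $properties : array($properties));

                break;
            }
        }

        if (!$allowed) {
            $class = get_class($obj);
            throw new Twig_Sandbox_SecurityNotAllowedPropertyError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, $class), $class, $property);
        }
    }

    /**
     * Tells whether $name appears in $allowed, comparing names as exact strings.
     *
     * A loose in_array() is not a safe allowlist test: a stray `true` entry
     * loosely equals every non-empty string, and on PHP releases before 8.0 an
     * integer 0 entry loosely equals every non-numeric string, so one badly
     * typed entry would allow every name. Only string and integer entries are
     * considered here, and each must equal the requested name exactly.
     *
     * @param mixed $name    The requested name
     * @param array $allowed The allowlist to search
     *
     * @return bool
     */
    private static function isListed($name, array $allowed)
    {
        if (!is_scalar($name) && !(is_object($name) && method_exists($name, '__toString'))) {
            // Fail closed on anything that has no string form.
            return false;
        }

        $name = (string) $name;
        foreach ($allowed as $candidate) {
            if ((is_string($candidate) || is_int($candidate)) && (string) $candidate === $name) {
                return true;
            }
        }

        return false;
    }
}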
// Make the class reachable under its namespaced name as well. The third
// argument (false) tells class_alias() not to invoke the autoloader when
// the original class cannot be found.
class_alias(
    'Twig_Sandbox_SecurityPolicy',
    'Twig\Sandbox\SecurityPolicy',
    false
);