1 | <?php |
2 | ||
3 | /* | |
4 | * This file is part of Twig. | |
5 | * | |
6 | * (c) 2009 Fabien Potencier | |
7 | * | |
8 | * For the full copyright and license information, please view the LICENSE | |
9 | * file that was distributed with this source code. | |
10 | */ | |
11 | ||
12 | /** | |
13 | * Represents a security policy which needs to be enforced when sandbox mode is enabled. | |
14 | * | |
15 | * @author Fabien Potencier <fabien@symfony.com> | |
16 | */ | |
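class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface
{
    /** @var array List of allowed tag names */
    protected $allowedTags;

    /** @var array List of allowed filter names */
    protected $allowedFilters;

    /** @var array Map of class/interface name => list of lower-cased allowed method names */
    protected $allowedMethods;

    /** @var array Map of class/interface name => allowed property name, or list of property names */
    protected $allowedProperties;

    /** @var array List of allowed function names */
    protected $allowedFunctions;

    /**
     * @param array $allowedTags       Allowed tag names
     * @param array $allowedFilters    Allowed filter names
     * @param array $allowedMethods    Map of class/interface name => method name or list of method names
     * @param array $allowedProperties Map of class/interface name => property name or list of property names
     * @param array $allowedFunctions  Allowed function names
     */
    public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array())
    {
        $this->allowedTags = $allowedTags;
        $this->allowedFilters = $allowedFilters;
        // methods go through the setter so that they are normalized (lower-cased, list-shaped)
        $this->setAllowedMethods($allowedMethods);
        $this->allowedProperties = $allowedProperties;
        $this->allowedFunctions = $allowedFunctions;
    }

    /**
     * @param array $tags Allowed tag names
     */
    public function setAllowedTags(array $tags)
    {
        $this->allowedTags = $tags;
    }

    /**
     * @param array $filters Allowed filter names
     */
    public function setAllowedFilters(array $filters)
    {
        $this->allowedFilters = $filters;
    }

    /**
     * Stores the allowed methods per class, normalized to a lower-cased list.
     *
     * PHP method names are case-insensitive, so names are lower-cased here and
     * again in checkMethodAllowed() to make the comparison case-insensitive.
     *
     * @param array $methods Map of class/interface name => method name or list of method names
     */
    public function setAllowedMethods(array $methods)
    {
        $this->allowedMethods = array();
        foreach ($methods as $class => $m) {
            $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m));
        }
    }

    /**
     * @param array $properties Map of class/interface name => property name or list of property names
     */
    public function setAllowedProperties(array $properties)
    {
        $this->allowedProperties = $properties;
    }

    /**
     * @param array $functions Allowed function names
     */
    public function setAllowedFunctions(array $functions)
    {
        $this->allowedFunctions = $functions;
    }

    /**
     * Checks that every tag, filter and function used by a template is allowed.
     *
     * Names are compared strictly: an allow-list must not match on PHP's loose
     * string/number coercion rules.
     *
     * @param array $tags      Tag names used by the template
     * @param array $filters   Filter names used by the template
     * @param array $functions Function names used by the template
     *
     * @throws Twig_Sandbox_SecurityError on the first name that is not allowed
     */
    public function checkSecurity($tags, $filters, $functions)
    {
        foreach ($tags as $tag) {
            if (!in_array($tag, $this->allowedTags, true)) {
                throw new Twig_Sandbox_SecurityError(sprintf('Tag "%s" is not allowed.', $tag));
            }
        }

        foreach ($filters as $filter) {
            if (!in_array($filter, $this->allowedFilters, true)) {
                throw new Twig_Sandbox_SecurityError(sprintf('Filter "%s" is not allowed.', $filter));
            }
        }

        foreach ($functions as $function) {
            if (!in_array($function, $this->allowedFunctions, true)) {
                throw new Twig_Sandbox_SecurityError(sprintf('Function "%s" is not allowed.', $function));
            }
        }
    }

    /**
     * Checks that calling $method on $obj is allowed by the policy.
     *
     * Every configured class/interface the object is an instance of is
     * consulted: the call is allowed as soon as one matching entry lists the
     * method. The result therefore does not depend on the order in which the
     * classes were configured (previously only the first matching entry was
     * consulted, so a method allowed on a child class could be denied when a
     * parent class entry came first, and vice versa).
     *
     * @param object $obj    The object the method is called on
     * @param string $method The method name (compared case-insensitively)
     *
     * @return bool|null true for templates and markup objects, which are always allowed
     *
     * @throws Twig_Sandbox_SecurityError when the call is not allowed
     */
    public function checkMethodAllowed($obj, $method)
    {
        // templates and markup objects are part of the engine and always safe to call into
        if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) {
            return true;
        }

        $allowed = false;
        // setAllowedMethods() stores lower-cased names, so lower-case the needle too
        $method = strtolower($method);
        foreach ($this->allowedMethods as $class => $methods) {
            if ($obj instanceof $class && in_array($method, $methods, true)) {
                $allowed = true;

                break;
            }
        }

        if (!$allowed) {
            throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj)));
        }
    }

    /**
     * Checks that reading $property on $obj is allowed by the policy.
     *
     * As with methods, every matching class/interface entry is consulted and
     * the access is allowed as soon as one of them lists the property.
     *
     * @param object $obj      The object the property is read from
     * @param string $property The property name (compared strictly, case-sensitive)
     *
     * @throws Twig_Sandbox_SecurityError when the access is not allowed
     */
    public function checkPropertyAllowed($obj, $property)
    {
        $allowed = false;
        foreach ($this->allowedProperties as $class => $properties) {
            // a single property name may be given as a bare string instead of a list
            if ($obj instanceof $class && in_array($property, is_array($properties) ? $properties : array($properties), true)) {
                $allowed = true;

                break;
            }
        }

        if (!$allowed) {
            throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj)));
        }
    }
}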