diff options
Diffstat (limited to 'inc/3rdparty/Twig/Sandbox/SecurityPolicy.php')
-rw-r--r-- | inc/3rdparty/Twig/Sandbox/SecurityPolicy.php | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/inc/3rdparty/Twig/Sandbox/SecurityPolicy.php b/inc/3rdparty/Twig/Sandbox/SecurityPolicy.php new file mode 100644 index 00000000..66ee2332 --- /dev/null +++ b/inc/3rdparty/Twig/Sandbox/SecurityPolicy.php | |||
@@ -0,0 +1,119 @@ | |||
1 | <?php | ||
2 | |||
3 | /* | ||
4 | * This file is part of Twig. | ||
5 | * | ||
6 | * (c) 2009 Fabien Potencier | ||
7 | * | ||
8 | * For the full copyright and license information, please view the LICENSE | ||
9 | * file that was distributed with this source code. | ||
10 | */ | ||
11 | |||
12 | /** | ||
13 | * Represents a security policy which need to be enforced when sandbox mode is enabled. | ||
14 | * | ||
15 | * @author Fabien Potencier <fabien@symfony.com> | ||
16 | */ | ||
17 | class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface | ||
18 | { | ||
19 | protected $allowedTags; | ||
20 | protected $allowedFilters; | ||
21 | protected $allowedMethods; | ||
22 | protected $allowedProperties; | ||
23 | protected $allowedFunctions; | ||
24 | |||
25 | public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array()) | ||
26 | { | ||
27 | $this->allowedTags = $allowedTags; | ||
28 | $this->allowedFilters = $allowedFilters; | ||
29 | $this->setAllowedMethods($allowedMethods); | ||
30 | $this->allowedProperties = $allowedProperties; | ||
31 | $this->allowedFunctions = $allowedFunctions; | ||
32 | } | ||
33 | |||
34 | public function setAllowedTags(array $tags) | ||
35 | { | ||
36 | $this->allowedTags = $tags; | ||
37 | } | ||
38 | |||
39 | public function setAllowedFilters(array $filters) | ||
40 | { | ||
41 | $this->allowedFilters = $filters; | ||
42 | } | ||
43 | |||
44 | public function setAllowedMethods(array $methods) | ||
45 | { | ||
46 | $this->allowedMethods = array(); | ||
47 | foreach ($methods as $class => $m) { | ||
48 | $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m)); | ||
49 | } | ||
50 | } | ||
51 | |||
52 | public function setAllowedProperties(array $properties) | ||
53 | { | ||
54 | $this->allowedProperties = $properties; | ||
55 | } | ||
56 | |||
57 | public function setAllowedFunctions(array $functions) | ||
58 | { | ||
59 | $this->allowedFunctions = $functions; | ||
60 | } | ||
61 | |||
62 | public function checkSecurity($tags, $filters, $functions) | ||
63 | { | ||
64 | foreach ($tags as $tag) { | ||
65 | if (!in_array($tag, $this->allowedTags)) { | ||
66 | throw new Twig_Sandbox_SecurityError(sprintf('Tag "%s" is not allowed.', $tag)); | ||
67 | } | ||
68 | } | ||
69 | |||
70 | foreach ($filters as $filter) { | ||
71 | if (!in_array($filter, $this->allowedFilters)) { | ||
72 | throw new Twig_Sandbox_SecurityError(sprintf('Filter "%s" is not allowed.', $filter)); | ||
73 | } | ||
74 | } | ||
75 | |||
76 | foreach ($functions as $function) { | ||
77 | if (!in_array($function, $this->allowedFunctions)) { | ||
78 | throw new Twig_Sandbox_SecurityError(sprintf('Function "%s" is not allowed.', $function)); | ||
79 | } | ||
80 | } | ||
81 | } | ||
82 | |||
83 | public function checkMethodAllowed($obj, $method) | ||
84 | { | ||
85 | if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) { | ||
86 | return true; | ||
87 | } | ||
88 | |||
89 | $allowed = false; | ||
90 | $method = strtolower($method); | ||
91 | foreach ($this->allowedMethods as $class => $methods) { | ||
92 | if ($obj instanceof $class) { | ||
93 | $allowed = in_array($method, $methods); | ||
94 | |||
95 | break; | ||
96 | } | ||
97 | } | ||
98 | |||
99 | if (!$allowed) { | ||
100 | throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj))); | ||
101 | } | ||
102 | } | ||
103 | |||
104 | public function checkPropertyAllowed($obj, $property) | ||
105 | { | ||
106 | $allowed = false; | ||
107 | foreach ($this->allowedProperties as $class => $properties) { | ||
108 | if ($obj instanceof $class) { | ||
109 | $allowed = in_array($property, is_array($properties) ? $properties : array($properties)); | ||
110 | |||
111 | break; | ||
112 | } | ||
113 | } | ||
114 | |||
115 | if (!$allowed) { | ||
116 | throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj))); | ||
117 | } | ||
118 | } | ||
119 | } | ||