|
1 <?php |
|
2 |
|
3 /* |
|
4 * This file is part of Twig. |
|
5 * |
|
6 * (c) 2009 Fabien Potencier |
|
7 * |
|
8 * For the full copyright and license information, please view the LICENSE |
|
9 * file that was distributed with this source code. |
|
10 */ |
|
11 |
|
12 /** |
|
13 * Represents a security policy which need to be enforced when sandbox mode is enabled. |
|
14 * |
|
15 * @package twig |
|
16 * @author Fabien Potencier <fabien@symfony.com> |
|
17 */ |
|
18 class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface |
|
19 { |
|
20 protected $allowedTags; |
|
21 protected $allowedFilters; |
|
22 protected $allowedMethods; |
|
23 protected $allowedProperties; |
|
24 protected $allowedFunctions; |
|
25 |
|
26 public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array()) |
|
27 { |
|
28 $this->allowedTags = $allowedTags; |
|
29 $this->allowedFilters = $allowedFilters; |
|
30 $this->setAllowedMethods($allowedMethods); |
|
31 $this->allowedProperties = $allowedProperties; |
|
32 $this->allowedFunctions = $allowedFunctions; |
|
33 } |
|
34 |
|
35 public function setAllowedTags(array $tags) |
|
36 { |
|
37 $this->allowedTags = $tags; |
|
38 } |
|
39 |
|
40 public function setAllowedFilters(array $filters) |
|
41 { |
|
42 $this->allowedFilters = $filters; |
|
43 } |
|
44 |
|
45 public function setAllowedMethods(array $methods) |
|
46 { |
|
47 $this->allowedMethods = array(); |
|
48 foreach ($methods as $class => $m) { |
|
49 $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m)); |
|
50 } |
|
51 } |
|
52 |
|
53 public function setAllowedProperties(array $properties) |
|
54 { |
|
55 $this->allowedProperties = $properties; |
|
56 } |
|
57 |
|
58 public function setAllowedFunctions(array $functions) |
|
59 { |
|
60 $this->allowedFunctions = $functions; |
|
61 } |
|
62 |
|
63 public function checkSecurity($tags, $filters, $functions) |
|
64 { |
|
65 foreach ($tags as $tag) { |
|
66 if (!in_array($tag, $this->allowedTags)) { |
|
67 throw new Twig_Sandbox_SecurityError(sprintf('Tag "%s" is not allowed.', $tag)); |
|
68 } |
|
69 } |
|
70 |
|
71 foreach ($filters as $filter) { |
|
72 if (!in_array($filter, $this->allowedFilters)) { |
|
73 throw new Twig_Sandbox_SecurityError(sprintf('Filter "%s" is not allowed.', $filter)); |
|
74 } |
|
75 } |
|
76 |
|
77 foreach ($functions as $function) { |
|
78 if (!in_array($function, $this->allowedFunctions)) { |
|
79 throw new Twig_Sandbox_SecurityError(sprintf('Function "%s" is not allowed.', $function)); |
|
80 } |
|
81 } |
|
82 } |
|
83 |
|
84 public function checkMethodAllowed($obj, $method) |
|
85 { |
|
86 if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) { |
|
87 return true; |
|
88 } |
|
89 |
|
90 $allowed = false; |
|
91 $method = strtolower($method); |
|
92 foreach ($this->allowedMethods as $class => $methods) { |
|
93 if ($obj instanceof $class) { |
|
94 $allowed = in_array($method, $methods); |
|
95 |
|
96 break; |
|
97 } |
|
98 } |
|
99 |
|
100 if (!$allowed) { |
|
101 throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj))); |
|
102 } |
|
103 } |
|
104 |
|
105 public function checkPropertyAllowed($obj, $property) |
|
106 { |
|
107 $allowed = false; |
|
108 foreach ($this->allowedProperties as $class => $properties) { |
|
109 if ($obj instanceof $class) { |
|
110 $allowed = in_array($property, is_array($properties) ? $properties : array($properties)); |
|
111 |
|
112 break; |
|
113 } |
|
114 } |
|
115 |
|
116 if (!$allowed) { |
|
117 throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj))); |
|
118 } |
|
119 } |
|
120 } |