SecurityPolicy.php 3.6KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121
  1. <?php
  2. /*
  3. * This file is part of Twig.
  4. *
  5. * (c) 2009 Fabien Potencier
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. /**
  11. * Represents a security policy which need to be enforced when sandbox mode is enabled.
  12. *
  13. * @package twig
  14. * @author Fabien Potencier <fabien@symfony.com>
  15. */
  16. class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface
  17. {
  18. protected $allowedTags;
  19. protected $allowedFilters;
  20. protected $allowedMethods;
  21. protected $allowedProperties;
  22. protected $allowedFunctions;
  23. public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array())
  24. {
  25. $this->allowedTags = $allowedTags;
  26. $this->allowedFilters = $allowedFilters;
  27. $this->setAllowedMethods($allowedMethods);
  28. $this->allowedProperties = $allowedProperties;
  29. $this->allowedFunctions = $allowedFunctions;
  30. }
  31. public function setAllowedTags(array $tags)
  32. {
  33. $this->allowedTags = $tags;
  34. }
  35. public function setAllowedFilters(array $filters)
  36. {
  37. $this->allowedFilters = $filters;
  38. }
  39. public function setAllowedMethods(array $methods)
  40. {
  41. $this->allowedMethods = array();
  42. foreach ($methods as $class => $m) {
  43. $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m));
  44. }
  45. }
  46. public function setAllowedProperties(array $properties)
  47. {
  48. $this->allowedProperties = $properties;
  49. }
  50. public function setAllowedFunctions(array $functions)
  51. {
  52. $this->allowedFunctions = $functions;
  53. }
  54. public function checkSecurity($tags, $filters, $functions)
  55. {
  56. foreach ($tags as $tag) {
  57. if (!in_array($tag, $this->allowedTags)) {
  58. throw new Twig_Sandbox_SecurityError(sprintf('Tag "%s" is not allowed.', $tag));
  59. }
  60. }
  61. foreach ($filters as $filter) {
  62. if (!in_array($filter, $this->allowedFilters)) {
  63. throw new Twig_Sandbox_SecurityError(sprintf('Filter "%s" is not allowed.', $filter));
  64. }
  65. }
  66. foreach ($functions as $function) {
  67. if (!in_array($function, $this->allowedFunctions)) {
  68. throw new Twig_Sandbox_SecurityError(sprintf('Function "%s" is not allowed.', $function));
  69. }
  70. }
  71. }
  72. public function checkMethodAllowed($obj, $method)
  73. {
  74. if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) {
  75. return true;
  76. }
  77. $allowed = false;
  78. $method = strtolower($method);
  79. foreach ($this->allowedMethods as $class => $methods) {
  80. if ($obj instanceof $class) {
  81. $allowed = in_array($method, $methods);
  82. break;
  83. }
  84. }
  85. if (!$allowed) {
  86. throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj)));
  87. }
  88. }
  89. public function checkPropertyAllowed($obj, $property)
  90. {
  91. $allowed = false;
  92. foreach ($this->allowedProperties as $class => $properties) {
  93. if ($obj instanceof $class) {
  94. $allowed = in_array($property, is_array($properties) ? $properties : array($properties));
  95. break;
  96. }
  97. }
  98. if (!$allowed) {
  99. throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj)));
  100. }
  101. }
  102. }