diff options
| author | Nathan Guse <nathaniel.guse@gmail.com> | 2013-09-13 09:15:23 -0500 |
|---|---|---|
| committer | Nathan Guse <nathaniel.guse@gmail.com> | 2013-09-13 09:15:23 -0500 |
| commit | a194e6ce7afe373fcb89ab26b3d057f60d10fa3d (patch) | |
| tree | 7d39cb8a17faf1733db8b5f2ee7d822c0b9080f8 /phpBB/phpbb/template/twig/loader.php | |
| parent | baa73f6933e70f79482e0c4c978d3bfa53eed768 (diff) | |
| parent | 16c6e439149cee19b84ab809e913eb41bc5f4fd9 (diff) | |
| download | forums-a194e6ce7afe373fcb89ab26b3d057f60d10fa3d.tar forums-a194e6ce7afe373fcb89ab26b3d057f60d10fa3d.tar.gz forums-a194e6ce7afe373fcb89ab26b3d057f60d10fa3d.tar.bz2 forums-a194e6ce7afe373fcb89ab26b3d057f60d10fa3d.tar.xz forums-a194e6ce7afe373fcb89ab26b3d057f60d10fa3d.zip | |
Merge branch 'develop' of github.com:phpbb/phpbb3 into ticket/11832
# By Nathan Guse (22) and others
# Via Nathan Guse (10) and others
* 'develop' of github.com:phpbb/phpbb3: (39 commits)
[ticket/11843] Added newlines and included numbers in the DEFINE vars test
[ticket/11843] Add checking DEFINE variables with underscores to template_test
[ticket/11843] The twig lexer fixes DEFINE variables with underscores again
[ticket/11727] Fix indentation
[ticket/11727] Fix indentation
[ticket/11745] Correct language, coding guidelines
[ticket/11828] Fix greedy operators in lexer
[ticket/11833] Prevent Twig errors from invalid template loops using BEGINELSE
[ticket/11833] Fix bad template loop
[ticket/11816] !$DOESNT_EXIST test
[ticket/9550] Add the core.viewtopic_post_rowset_data event to viewtopic.php
[ticket/11829] Use report_closed to determine status in MCP report_details
[ticket/11816] Test !$DEFINITION
[ticket/11822] Use namespace lookup order for asset loading
[ticket/11727] Template loader support for safe directories to load files from
[ticket/11816] Fix define/loop checks in IF statements containing parenthesis
[ticket/11373] Use inheritdoc
[ticket/11637] generate_text_for_display on search.php
[ticket/11744] Cast to int
[ticket/11744] Inheritdoc
...
Diffstat (limited to 'phpBB/phpbb/template/twig/loader.php')
| -rw-r--r-- | phpBB/phpbb/template/twig/loader.php | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/phpBB/phpbb/template/twig/loader.php b/phpBB/phpbb/template/twig/loader.php new file mode 100644 index 0000000000..0829e519f7 --- /dev/null +++ b/phpBB/phpbb/template/twig/loader.php @@ -0,0 +1,150 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +/** +* @ignore +*/ +if (!defined('IN_PHPBB')) +{ + exit; +} + +/** +* Twig Template loader +* @package phpBB3 +*/ +class phpbb_template_twig_loader extends Twig_Loader_Filesystem +{ + protected $safe_directories = array(); + + /** + * Set safe directories + * + * @param array $directories Array of directories that are safe (empty to clear) + * @return Twig_Loader_Filesystem + */ + public function setSafeDirectories($directories = array()) + { + $this->safe_directories = array(); + + if (!empty($directories)) + { + foreach ($directories as $directory) + { + $this->addSafeDirectory($directory); + } + } + + return $this; + } + + /** + * Add safe directory + * + * @param string $directory Directory that should be added + * @return Twig_Loader_Filesystem + */ + public function addSafeDirectory($directory) + { + $directory = phpbb_realpath($directory); + + if ($directory !== false) + { + $this->safe_directories[] = $directory; + } + + return $this; + } + + /** + * Get current safe directories + * + * @return array + */ + public function getSafeDirectories() + { + return $this->safe_directories; + } + + /** + * Override for parent::validateName() + * + * This is done because we added support for safe directories, and when Twig + * findTemplate() is called, validateName() is called first, which would + * always throw an exception if the file is outside of the configured + * template directories. + */ + protected function validateName($name) + { + return; + } + + /** + * Find the template + * + * Override for Twig_Loader_Filesystem::findTemplate to add support + * for loading from safe directories. + */ + protected function findTemplate($name) + { + $name = (string) $name; + + // normalize name + $name = preg_replace('#/{2,}#', '/', strtr($name, '\\', '/')); + + // If this is in the cache we can skip the entire process below + // as it should have already been validated + if (isset($this->cache[$name])) { + return $this->cache[$name]; + } + + // First, find the template name. The override above of validateName + // causes the validateName process to be skipped for this call + $file = parent::findTemplate($name); + + try + { + // Try validating the name (which may throw an exception) + parent::validateName($name); + } + catch (Twig_Error_Loader $e) + { + if (strpos($e->getRawMessage(), 'Looks like you try to load a template outside configured directories') === 0) + { + // Ok, so outside of the configured template directories, we + // can now check if we're within a "safe" directory + + // Find the real path of the directory the file is in + $directory = phpbb_realpath(dirname($file)); + + if ($directory === false) + { + // Some sort of error finding the actual path, must throw the exception + throw $e; + } + + foreach ($this->safe_directories as $safe_directory) + { + if (strpos($directory, $safe_directory) === 0) + { + // The directory being loaded is below a directory + // that is "safe". We're good to load it! + return $file; + } + } + } + + // Not within any safe directories + throw $e; + } + + // No exception from validateName, safe to load. + return $file; + } +} |