| author | Nathan Guse <nathaniel.guse@gmail.com> | 2013-09-13 09:15:23 -0500 |
|---|---|---|
| committer | Nathan Guse <nathaniel.guse@gmail.com> | 2013-09-13 09:15:23 -0500 |
| commit | a194e6ce7afe373fcb89ab26b3d057f60d10fa3d (patch) | |
| tree | 7d39cb8a17faf1733db8b5f2ee7d822c0b9080f8 /phpBB/phpbb/template | |
| parent | baa73f6933e70f79482e0c4c978d3bfa53eed768 (diff) | |
| parent | 16c6e439149cee19b84ab809e913eb41bc5f4fd9 (diff) | |
Merge branch 'develop' of github.com:phpbb/phpbb3 into ticket/11832
# By Nathan Guse (22) and others
# Via Nathan Guse (10) and others
* 'develop' of github.com:phpbb/phpbb3: (39 commits)
[ticket/11843] Added newlines and included numbers in the DEFINE vars test
[ticket/11843] Add checking DEFINE variables with underscores to template_test
[ticket/11843] The twig lexer fixes DEFINE variables with underscores again
[ticket/11727] Fix indentation
[ticket/11727] Fix indentation
[ticket/11745] Correct language, coding guidelines
[ticket/11828] Fix greedy operators in lexer
[ticket/11833] Prevent Twig errors from invalid template loops using BEGINELSE
[ticket/11833] Fix bad template loop
[ticket/11816] !$DOESNT_EXIST test
[ticket/9550] Add the core.viewtopic_post_rowset_data event to viewtopic.php
[ticket/11829] Use report_closed to determine status in MCP report_details
[ticket/11816] Test !$DEFINITION
[ticket/11822] Use namespace lookup order for asset loading
[ticket/11727] Template loader support for safe directories to load files from
[ticket/11816] Fix define/loop checks in IF statements containing parenthesis
[ticket/11373] Use inheritdoc
[ticket/11637] generate_text_for_display on search.php
[ticket/11744] Cast to int
[ticket/11744] Inheritdoc
...
Diffstat (limited to 'phpBB/phpbb/template')
| -rw-r--r-- | phpBB/phpbb/template/twig/environment.php | 35 | ||||
| -rw-r--r-- | phpBB/phpbb/template/twig/lexer.php | 20 | ||||
| -rw-r--r-- | phpBB/phpbb/template/twig/loader.php | 150 | ||||
| -rw-r--r-- | phpBB/phpbb/template/twig/node/includeasset.php | 4 | ||||
| -rw-r--r-- | phpBB/phpbb/template/twig/twig.php | 22 |
5 files changed, 212 insertions, 19 deletions
diff --git a/phpBB/phpbb/template/twig/environment.php b/phpBB/phpbb/template/twig/environment.php index b60cd72325..9a40dc2b15 100644 --- a/phpBB/phpbb/template/twig/environment.php +++ b/phpBB/phpbb/template/twig/environment.php @@ -137,4 +137,39 @@ class phpbb_template_twig_environment extends Twig_Environment return parent::loadTemplate($name, $index); } } + + /** + * Finds a template by name. + * + * @param string $name The template name + * @return string + */ + public function findTemplate($name) + { + if (strpos($name, '@') === false) + { + foreach ($this->getNamespaceLookUpOrder() as $namespace) + { + try + { + if ($namespace === '__main__') + { + return parent::getLoader()->getCacheKey($name); + } + + return parent::getLoader()->getCacheKey('@' . $namespace . '/' . $name); + } + catch (Twig_Error_Loader $e) + { + } + } + + // We were unable to load any templates + throw $e; + } + else + { + return parent::getLoader()->getCacheKey($name); + } + } } diff --git a/phpBB/phpbb/template/twig/lexer.php b/phpBB/phpbb/template/twig/lexer.php index 7ab569313c..16a693cd7c 100644 --- a/phpBB/phpbb/template/twig/lexer.php +++ b/phpBB/phpbb/template/twig/lexer.php @@ -75,7 +75,7 @@ class phpbb_template_twig_lexer extends Twig_Lexer // Fix tokens that may have inline variables (e.g. <!-- DEFINE $TEST = '{FOO}') $code = $this->fix_inline_variable_tokens(array( - 'DEFINE.+=', + 'DEFINE \$[a-zA-Z0-9_]+ =', 'INCLUDE', 'INCLUDEPHP', 'INCLUDEJS', @@ -161,6 +161,9 @@ class phpbb_template_twig_lexer extends Twig_Lexer $subset = trim(substr($matches[2], 1, -1)); // Remove parenthesis $body = $matches[3]; + // Replace <!-- BEGINELSE --> + $body = str_replace('<!-- BEGINELSE -->', '{% else %}', $body); + // Is the designer wanting to call another loop in a loop? // <!-- BEGIN loop --> // <!-- BEGIN !loop2 --> 
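Review bot: `throw $e;` after the `foreach` in `findTemplate()` reads a variable that is only assigned inside the `catch`, so if `getNamespaceLookUpOrder()` (defined outside this hunk) ever returns an empty list, the method fails with a PHP error instead of a `Twig_Error_Loader`. The empty `catch` block also discards every failure except the last, which hides the namespace in which a lookup was rejected. I would throw an explicit loader error after the loop, e.g. `throw new Twig_Error_Loader(sprintf('Unable to find template "%s" in any namespace.', $name));`, and add `@throws Twig_Error_Loader` to the docblock.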
@@ -205,9 +208,6 @@ class phpbb_template_twig_lexer extends Twig_Lexer return "{% for {$name} in {$parent}{$name}{$subset} %}{$body}{% endfor %}"; }; - // Replace <!-- BEGINELSE --> correctly, only needs to be done once - $code = str_replace('<!-- BEGINELSE -->', '{% else %}', $code); - return preg_replace_callback('#<!-- BEGIN ([!a-zA-Z0-9_]+)(\([0-9,\-]+\))? -->(.+?)<!-- END \1 -->#s', $callback, $code); } @@ -229,18 +229,18 @@ class phpbb_template_twig_lexer extends Twig_Lexer { $inner = $matches[2]; // Replace $TEST with definition.TEST - $inner = preg_replace('#\s\$([a-zA-Z_0-9]+)#', ' definition.$1', $inner); + $inner = preg_replace('#(\s\(?!?)\$([a-zA-Z_0-9]+)#', '$1definition.$2', $inner); // Replace .foo with loops.foo|length - $inner = preg_replace('#\s\.([a-zA-Z_0-9]+)([^a-zA-Z_0-9\.])#', ' loops.$1|length$2', $inner); + $inner = preg_replace('#(\s\(?!?)\.([a-zA-Z_0-9]+)([^a-zA-Z_0-9\.])#', '$1loops.$2|length$3', $inner); // Replace .foo.bar with foo.bar|length - $inner = preg_replace('#\s\.([a-zA-Z_0-9\.]+)([^a-zA-Z_0-9\.])#', ' $1|length$2', $inner); + $inner = preg_replace('#(\s\(?!?)\.([a-zA-Z_0-9\.]+)([^a-zA-Z_0-9\.])#', '$1$2|length$3', $inner); return "<!-- {$matches[1]}IF{$inner}-->"; }; - return preg_replace_callback('#<!-- (ELSE)?IF((.*)[\s][\$|\.|!]([^\s]+)(.*))-->#', $callback, $code); + return preg_replace_callback('#<!-- (ELSE)?IF((.*?) \(?!?[\$|\.]([^\s]+)(.*?))-->#', $callback, $code); } /** 
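Review bot: In the new outer pattern of the IF hunk, the character class `[\$|\.]` still contains a literal `|`, because alternation has no meaning inside brackets, so a condition written as `IF |FOO` is routed into the callback. That looks harmless today, since none of the three inner replacements touch it, but `[\$\.]` says what is meant. The prefix group `(\s\(?!?)` accepts only one opening parenthesis followed by one `!`, so spellings such as `!(` or `((` in front of `$VAR` or `.loop` appear to stay unconverted. A template test for those forms would show whether that is intended. The enclosing method starts outside the hunk.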
@@ -264,10 +264,10 @@ class phpbb_template_twig_lexer extends Twig_Lexer */ // Replace <!-- DEFINE $NAME with {% DEFINE definition.NAME - $code = preg_replace('#<!-- DEFINE \$(.*)-->#', '{% DEFINE $1 %}', $code); + $code = preg_replace('#<!-- DEFINE \$(.*?) -->#', '{% DEFINE $1 %}', $code); // Changing UNDEFINE NAME to DEFINE NAME = null to save from creating an extra token parser/node - $code = preg_replace('#<!-- UNDEFINE \$(.*)-->#', '{% DEFINE $1= null %}', $code); + $code = preg_replace('#<!-- UNDEFINE \$(.*?)-->#', '{% DEFINE $1= null %}', $code); // Replace all of our variables, {$VARNAME}, with Twig style, {{ definition.VARNAME }} $code = preg_replace('#{\$([a-zA-Z0-9_\.]+)}#', '{{ definition.$1 }}', $code); diff --git a/phpBB/phpbb/template/twig/loader.php b/phpBB/phpbb/template/twig/loader.php new file mode 100644 index 0000000000..0829e519f7 --- /dev/null +++ b/phpBB/phpbb/template/twig/loader.php 
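Review bot: The DEFINE pattern now requires a space before the closing `-->` (`\$(.*?) -->`) while the UNDEFINE pattern two lines below does not (`\$(.*?)-->`), so a tag written as `<!-- DEFINE $X = 1-->` would no longer be converted and would pass through as an HTML comment with no error. If the stricter form is intended, a one-line comment saying so would help. Otherwise `#<!-- DEFINE \$(.*?)\s*-->#` keeps both spellings working. The surrounding method starts outside the hunk.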
@@ -0,0 +1,150 @@
+<?php
+/**
+*
+* @package phpBB3
+* @copyright (c) 2013 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+ exit;
+}
+
+/**
+* Twig Template loader
+* @package phpBB3
+*/
+class phpbb_template_twig_loader extends Twig_Loader_Filesystem
+{
+ protected $safe_directories = array();
+
+ /**
+ * Set safe directories
+ *
+ * @param array $directories Array of directories that are safe (empty to clear)
+ * @return Twig_Loader_Filesystem
+ */
+ public function setSafeDirectories($directories = array())
+ {
+ $this->safe_directories = array();
+
+ if (!empty($directories))
+ {
+ foreach ($directories as $directory)
+ {
+ $this->addSafeDirectory($directory);
+ }
+ }
+
+ return $this;
+ }
+
+ /**
+ * Add safe directory
+ *
+ * @param string $directory Directory that should be added
+ * @return Twig_Loader_Filesystem
+ */
+ public function addSafeDirectory($directory)
+ {
+ $directory = phpbb_realpath($directory);
+
+ if ($directory !== false)
+ {
+ $this->safe_directories[] = $directory;
+ }
+
+ return $this;
+ }
+
+ /**
+ * Get current safe directories
+ *
+ * @return array
+ */
+ public function getSafeDirectories()
+ {
+ return $this->safe_directories;
+ }
+
+ /**
+ * Override for parent::validateName()
+ *
+ * This is done because we added support for safe directories, and when Twig
+ * findTemplate() is called, validateName() is called first, which would
+ * always throw an exception if the file is outside of the configured
+ * template directories.
+ */
+ protected function validateName($name)
+ {
+ return;
+ }
+
+ /**
+ * Find the template
+ *
+ * Override for Twig_Loader_Filesystem::findTemplate to add support
+ * for loading from safe directories.
+ */
+ protected function findTemplate($name)
+ {
+ $name = (string) $name;
+
+ // normalize name
+ $name = preg_replace('#/{2,}#', '/', strtr($name, '\\', '/'));
+
+ // If this is in the cache we can skip the entire process below
+ // as it should have already been validated
+ if (isset($this->cache[$name])) {
+ return $this->cache[$name];
+ }
+
+ // First, find the template name. The override above of validateName
+ // causes the validateName process to be skipped for this call
+ $file = parent::findTemplate($name);
+
+ try
+ {
+ // Try validating the name (which may throw an exception)
+ parent::validateName($name);
+ }
+ catch (Twig_Error_Loader $e)
+ {
+ if (strpos($e->getRawMessage(), 'Looks like you try to load a template outside configured directories') === 0)
+ {
+ // Ok, so outside of the configured template directories, we
+ // can now check if we're within a "safe" directory
+
+ // Find the real path of the directory the file is in
+ $directory = phpbb_realpath(dirname($file));
+
+ if ($directory === false)
+ {
+ // Some sort of error finding the actual path, must throw the exception
+ throw $e;
+ }
+
+ foreach ($this->safe_directories as $safe_directory)
+ {
+ if (strpos($directory, $safe_directory) === 0)
+ {
+ // The directory being loaded is below a directory
+ // that is "safe". We're good to load it!
+ return $file;
+ }
+ }
+ }
+
+ // Not within any safe directories
+ throw $e;
+ }
+
+ // No exception from validateName, safe to load.
+ return $file;
+ }
+}
diff --git a/phpBB/phpbb/template/twig/node/includeasset.php b/phpBB/phpbb/template/twig/node/includeasset.php
index 1cab416c79..0808e2b10e 100644
--- a/phpBB/phpbb/template/twig/node/includeasset.php
+++ b/phpBB/phpbb/template/twig/node/includeasset.php
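Review bot: The safe-directory test in `findTemplate()` of loader.php is a plain string-prefix comparison, `strpos($directory, $safe_directory) === 0`, so a sibling directory whose name merely begins with a safe directory's name (constructed example: `styles/foo_backup` when `styles/foo` is registered) is accepted as being below it. Comparing with a trailing separator closes that gap: `if (strpos($directory . '/', rtrim($safe_directory, '/') . '/') === 0)`, assuming `phpbb_realpath()` returns forward-slash paths, which is not visible here. Separately, `parent::findTemplate($name)` runs before validation. If the parent stores the resolved path in `$this->cache`, as Twig's filesystem loader normally does, a name rejected here stays cached and the early `isset($this->cache[$name])` return serves it on the next call, so `unset($this->cache[$name]);` before each `throw $e;` would be prudent. Matching on the exception's message text fails closed if upstream rewords it, but it would then silently disable safe directories, which deserves a comment.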
@@ -40,10 +40,10 @@ abstract class phpbb_template_twig_node_includeasset extends Twig_Node ->write("\$local_file = \$this->getEnvironment()->get_phpbb_root_path() . \$asset_path;\n") ->write("if (!file_exists(\$local_file)) {\n") ->indent() - ->write("\$local_file = \$this->getEnvironment()->getLoader()->getCacheKey(\$asset_path);\n") + ->write("\$local_file = \$this->getEnvironment()->findTemplate(\$asset_path);\n") ->write("\$asset->set_path(\$local_file, true);\n") ->outdent() - ->write("\$asset->add_assets_version({$config['assets_version']});\n") + ->write("\$asset->add_assets_version('{$config['assets_version']}');\n") ->write("\$asset_file = \$asset->get_url();\n") ->write("}\n") ->outdent() diff --git a/phpBB/phpbb/template/twig/twig.php b/phpBB/phpbb/template/twig/twig.php index 1ed89d3ccc..5746cc64a3 100644 --- a/phpBB/phpbb/template/twig/twig.php +++ b/phpBB/phpbb/template/twig/twig.php @@ -91,7 +91,7 @@ class phpbb_template_twig extends phpbb_template_base $this->cachepath = $phpbb_root_path . 'cache/twig/'; // Initiate the loader, __main__ namespace paths will be setup later in set_style_names() - $loader = new Twig_Loader_Filesystem(''); + $loader = new phpbb_template_twig_loader(''); $this->twig = new phpbb_template_twig_environment( $this->config, @@ -181,11 +181,15 @@ class phpbb_template_twig extends phpbb_template_base { foreach ($names as $name) { - $path = $this->phpbb_root_path . trim($directory, '/') . "/{$name}/template/"; + $path = $this->phpbb_root_path . trim($directory, '/') . "/{$name}/"; + $template_path = $path . 'template/'; - if (is_dir($path)) + if (is_dir($template_path)) { - $paths[] = $path; + // Add the base style directory as a safe directory + $this->twig->getLoader()->addSafeDirectory($path); + + $paths[] = $template_path; } } } 
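Review bot: `add_assets_version('{$config['assets_version']}')` interpolates a configuration value into generated PHP source inside single quotes without escaping, so a value containing `'` or ending in a backslash would break the compiled template or change its meaning. The value is presumably numeric in practice, but the compiled code should not depend on that. Emit it as a PHP literal instead, e.g. `->write('$asset->add_assets_version(' . var_export((string) $config['assets_version'], true) . ");\n")`. The method this call chain belongs to starts and ends outside the hunk.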
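Review bot: `addSafeDirectory($path)` in the twig.php style-path loop registers the whole style directory rather than the specific subdirectories that assets are loaded from. Together with the loader's `validateName()` override, this makes any file under the style root reachable through a relative template name; the same applies to `$ext_style_path` in the extension-styles hunk further down. If only asset folders are needed, registering those would be tighter. Either way the comment should say why the base directory is considered safe, e.g. `// Style root is whitelisted so asset includes (INCLUDEJS etc.) can resolve files outside template/`. The call also assumes `getLoader()` returns a `phpbb_template_twig_loader`, which holds only while the constructor change in this file stays in place; both loops start outside their hunks.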
@@ -233,11 +237,15 @@ class phpbb_template_twig extends phpbb_template_base foreach ($names as $style_name) { - $ext_style_path = $ext_path . 'styles/' . $style_name . '/template'; + $ext_style_path = $ext_path . 'styles/' . $style_name . '/'; + $ext_style_template_path = $ext_style_path . 'template/'; - if (is_dir($ext_style_path)) + if (is_dir($ext_style_template_path)) { - $paths[] = $ext_style_path; + // Add the base style directory as a safe directory + $this->twig->getLoader()->addSafeDirectory($ext_style_path); + + $paths[] = $ext_style_template_path; } } |
