SecurityPolicy.php (3900B)
1 <?php 2 3 /* 4 * This file is part of Twig. 5 * 6 * (c) 2009 Fabien Potencier 7 * 8 * For the full copyright and license information, please view the LICENSE 9 * file that was distributed with this source code. 10 */ 11 12 /** 13 * Represents a security policy which need to be enforced when sandbox mode is enabled. 14 * 15 * @author Fabien Potencier <fabien@symfony.com> 16 */ 17 class Twig_Sandbox_SecurityPolicy implements Twig_Sandbox_SecurityPolicyInterface 18 { 19 protected $allowedTags; 20 protected $allowedFilters; 21 protected $allowedMethods; 22 protected $allowedProperties; 23 protected $allowedFunctions; 24 25 public function __construct(array $allowedTags = array(), array $allowedFilters = array(), array $allowedMethods = array(), array $allowedProperties = array(), array $allowedFunctions = array()) 26 { 27 $this->allowedTags = $allowedTags; 28 $this->allowedFilters = $allowedFilters; 29 $this->setAllowedMethods($allowedMethods); 30 $this->allowedProperties = $allowedProperties; 31 $this->allowedFunctions = $allowedFunctions; 32 } 33 34 public function setAllowedTags(array $tags) 35 { 36 $this->allowedTags = $tags; 37 } 38 39 public function setAllowedFilters(array $filters) 40 { 41 $this->allowedFilters = $filters; 42 } 43 44 public function setAllowedMethods(array $methods) 45 { 46 $this->allowedMethods = array(); 47 foreach ($methods as $class => $m) { 48 $this->allowedMethods[$class] = array_map('strtolower', is_array($m) ? $m : array($m)); 49 } 50 } 51 52 public function setAllowedProperties(array $properties) 53 { 54 $this->allowedProperties = $properties; 55 } 56 57 public function setAllowedFunctions(array $functions) 58 { 59 $this->allowedFunctions = $functions; 60 } 61 62 public function checkSecurity($tags, $filters, $functions) 63 { 64 foreach ($tags as $tag) { 65 if (!in_array($tag, $this->allowedTags)) { 66 throw new Twig_Sandbox_SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag); 67 } 68 } 69 70 foreach ($filters as $filter) { 71 if (!in_array($filter, $this->allowedFilters)) { 72 throw new Twig_Sandbox_SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter); 73 } 74 } 75 76 foreach ($functions as $function) { 77 if (!in_array($function, $this->allowedFunctions)) { 78 throw new Twig_Sandbox_SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function); 79 } 80 } 81 } 82 83 public function checkMethodAllowed($obj, $method) 84 { 85 if ($obj instanceof Twig_TemplateInterface || $obj instanceof Twig_Markup) { 86 return true; 87 } 88 89 $allowed = false; 90 $method = strtolower($method); 91 foreach ($this->allowedMethods as $class => $methods) { 92 if ($obj instanceof $class) { 93 $allowed = in_array($method, $methods); 94 95 break; 96 } 97 } 98 99 if (!$allowed) { 100 throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj))); 101 } 102 } 103 104 public function checkPropertyAllowed($obj, $property) 105 { 106 $allowed = false; 107 foreach ($this->allowedProperties as $class => $properties) { 108 if ($obj instanceof $class) { 109 $allowed = in_array($property, is_array($properties) ? $properties : array($properties)); 110 111 break; 112 } 113 } 114 115 if (!$allowed) { 116 throw new Twig_Sandbox_SecurityError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj))); 117 } 118 } 119 }