[ Index ]

PHP Cross Reference of phpBB-3.3.5-deutsch

title

Body

[close]

/vendor/twig/twig/src/Sandbox/ -> SecurityPolicy.php (source)

   1  <?php
   2  
   3  /*
   4   * This file is part of Twig.
   5   *
   6   * (c) Fabien Potencier
   7   *
   8   * For the full copyright and license information, please view the LICENSE
   9   * file that was distributed with this source code.
  10   */
  11  
  12  namespace Twig\Sandbox;
  13  
  14  use Twig\Markup;
  15  use Twig\Template;
  16  
  17  /**
  18   * Represents a security policy which need to be enforced when sandbox mode is enabled.
  19   *
  20   * @author Fabien Potencier <fabien@symfony.com>
  21   */
  22  final class SecurityPolicy implements SecurityPolicyInterface
  23  {
  24      private $allowedTags;
  25      private $allowedFilters;
  26      private $allowedMethods;
  27      private $allowedProperties;
  28      private $allowedFunctions;
  29  
  30      public function __construct(array $allowedTags = [], array $allowedFilters = [], array $allowedMethods = [], array $allowedProperties = [], array $allowedFunctions = [])
  31      {
  32          $this->allowedTags = $allowedTags;
  33          $this->allowedFilters = $allowedFilters;
  34          $this->setAllowedMethods($allowedMethods);
  35          $this->allowedProperties = $allowedProperties;
  36          $this->allowedFunctions = $allowedFunctions;
  37      }
  38  
  39      public function setAllowedTags(array $tags)
  40      {
  41          $this->allowedTags = $tags;
  42      }
  43  
  44      public function setAllowedFilters(array $filters)
  45      {
  46          $this->allowedFilters = $filters;
  47      }
  48  
  49      public function setAllowedMethods(array $methods)
  50      {
  51          $this->allowedMethods = [];
  52          foreach ($methods as $class => $m) {
  53              $this->allowedMethods[$class] = array_map(function ($value) { return strtr($value, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'); }, \is_array($m) ? $m : [$m]);
  54          }
  55      }
  56  
  57      public function setAllowedProperties(array $properties)
  58      {
  59          $this->allowedProperties = $properties;
  60      }
  61  
  62      public function setAllowedFunctions(array $functions)
  63      {
  64          $this->allowedFunctions = $functions;
  65      }
  66  
  67      public function checkSecurity($tags, $filters, $functions)
  68      {
  69          foreach ($tags as $tag) {
  70              if (!\in_array($tag, $this->allowedTags)) {
  71                  throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
  72              }
  73          }
  74  
  75          foreach ($filters as $filter) {
  76              if (!\in_array($filter, $this->allowedFilters)) {
  77                  throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
  78              }
  79          }
  80  
  81          foreach ($functions as $function) {
  82              if (!\in_array($function, $this->allowedFunctions)) {
  83                  throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
  84              }
  85          }
  86      }
  87  
  88      public function checkMethodAllowed($obj, $method)
  89      {
  90          if ($obj instanceof Template || $obj instanceof Markup) {
  91              return;
  92          }
  93  
  94          $allowed = false;
  95          $method = strtr($method, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz');
  96          foreach ($this->allowedMethods as $class => $methods) {
  97              if ($obj instanceof $class) {
  98                  $allowed = \in_array($method, $methods);
  99  
 100                  break;
 101              }
 102          }
 103  
 104          if (!$allowed) {
 105              $class = \get_class($obj);
 106              throw new SecurityNotAllowedMethodError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, $class), $class, $method);
 107          }
 108      }
 109  
 110      public function checkPropertyAllowed($obj, $property)
 111      {
 112          $allowed = false;
 113          foreach ($this->allowedProperties as $class => $properties) {
 114              if ($obj instanceof $class) {
 115                  $allowed = \in_array($property, \is_array($properties) ? $properties : [$properties]);
 116  
 117                  break;
 118              }
 119          }
 120  
 121          if (!$allowed) {
 122              $class = \get_class($obj);
 123              throw new SecurityNotAllowedPropertyError(sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, $class), $class, $property);
 124          }
 125      }
 126  }
 127  
 128  class_alias('Twig\Sandbox\SecurityPolicy', 'Twig_Sandbox_SecurityPolicy');


Generated: Mon Oct 4 17:42:11 2021 Cross-referenced by PHPXref 0.7.1