Prevent parameters from overwriting the template filename.
Fixes a potential arbitrary file execution exploit.
This commit is contained in:
parent
5106810803
commit
0507840b67
@ -150,15 +150,20 @@ class PhpEngine implements EngineInterface, \ArrayAccess
|
|||||||
protected function evaluate(Storage $template, array $parameters = array())
|
protected function evaluate(Storage $template, array $parameters = array())
|
||||||
{
|
{
|
||||||
$__template__ = $template;
|
$__template__ = $template;
|
||||||
|
|
||||||
|
if (isset($parameters['__template__'])) {
|
||||||
|
throw new \InvalidArgumentException('Invalid parameter (__template__)');
|
||||||
|
}
|
||||||
|
|
||||||
if ($__template__ instanceof FileStorage) {
|
if ($__template__ instanceof FileStorage) {
|
||||||
extract($parameters);
|
extract($parameters, EXTR_SKIP);
|
||||||
$view = $this;
|
$view = $this;
|
||||||
ob_start();
|
ob_start();
|
||||||
require $__template__;
|
require $__template__;
|
||||||
|
|
||||||
return ob_get_clean();
|
return ob_get_clean();
|
||||||
} elseif ($__template__ instanceof StringStorage) {
|
} elseif ($__template__ instanceof StringStorage) {
|
||||||
extract($parameters);
|
extract($parameters, EXTR_SKIP);
|
||||||
$view = $this;
|
$view = $this;
|
||||||
ob_start();
|
ob_start();
|
||||||
eval('; ?>'.$__template__.'<?php ;');
|
eval('; ?>'.$__template__.'<?php ;');
|
||||||
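Review bot: The new `isset($parameters['__template__'])` guard is narrower than the `EXTR_SKIP` it accompanies: `isset` is false for a key whose value is `null`, so `['__template__' => null]` passes the check and is then silently dropped by `extract`, while any other caller-supplied `__template__` raises `InvalidArgumentException`. If the intent is to reject the key outright, `array_key_exists('__template__', $parameters)` makes the guard and the extract agree. The reason for the flag is also worth recording on both `extract` calls (FileStorage and StringStorage branches), e.g. `// EXTR_SKIP: a template parameter must never shadow $__template__ (the path handed to require) or any other local`. The StringStorage branch and the enclosing method continue past the end of the hunk.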
|