[Yaml] Yaml::parse() does not evaluate loaded files as PHP files by default anymore

This has been done to avoid security issues. To get back the old behavior, call Yaml::enablePhpParsing() first.
2011-11-07 16:43:15 +01:00 · 2011-11-07 16:43:15 +01:00 · 6d324a6ba0
commit 6d324a6ba0
parent 046cdce578
2 changed files with 25 additions and 12 deletions
--- a/CHANGELOG-2.1.md
+++ b/CHANGELOG-2.1.md
@ -118,3 +118,7 @@ To get the diff between two versions, go to https://github.com/symfony/symfony/c
 * added a SizeLength validator
 * improved the ImageValidator with min width, max width, min height, and max height constraints
 * added support for MIME with wildcard in FileValidator
+
+### Yaml
+
+ * Yaml::parse() does not evaluate loaded files as PHP files by default anymore (call Yaml::enablePhpParsing() to get back the old behavior)
--- a/src/Symfony/Component/Yaml/Yaml.php
+++ b/src/Symfony/Component/Yaml/Yaml.php
@ -22,6 +22,13 @@ use Symfony\Component\Yaml\Exception\ParseException;
 */
 class Yaml
 {
+    static public $enablePhpParsing = false;
+
+    static public function enablePhpParsing()
+    {
+        self::$enablePhpParsing = true;
+    }
+
    /**
     * Parses YAML into a PHP array.
     *
@ -44,23 +51,25 @@ class Yaml
     */
    static public function parse($input)
    {
-        $file = '';
-
        // if input is a file, process it
+        $file = '';
        if (strpos($input, "\n") === false && is_file($input) && is_readable($input)) {
            $file = $input;
+            if (self::$enablePhpParsing) {
+                ob_start();
+                $retval = include($file);
+                $content = ob_get_clean();

-            ob_start();
-            $retval = include($input);
-            $content = ob_get_clean();
+                // if an array is returned by the config file assume it's in plain php form else in YAML
+                $input = is_array($retval) ? $retval : $content;

-            // if an array is returned by the config file assume it's in plain php form else in YAML
-            $input = is_array($retval) ? $retval : $content;
-        }
-
-        // if an array is returned by the config file assume it's in plain php form else in YAML
-        if (is_array($input)) {
-            return $input;
+                // if an array is returned by the config file assume it's in plain php form else in YAML
+                if (is_array($input)) {
+                    return $input;
+                }
+            } else {
+                $input = file_get_contents($file);
+            }
        }

        $yaml = new Parser();