[Yaml] Yaml::parse() does not evaluate loaded files as PHP files by default anymore
This has been done to avoid security issues. To get back the old behavior, call Yaml::enablePhpParsing() first.
parent
046cdce578
commit
6d324a6ba0
@ -118,3 +118,7 @@ To get the diff between two versions, go to https://github.com/symfony/symfony/c
|
||||
* added a SizeLength validator
|
||||
* improved the ImageValidator with min width, max width, min height, and max height constraints
|
||||
* added support for MIME with wildcard in FileValidator
|
||||
|
||||
### Yaml
|
||||
|
||||
* Yaml::parse() does not evaluate loaded files as PHP files by default anymore (call Yaml::enablePhpParsing() to get back the old behavior)
|
||||
|
@ -22,6 +22,13 @@ use Symfony\Component\Yaml\Exception\ParseException;
|
||||
*/
|
||||
class Yaml
|
||||
{
|
||||
static public $enablePhpParsing = false;
|
||||
|
||||
static public function enablePhpParsing()
|
||||
{
|
||||
self::$enablePhpParsing = true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parses YAML into a PHP array.
|
||||
*
|
||||
@ -44,23 +51,25 @@ class Yaml
|
||||
*/
|
||||
static public function parse($input)
|
||||
{
|
||||
$file = '';
|
||||
|
||||
// if input is a file, process it
|
||||
$file = '';
|
||||
if (strpos($input, "\n") === false && is_file($input) && is_readable($input)) {
|
||||
$file = $input;
|
||||
if (self::$enablePhpParsing) {
|
||||
ob_start();
|
||||
$retval = include($file);
|
||||
$content = ob_get_clean();
|
||||
|
||||
ob_start();
|
||||
$retval = include($input);
|
||||
$content = ob_get_clean();
|
||||
// if an array is returned by the config file assume it's in plain php form else in YAML
|
||||
$input = is_array($retval) ? $retval : $content;
|
||||
|
||||
// if an array is returned by the config file assume it's in plain php form else in YAML
|
||||
$input = is_array($retval) ? $retval : $content;
|
||||
}
|
||||
|
||||
// if an array is returned by the config file assume it's in plain php form else in YAML
|
||||
if (is_array($input)) {
|
||||
return $input;
|
||||
// if an array is returned by the config file assume it's in plain php form else in YAML
|
||||
if (is_array($input)) {
|
||||
return $input;
|
||||
}
|
||||
} else {
|
||||
$input = file_get_contents($file);
|
||||
}
|
||||
}
|
||||
|
||||
$yaml = new Parser();
|
||||
|
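Review bot: The new switch `static public $enablePhpParsing` is process-wide and writable by any code, and `enablePhpParsing()` has no counterpart to turn it off, so once one caller enables it, every later `Yaml::parse()` call in the same process runs `include($file)` on whatever path it receives. Because `parse()` treats any single-line string that passes `is_file()` and `is_readable()` as a path, this also covers strings a caller meant as YAML text rather than a file name. I would declare it `static private $enablePhpParsing = false;` (assuming nothing outside the class reads it, which is not visible here) and add a way to switch it back off. `enablePhpParsing()` should also get a docblock stating that it makes `parse()` execute the loaded file as PHP and must only be enabled for trusted, application-owned files. The body of `parse()` continues past the end of the hunk.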