[HttpKernel] Prevent php script execution in cached ESI pages using HttpCache
This commit is contained in:
parent
7c338de412
commit
7f96c8ad17
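--- a/Esi.php
+++ b/Esi.php
@@ -154,6 +154,7 @@ class Esi
 
 // we don't use a proper XML parser here as we can have ESI tags in a plain text response
 $content = $response->getContent();
+$content = str_replace(array('<?', '<%'), array('<?php echo "<?"; ?>', '<?php echo "<%"; ?>'), $content);
 $content = preg_replace_callback('#<esi\:include\s+(.*?)\s*/>#', array($this, 'handleEsiIncludeTag'), $content);
 $content = preg_replace('#<esi\:comment[^>]*/>#', '', $content);
 $content = preg_replace('#<esi\:remove>.*?</esi\:remove>#', '', $content);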
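Review bot: The added str_replace neutralises only the `<?` and `<%` openers, but if this component still targets PHP 5 (the test file extending PHPUnit_Framework_TestCase and the array() syntax suggest it does) the lexer also enters PHP mode on `<script language="php">`, matched case-insensitively, so a response body carrying that tag would still execute when HttpCache includes the cached page. Because the escape works by re-emitting the matched prefix through an echo, the same trick closes that gap with one more, case-insensitive pass placed after the existing call: `$content = str_ireplace('<script', '<?php echo "<script"; ?>', $content);`. The needle order in the existing call is also load-bearing, since the `<%` replacement text itself contains `<?` and would be mangled if the `<?` pass ran second, which deserves a comment such as `// order matters: the '<%' replacement emits a '<?' that must not be re-escaped`. The src and alt attribute values that handleEsiIncludeTag later interpolates into the generated `<?php echo $this->esi->handle($this, '…', '', false) ?>` tag (see the expected string in the test hunk) are not covered by this line, so if that helper, which is outside the hunk, does not quote them, a single quote in an esi:include attribute can presumably still break out of the PHP string literal. process() begins before and ends after this hunk.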
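--- a/EsiTest.php
+++ b/EsiTest.php
@@ -109,6 +109,17 @@ class EsiTest extends \PHPUnit_Framework_TestCase
 $this->assertEquals('foo <?php echo $this->esi->handle($this, \'...\', \'\', false) ?>'."\n", $response->getContent());
 }
 
+public function testProcessEscapesPhpTags()
+{
+$esi = new Esi();
+
+$request = Request::create('/');
+$response = new Response('foo <?php die("foo"); ?><%= "lala" %>');
+$esi->process($request, $response);
+
+$this->assertEquals('foo <?php echo "<?"; ?>php die("foo"); ?><?php echo "<%"; ?>= "lala" %>', $response->getContent());
+}
+
 /**
 * @expectedException RuntimeException
 */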
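Review bot: The assertion in testProcessEscapesPhpTags pins the exact escape encoding rather than the property the commit is after, namely that the generated page prints the original body unchanged when HttpCache executes it as PHP, so a later change to the encoding would fail the test without saying whether execution is still prevented. A round-trip check captures that directly, for example `ob_start(); eval('?>'.$response->getContent()); $this->assertEquals('foo <?php die("foo"); ?><%= "lala" %>', ob_get_clean());` after the existing assertion, where die("foo") aborting the run is the signal that escaping failed. The fixture only exercises lowercase `<?` and `<%`; whether other openers such as `<script language="php">` need a case depends on the PHP versions the component targets, which is not visible here. Since the expected string embeds the replacement verbatim, a one-line comment above the assertion stating that each `<?` and `<%` must be re-emitted by a PHP echo would help the next reader.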