merged branch inanimatt/2.0 (PR #3068)

Commits ------- 0507840 Prevent parameters from overwriting the template filename. Discussion ---------- Prevent parameters from overwriting the template filename. Fixes a potential arbitrary file execution exploit.
2012-01-09 14:01:32 +01:00 · 2012-01-09 14:01:32 +01:00 · caec56fbe3
commit caec56fbe3
parent 2f0afb2b5a 0507840b67
1 changed files with 7 additions and 2 deletions
--- a/src/Symfony/Component/Templating/PhpEngine.php
+++ b/src/Symfony/Component/Templating/PhpEngine.php
@ -150,15 +150,20 @@ class PhpEngine implements EngineInterface, \ArrayAccess
    protected function evaluate(Storage $template, array $parameters = array())
    {
        $__template__ = $template;
+        
+        if (isset($parameters['__template__'])) {
+            throw new \InvalidArgumentException('Invalid parameter (__template__)');
+        }
+        
        if ($__template__ instanceof FileStorage) {
-            extract($parameters);
+            extract($parameters, EXTR_SKIP);
            $view = $this;
            ob_start();
            require $__template__;

            return ob_get_clean();
        } elseif ($__template__ instanceof StringStorage) {
-            extract($parameters);
+            extract($parameters, EXTR_SKIP);
            $view = $this;
            ob_start();
            eval('; ?>'.$__template__.'<?php ;');