Merge pull request #5102 in SW/shopware from sw-18917/5.2/fix-string-…

…compiler to 5.2 * commit '283bb52301af9fef4da9bc8d8cc4b6a1f27bc767': SW-18917 - Add whitelist for smarty functions SW-18917 - Optimize template security for mail preview and merchant mails
shopware5 · Jun 22, 2017 · 2c51320 · 2c51320
2 parents 710beec + 283bb52
commit 2c51320
Show file tree

Hide file tree

Showing 6 changed files with 419 additions and 1 deletion.
diff --git a/engine/Shopware/Components/StringCompiler.php b/engine/Shopware/Components/StringCompiler.php
@@ -164,7 +164,6 @@ public function compileSmartyString($value, $context)
 
         try {
             $template = $templateEngine->createTemplate('string:' . $value);
-            $template->enableSecurity();
             $template->assign($context);
             $template = $template->fetch();
         } catch (SmartyCompilerException $e) {

diff --git a/engine/Shopware/Components/Template/Security.php b/engine/Shopware/Components/Template/Security.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * Shopware 5
+ * Copyright (c) shopware AG
+ *
+ * According to our dual licensing model, this program can be used either
+ * under the terms of the GNU Affero General Public License, version 3,
+ * or under a proprietary license.
+ *
+ * The texts of the GNU Affero General Public License with an additional
+ * permission and of our proprietary license can be found at and
+ * in the LICENSE file you have received along with this program.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * "Shopware" is a registered trademark of shopware AG.
+ * The licensing of the program under the AGPLv3 does not imply a
+ * trademark license. Therefore any rights, title and interest in
+ * our trademarks remain entirely with us.
+ */
+
+namespace Shopware\Components\Template;
+
+class Security extends \Smarty_Security
+{
+    public function __construct(\Smarty $smarty, $config = [])
+    {
+        if (is_array($config)) {
+            foreach ($config as $key => $value) {
+                if (property_exists($this, $key)) {
+                    $this->$key = $value;
+                }
+            }
+        }
+
+        parent::__construct($smarty);
+    }
+}
diff --git a/engine/Shopware/Configs/Default.php b/engine/Shopware/Configs/Default.php
@@ -199,4 +199,8 @@
         'use_trans_sid' => 0,
         'locking' => false,
     ],
+    'template_security' => [
+        'php_modifiers' => include __DIR__ . '/smarty_functions.php',
+        'php_functions' => include __DIR__ . '/smarty_functions.php',
+    ],
 ], $customConfig);