From 36a49052ca2db4357102993bbd14a224b910b91b Mon Sep 17 00:00:00 2001
From: Oliver Skroblin <o.skroblin@shopware.com>
Date: Thu, 22 Jun 2017 13:51:11 +0200
Subject: [PATCH 1/2] SW-18917 - Optimize template security for mail preview
 and merchant mails

---
 engine/Shopware/Components/StringCompiler.php |  1 -
 .../Shopware/Components/Template/Security.php | 41 +++++++++++++++++++
 engine/Shopware/Configs/Default.php           |  3 ++
 engine/Shopware/Controllers/Backend/Mail.php  |  8 ++++
 .../Shopware/Controllers/Backend/Widgets.php  |  8 ++++
 5 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 engine/Shopware/Components/Template/Security.php

diff --git a/engine/Shopware/Components/StringCompiler.php b/engine/Shopware/Components/StringCompiler.php
index cd86bd0858e..6c065d0d5c3 100644
--- a/engine/Shopware/Components/StringCompiler.php
+++ b/engine/Shopware/Components/StringCompiler.php
@@ -164,7 +164,6 @@ public function compileSmartyString($value, $context)
 
         try {
             $template = $templateEngine->createTemplate('string:' . $value);
-            $template->enableSecurity();
             $template->assign($context);
             $template = $template->fetch();
         } catch (SmartyCompilerException $e) {
diff --git a/engine/Shopware/Components/Template/Security.php b/engine/Shopware/Components/Template/Security.php
new file mode 100644
index 00000000000..232c0dd8208
--- /dev/null
+++ b/engine/Shopware/Components/Template/Security.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * Shopware 5
+ * Copyright (c) shopware AG
+ *
+ * According to our dual licensing model, this program can be used either
+ * under the terms of the GNU Affero General Public License, version 3,
+ * or under a proprietary license.
+ *
+ * The texts of the GNU Affero General Public License with an additional
+ * permission and of our proprietary license can be found at and
+ * in the LICENSE file you have received along with this program.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * "Shopware" is a registered trademark of shopware AG.
+ * The licensing of the program under the AGPLv3 does not imply a
+ * trademark license. Therefore any rights, title and interest in
+ * our trademarks remain entirely with us.
+ */
+
+namespace Shopware\Components\Template;
+
+class Security extends \Smarty_Security
+{
+    public function __construct(\Smarty $smarty, $config = [])
+    {
+        if (is_array($config)) {
+            foreach ($config as $key => $value) {
+                if (property_exists($this, $key)) {
+                    $this->$key = $value;
+                }
+            }
+        }
+
+        parent::__construct($smarty);
+    }
+}
diff --git a/engine/Shopware/Configs/Default.php b/engine/Shopware/Configs/Default.php
index c247b48f21c..d34ff21bdf3 100644
--- a/engine/Shopware/Configs/Default.php
+++ b/engine/Shopware/Configs/Default.php
@@ -199,4 +199,7 @@
         'use_trans_sid' => 0,
         'locking' => false,
     ],
+    'template_security' => [
+        'php_modifiers' => ['nl2br', 'escape', 'count'],
+    ],
 ], $customConfig);
diff --git a/engine/Shopware/Controllers/Backend/Mail.php b/engine/Shopware/Controllers/Backend/Mail.php
index 4016fbe21ce..0e8f07cbc3c 100644
--- a/engine/Shopware/Controllers/Backend/Mail.php
+++ b/engine/Shopware/Controllers/Backend/Mail.php
@@ -22,6 +22,7 @@
  * our trademarks remain entirely with us.
  */
 
+use Shopware\Components\Template\Security;
 use Shopware\Models\Mail\Attachment;
 use Shopware\Models\Mail\Mail;
 use Shopware\Models\Shop\Shop;
@@ -353,6 +354,13 @@ public function verifySmartyAction()
             $this->View()->assign(['success' => false, 'message' => 'Value not found']);
         }
 
+        $this->View()->Engine()->enableSecurity(
+            new Security(
+                $this->View()->Engine(),
+                $this->container->getParameter('shopware.template_security')
+            )
+        );
+
         $compiler = new Shopware_Components_StringCompiler($this->View()->Engine());
 
         $shop = Shopware()->Models()->getRepository(Shop::class)->getActiveDefault();
diff --git a/engine/Shopware/Controllers/Backend/Widgets.php b/engine/Shopware/Controllers/Backend/Widgets.php
index 986773d7823..daee4fd143a 100644
--- a/engine/Shopware/Controllers/Backend/Widgets.php
+++ b/engine/Shopware/Controllers/Backend/Widgets.php
@@ -22,6 +22,7 @@
  * our trademarks remain entirely with us.
  */
 
+use Shopware\Components\Template\Security;
 use Shopware\Models\Shop\Locale;
 
 /**
@@ -677,6 +678,13 @@ public function sendMailToMerchantAction()
 
         $content = preg_replace('`<br(?: /)?>([\\n\\r])`', '$1', $params['content']);
 
+        $this->View()->Engine()->enableSecurity(
+            new Security(
+                $this->View()->Engine(),
+                $this->container->getParameter('shopware.template_security')
+            )
+        );
+
         $compiler = new Shopware_Components_StringCompiler($this->View()->Engine());
         $defaultContext = [
             'sConfig' => Shopware()->Config(),

From 283bb52301af9fef4da9bc8d8cc4b6a1f27bc767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jens=20K=C3=BCper?= <J.Kueper@shopware.com>
Date: Thu, 22 Jun 2017 14:39:30 +0200
Subject: [PATCH 2/2] SW-18917 - Add whitelist for smarty functions

---
 engine/Shopware/Configs/Default.php          |   3 +-
 engine/Shopware/Configs/smarty_functions.php | 358 +++++++++++++++++++
 2 files changed, 360 insertions(+), 1 deletion(-)
 create mode 100644 engine/Shopware/Configs/smarty_functions.php

diff --git a/engine/Shopware/Configs/Default.php b/engine/Shopware/Configs/Default.php
index d34ff21bdf3..e10a3f7be89 100644
--- a/engine/Shopware/Configs/Default.php
+++ b/engine/Shopware/Configs/Default.php
@@ -200,6 +200,7 @@
         'locking' => false,
     ],
     'template_security' => [
-        'php_modifiers' => ['nl2br', 'escape', 'count'],
+        'php_modifiers' => include __DIR__ . '/smarty_functions.php',
+        'php_functions' => include __DIR__ . '/smarty_functions.php',
     ],
 ], $customConfig);
diff --git a/engine/Shopware/Configs/smarty_functions.php b/engine/Shopware/Configs/smarty_functions.php
new file mode 100644
index 00000000000..d303b691180
--- /dev/null
+++ b/engine/Shopware/Configs/smarty_functions.php
@@ -0,0 +1,358 @@
+<?php
+/**
+ * Shopware 5
+ * Copyright (c) shopware AG
+ *
+ * According to our dual licensing model, this program can be used either
+ * under the terms of the GNU Affero General Public License, version 3,
+ * or under a proprietary license.
+ *
+ * The texts of the GNU Affero General Public License with an additional
+ * permission and of our proprietary license can be found at and
+ * in the LICENSE file you have received along with this program.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * "Shopware" is a registered trademark of shopware AG.
+ * The licensing of the program under the AGPLv3 does not imply a
+ * trademark license. Therefore any rights, title and interest in
+ * our trademarks remain entirely with us.
+ */
+
+return [
+    'abs',
+    'acos',
+    'acosh',
+    'addcslashes',
+    'addslashes',
+    'array_change_key_case',
+    'array_chunk',
+    'array_column',
+    'array_combine',
+    'array_count_values',
+    'array_diff',
+    'array_diff_assoc',
+    'array_diff_key',
+    'array_diff_uassoc',
+    'array_diff_ukey',
+    'array_fill',
+    'array_fill_keys',
+    'array_filter',
+    'array_flip',
+    'array_intersect',
+    'array_intersect_assoc',
+    'array_intersect_key',
+    'array_intersect_uassoc',
+    'array_intersect_ukey',
+    'array_key_exists',
+    'array_keys',
+    'array_map',
+    'array_merge',
+    'array_merge_recursive',
+    'array_multisort',
+    'array_pad',
+    'array_pop',
+    'array_product',
+    'array_push',
+    'array_rand',
+    'array_reduce',
+    'array_replace',
+    'array_replace_recursive',
+    'array_reverse',
+    'array_search',
+    'array_shift',
+    'array_slice',
+    'array_splice',
+    'array_sum',
+    'array_udiff',
+    'array_udiff_assoc',
+    'array_udiff_uassoc',
+    'array_uintersect',
+    'array_uintersect_assoc',
+    'array_uintersect_uassoc',
+    'array_unique',
+    'array_unshift',
+    'array_values',
+    'array_walk',
+    'array_walk_recursive',
+    'arsort',
+    'asin',
+    'asinh',
+    'asort',
+    'atan',
+    'atan2',
+    'atanh',
+    'base64_decode',
+    'base64_encode',
+    'base_convert',
+    'bin2hex',
+    'bindec',
+    'boolval',
+    'cal_days_in_month',
+    'cal_from_jd',
+    'cal_info',
+    'cal_to_jd',
+    'ceil',
+    'checkdate',
+    'chop',
+    'chr',
+    'chunk_split',
+    'compact',
+    'constant',
+    'convert_cyr_string',
+    'convert_uudecode',
+    'convert_uuencode',
+    'cos',
+    'cosh',
+    'count',
+    'count_chars',
+    'crypt',
+    'ctype_alnum',
+    'ctype_alpha',
+    'ctype_cntrl',
+    'ctype_digit',
+    'ctype_graph',
+    'ctype_lower',
+    'ctype_print',
+    'ctype_punct',
+    'ctype_space',
+    'ctype_upper',
+    'ctype_xdigit',
+    'current',
+    'date',
+    'date_add',
+    'date_create',
+    'date_create_from_format',
+    'date_create_immutable',
+    'date_create_immutable_from_format',
+    'date_date_set',
+    'date_default_timezone_get',
+    'date_diff',
+    'date_format',
+    'date_get_last_errors',
+    'date_interval_create_from_date_string',
+    'date_interval_format',
+    'date_modify',
+    'date_offset_get',
+    'date_parse',
+    'date_parse_from_format',
+    'date_sub',
+    'date_sun_info',
+    'date_sunrise',
+    'date_sunset',
+    'date_timestamp_get',
+    'date_timezone_get',
+    'decbin',
+    'dechex',
+    'decoct',
+    'deg2rad',
+    'doubleval',
+    'each',
+    'easter_date',
+    'easter_days',
+    'end',
+    'exp',
+    'explode',
+    'expm1',
+    'filter_has_var',
+    'filter_id',
+    'filter_input',
+    'filter_input_array',
+    'filter_list',
+    'filter_var',
+    'filter_var_array',
+    'floatval',
+    'floor',
+    'fmod',
+    'frenchtojd',
+    'get_browser',
+    'getdate',
+    'getrandmax',
+    'gettimeofday',
+    'gettype',
+    'gmdate',
+    'gmmktime',
+    'gmstrftime',
+    'gregoriantojd',
+    'hex2bin',
+    'hexdec',
+    'html_entity_decode',
+    'htmlentities',
+    'htmlspecialchars',
+    'htmlspecialchars_decode',
+    'hypot',
+    'iconv',
+    'iconv_get_encoding',
+    'iconv_mime_decode',
+    'iconv_mime_decode_headers',
+    'iconv_mime_encode',
+    'iconv_set_encoding',
+    'iconv_strlen',
+    'iconv_strpos',
+    'iconv_strrpos',
+    'iconv_substr',
+    'idate',
+    'implode',
+    'in_array',
+    'intdiv',
+    'intval',
+    'ip2long',
+    'is_array',
+    'is_bool',
+    'is_double',
+    'is_finite',
+    'is_float',
+    'is_infinite',
+    'is_int',
+    'is_integer',
+    'is_iterable',
+    'is_long',
+    'is_nan',
+    'is_null',
+    'is_numeric',
+    'is_string',
+    'iterator_apply',
+    'iterator_count',
+    'iterator_to_array',
+    'jddayofweek',
+    'jdmonthname',
+    'jdtofrench',
+    'jdtogregorian',
+    'jdtojewish',
+    'jdtojulian',
+    'jdtounix',
+    'jewishtojd',
+    'join',
+    'json_decode',
+    'json_encode',
+    'json_last_error',
+    'json_last_error_msg',
+    'juliantojd',
+    'key',
+    'key_exists',
+    'ksort',
+    'lcfirst',
+    'levenshtein',
+    'localtime',
+    'log',
+    'log10',
+    'log1p',
+    'long2ip',
+    'ltrim',
+    'max',
+    'md5',
+    'mhash',
+    'mhash_count',
+    'mhash_get_block_size',
+    'mhash_get_hash_name',
+    'mhash_keygen_s2k',
+    'microtime',
+    'min',
+    'mktime',
+    'money_format',
+    'mt_getrandmax',
+    'mt_rand',
+    'mt_srand',
+    'natcasesort',
+    'natsort',
+    'next',
+    'nl2br',
+    'number_format',
+    'octdec',
+    'ord',
+    'parse_str',
+    'parse_url',
+    'php_strip_whitespace',
+    'pi',
+    'pos',
+    'pow',
+    'prev',
+    'printf',
+    'rad2deg',
+    'rand',
+    'random_bytes',
+    'random_int',
+    'range',
+    'rawurldecode',
+    'rawurlencode',
+    'reset',
+    'round',
+    'rsort',
+    'rtrim',
+    'serialize',
+    'sha1',
+    'shuffle',
+    'similar_text',
+    'sin',
+    'sinh',
+    'sizeof',
+    'sort',
+    'soundex',
+    'sprintf',
+    'sqrt',
+    'srand',
+    'str_ireplace',
+    'str_pad',
+    'str_repeat',
+    'str_replace',
+    'str_rot13',
+    'str_shuffle',
+    'str_split',
+    'str_word_count',
+    'strcasecmp',
+    'strchr',
+    'strcmp',
+    'strcoll',
+    'strcspn',
+    'strftime',
+    'strip_tags',
+    'stripcslashes',
+    'stripos',
+    'stripslashes',
+    'stristr',
+    'strlen',
+    'strnatcasecmp',
+    'strnatcmp',
+    'strncasecmp',
+    'strncmp',
+    'strpbrk',
+    'strpos',
+    'strptime',
+    'strrchr',
+    'strrev',
+    'strripos',
+    'strrpos',
+    'strspn',
+    'strstr',
+    'strtok',
+    'strtolower',
+    'strtotime',
+    'strtoupper',
+    'strtr',
+    'strval',
+    'substr',
+    'substr_compare',
+    'substr_count',
+    'substr_replace',
+    'tan',
+    'tanh',
+    'time',
+    'trim',
+    'uasort',
+    'ucfirst',
+    'ucwords',
+    'uksort',
+    'uniqid',
+    'unixtojd',
+    'unserialize',
+    'urldecode',
+    'urlencode',
+    'usort',
+    'utf8_decode',
+    'utf8_encode',
+    'version_compare',
+    'wordwrap',
+];