diff --git a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
index c4f51f9c7..8e29416aa 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
@@ -20,6 +20,7 @@ namespace Combodo\iTop\Portal\Twig;
 use Dict;
+use PhpParser\Node\Expr\Closure;
 use Twig\Extension\AbstractExtension;
 use Twig_SimpleFilter;
 use Twig_SimpleFunction;
@@ -98,7 +99,7 @@ class AppExtension extends AbstractExtension
 return $sUrl;
 });
 //since 2.7.7 3.0.2 3.1.0 N°4867 "Twig content not allowed" error when use the extkey widget search icon in the user portal
-//overwrite native twig filter : disable use of 'system' filter
+ // Since 2.7.8 filter more functions as filter 'filter' is used by the portal
 $filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
 $ret = $this->SanitizeFilter($array, $arrow);
 if ($ret !== false) {
@@ -106,20 +107,13 @@ class AppExtension extends AbstractExtension
 }
 return twig_array_filter($array, $arrow);
 });
+ // Since 2.7.8 deactivate map
 $filters[] = new Twig_SimpleFilter('map', function ($array, $arrow) {
- $ret = $this->SanitizeFilter($array, $arrow);
- if ($ret !== false) {
- return [$ret];
- }
- return twig_array_map($array, $arrow);
+ return $array;
 });
+ // Since 2.7.8 deactivate reduce
 $filters[] = new Twig_SimpleFilter('reduce', function ($array, $arrow, $initial = null) {
- $ret = $this->SanitizeFilter($array, $arrow);
- if ($ret !== false) {
- return $ret;
- }
- // reduce return mixed results not only arrays
- return twig_array_reduce($array, $arrow, $initial);
+ return $array;
 });
 return $filters;
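Review bot: The `Closure` imported here is `PhpParser\Node\Expr\Closure`, an AST node class from the nikic/php-parser package, not PHP's native `\Closure`, so the `$arrow instanceof Closure` branch added to `SanitizeFilter` in the last hunk of this file can never match a runtime closure (and `instanceof` against a class that is not loaded silently yields false instead of erroring). If the intent is to refuse closure arrows, drop this import and write the check as `$arrow instanceof \Closure`. Be aware that Twig's own arrow functions (`v => v.active`) compile, as far as I know, to native closures, so that change would refuse them too; confirm that is wanted. As written the branch is dead and the import only adds a dependency on the parser package.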
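Review bot: The deactivated `map` and `reduce` filters now return `$array` untouched instead of signalling that the filter is refused, so a template that uses either renders silently wrong output, and for `reduce` an array is returned where the caller expects a scalar. Throwing from the closure, e.g. `throw new \Twig\Error\RuntimeError('The "map" filter is disabled in the portal.');`, would make the refusal visible in logs and tests rather than hiding it. The `$initial = null` parameter of the `reduce` closure is now unused as well. The enclosing `getFilters` method starts before this hunk.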
@@ -127,10 +121,67 @@ class AppExtension extends AbstractExtension
 private function SanitizeFilter($array, $arrow)
 {
+ $aRestricted = [
+ 'system',
+ 'exec',
+ 'passthru',
+ 'popen',
+ 'proc_open',
+ 'shell_exec',
+ 'file_get_contents',
+ 'file_put_contents',
+ 'eval',
+ 'pcntl_exec',
+ 'chgrp',
+ 'chmod',
+ 'chown',
+ 'lchgrp',
+ 'lchown',
+ 'umask',
+ 'copy',
+ 'delete',
+ 'unlink',
+ 'link',
+ 'mkdir',
+ 'rmdir',
+ 'rename',
+ 'symlink',
+ 'tempnam',
+ 'tmpfile',
+ 'touch',
+ 'fgetc',
+ 'fgetcsv',
+ 'fgets',
+ 'fgetss',
+ 'file',
+ 'flock',
+ 'fopen',
+ 'fpassthru',
+ 'fputcsv',
+ 'fputs',
+ 'fread',
+ 'fscanf',
+ 'ftruncate',
+ 'fwrite',
+ 'glob',
+ 'readfile',
+ 'readlink',
+ 'parse_ini_file',
+ 'mail',
+ ];
+ $aRestrictedStartWith = ['ftp_', 'zip_', 'stream_'];
+
 if (is_string($arrow)) {
- if (in_array(strtolower($arrow), ['system', 'exec', 'passthru', 'popen'])) {
+ if (in_array(strtolower($arrow), $aRestricted)) {
 return json_encode($array);
 }
+ foreach ($aRestrictedStartWith as $sRestrictedStartWith) {
+ if (utils::StartsWith($arrow, $sRestrictedStartWith)) {
+ return json_encode($array);
+ }
+ }
+ } elseif ($arrow instanceof Closure) {
+ return json_encode($array);
 }
 return false;
 }
diff --git a/test/twig/test.html b/test/twig/test.html
index 3fb370a80..15039796e 100644
--- a/test/twig/test.html
+++ b/test/twig/test.html
@@ -19,7 +19,7 @@ ["touch+\/tmp\/test+"]
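Review bot: The prefix check in the new `foreach` tests `$arrow` as given, while the exact-name check just above tests `strtolower($arrow)`; PHP resolves function names case-insensitively, so both checks should run on the same lowercased value, e.g. `$sArrow = strtolower($arrow);` then `in_array($sArrow, $aRestricted, true)` and `utils::StartsWith($sArrow, $sRestrictedStartWith)`. The `in_array` call should also pass `strict: true`. More broadly, a denylist of function names only stops callables someone remembered to list, whereas an allowlist of the few callables the portal templates actually need (or refusing any string arrow outright) is the check that does not need maintaining. `utils::StartsWith` resolves inside the `Combodo\iTop\Portal\Twig` namespace unless `utils` is imported above, which this hunk does not show.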