mirror of
https://github.com/Combodo/iTop.git
synced 2026-05-21 08:12:26 +02:00
N°5725 - Twig update 'filter', 'map' and 'reduce' filters
This commit is contained in:
Eric Espie
@@ -20,6 +20,7 @@
|
||||
namespace Combodo\iTop\Portal\Twig;
|
||||
|
||||
use Dict;
|
||||
use PhpParser\Node\Expr\Closure;
|
||||
use Twig\Extension\AbstractExtension;
|
||||
use Twig_SimpleFilter;
|
||||
use Twig_SimpleFunction;
|
||||
@@ -98,7 +99,7 @@ class AppExtension extends AbstractExtension
|
||||
return $sUrl;
|
||||
});
|
||||
//since 2.7.7 3.0.2 3.1.0 N°4867 "Twig content not allowed" error when use the extkey widget search icon in the user portal
|
||||
//overwrite native twig filter : disable use of 'system' filter
|
||||
// Since 2.7.8 filter more functions as filter 'filter' is used by the portal
|
||||
$filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
|
||||
$ret = $this->SanitizeFilter($array, $arrow);
|
||||
if ($ret !== false) {
|
||||
@@ -106,20 +107,13 @@ class AppExtension extends AbstractExtension
|
||||
}
|
||||
return twig_array_filter($array, $arrow);
|
||||
});
|
||||
// Since 2.7.8 deactivate map
|
||||
$filters[] = new Twig_SimpleFilter('map', function ($array, $arrow) {
|
||||
$ret = $this->SanitizeFilter($array, $arrow);
|
||||
if ($ret !== false) {
|
||||
return [$ret];
|
||||
}
|
||||
return twig_array_map($array, $arrow);
|
||||
return $array;
|
||||
});
|
||||
// Since 2.7.8 deactivate reduce
|
||||
$filters[] = new Twig_SimpleFilter('reduce', function ($array, $arrow, $initial = null) {
|
||||
$ret = $this->SanitizeFilter($array, $arrow);
|
||||
if ($ret !== false) {
|
||||
return $ret;
|
||||
}
|
||||
// reduce return mixed results not only arrays
|
||||
return twig_array_reduce($array, $arrow, $initial);
|
||||
return $array;
|
||||
});
|
||||
|
||||
return $filters;
|
||||
@@ -127,10 +121,67 @@ class AppExtension extends AbstractExtension
|
||||
|
||||
private function SanitizeFilter($array, $arrow)
|
||||
{
|
||||
$aRestricted = [
|
||||
'system',
|
||||
'exec',
|
||||
'passthru',
|
||||
'popen',
|
||||
'proc_open',
|
||||
'shell_exec',
|
||||
'file_get_contents',
|
||||
'file_put_contents',
|
||||
'eval',
|
||||
'pcntl_exec',
|
||||
'chgrp',
|
||||
'chmod',
|
||||
'chown',
|
||||
'lchgrp',
|
||||
'lchown',
|
||||
'umask',
|
||||
'copy',
|
||||
'delete',
|
||||
'unlink',
|
||||
'link',
|
||||
'mkdir',
|
||||
'rmdir',
|
||||
'rename',
|
||||
'symlink',
|
||||
'tempnam',
|
||||
'tmpfile',
|
||||
'touch',
|
||||
'fgetc',
|
||||
'fgetcsv',
|
||||
'fgets',
|
||||
'fgetss',
|
||||
'file',
|
||||
'flock',
|
||||
'fopen',
|
||||
'fpassthru',
|
||||
'fputcsv',
|
||||
'fputs',
|
||||
'fread',
|
||||
'fscanf',
|
||||
'ftruncate',
|
||||
'fwrite',
|
||||
'glob',
|
||||
'readfile',
|
||||
'readlink',
|
||||
'parse_ini_file',
|
||||
'mail',
|
||||
];
|
||||
$aRestrictedStartWith = ['ftp_', 'zip_', 'stream_'];
|
||||
|
||||
if (is_string($arrow)) {
|
||||
if (in_array(strtolower($arrow), ['system', 'exec', 'passthru', 'popen'])) {
|
||||
if (in_array(strtolower($arrow), $aRestricted)) {
|
||||
return json_encode($array);
|
||||
}
|
||||
foreach ($aRestrictedStartWith as $sRestrictedStartWith) {
|
||||
if (utils::StartsWith($arrow, $sRestrictedStartWith)) {
|
||||
return json_encode($array);
|
||||
}
|
||||
}
|
||||
} elseif ($arrow instanceof Closure) {
|
||||
return json_encode($array);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user