
Commit c2423e8

Merge MC-13741 into 2.3-bugfixes-070219
2 parents c18fc16 + 475adc0 commit c2423e8


2 files changed

+75
-5
lines changed


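--- a/lib/internal/Magento/Framework/Filter/Template.php
+++ b/lib/internal/Magento/Framework/Filter/Template.php
@@ -9,6 +9,9 @@
  */
 namespace Magento\Framework\Filter;
 
+use Magento\Framework\Model\AbstractExtensibleModel;
+use Magento\Framework\Model\AbstractModel;
+
 /**
  * Template filter
  *
@@ -66,7 +69,14 @@ class Template implements \Zend_Filter_Interface
     /**
      * @var string[]
      */
-    private $restrictedMethods = ['addafterfiltercallback'];
+    private $restrictedMethods = [
+        'addafterfiltercallback',
+        'getresourcecollection',
+        'load',
+        'save',
+        'getcollection',
+        'getresource'
+    ];
 
     /**
      * @param \Magento\Framework\Stdlib\StringUtils $string
@@ -391,6 +401,27 @@ private function validateVariableMethodCall($object, string $method): void
         }
     }
 
+    /**
+     * Check allowed methods for data objects.
+     *
+     * Deny calls for methods that may disrupt template processing.
+     *
+     * @param object $object
+     * @param string $method
+     * @return bool
+     * @throws \InvalidArgumentException
+     */
+    private function isAllowedDataObjectMethod($object, string $method): bool
+    {
+        if ($object instanceof AbstractExtensibleModel || $object instanceof AbstractModel) {
+            if (in_array(mb_strtolower($method), $this->restrictedMethods)) {
+                throw new \InvalidArgumentException("Method $method cannot be called from template.");
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Return variable value for var construction
      *
@@ -429,10 +460,13 @@ protected function getVariable($value, $default = '{no_value_defined}')
                 || substr($stackVars[$i]['name'], 0, 3) == 'get'
             ) {
                 $stackVars[$i]['args'] = $this->getStackArgs($stackVars[$i]['args']);
-                $stackVars[$i]['variable'] = call_user_func_array(
-                    [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
-                    $stackVars[$i]['args']
-                );
+
+                if ($this->isAllowedDataObjectMethod($stackVars[$i - 1]['variable'], $stackVars[$i]['name'])) {
+                    $stackVars[$i]['variable'] = call_user_func_array(
+                        [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
+                        $stackVars[$i]['args']
+                    );
+                }
             }
         }
         $last = $i;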
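Review bot: The new isAllowedDataObjectMethod check is a six-entry denylist scoped to AbstractModel/AbstractExtensibleModel instances, so a stack variable holding any other object type (whatever an earlier getter in the chain returned) reaches call_user_func_array with no method restriction at all, and any model method outside that list that mutates state or triggers a query (a `delete()` if the model defines one, for instance) is still reachable from template text; a denylist is hard to keep complete, so consider applying the check to every object on the stack regardless of type, or inverting it to an allowlist of plain getters. The method is also declared `@return bool` but only ever returns true or throws, which makes the `if (...)` wrapper in getVariable dead code; following the `validateVariableMethodCall($object, string $method): void` shape visible in the hunk header and calling `$this->validateDataObjectMethod($stackVars[$i - 1]['variable'], $stackVars[$i]['name']);` before the unconditional call_user_func_array would say what actually happens. Minor: `in_array(mb_strtolower($method), $this->restrictedMethods, true)` should pass the strict flag, and if AbstractExtensibleModel extends AbstractModel (not visible here) the first instanceof is redundant. getVariable's body starts and ends outside the hunk.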

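--- a/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php
+++ b/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php
@@ -6,17 +6,25 @@
 
 namespace Magento\Framework\Filter\Test\Unit;
 
+use Magento\Store\Model\Store;
+
 class TemplateTest extends \PHPUnit\Framework\TestCase
 {
     /**
      * @var \Magento\Framework\Filter\Template
      */
     private $templateFilter;
 
+    /**
+     * @var Store
+     */
+    private $store;
+
     protected function setUp()
     {
         $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->templateFilter = $objectManager->getObject(\Magento\Framework\Filter\Template::class);
+        $this->store = $objectManager->getObject(Store::class);
     }
 
     public function testFilter()
@@ -403,4 +411,32 @@ public function testInappropriateCallbacks()
         $this->templateFilter->setVariables(['filter' => $this->templateFilter]);
         $this->templateFilter->filter('Test {{var filter.addAfterFilterCallback(\'mb_strtolower\')}}');
     }
+
+    /**
+     * Test adding callbacks when already filtering.
+     *
+     * @expectedException \InvalidArgumentException
+     * @dataProvider disallowedMethods
+     */
+    public function testDisallowedMethods($method)
+    {
+        $this->templateFilter->setVariables(['store' => $this->store]);
+        $this->templateFilter->filter('{{var store.'.$method.'()}}');
+    }
+
+    /**
+     * Data for testDisallowedMethods method
+     *
+     * @return array
+     */
+    public function disallowedMethods()
+    {
+        return [
+            ['getResourceCollection'],
+            ['load'],
+            ['save'],
+            ['getCollection'],
+            ['getResource'],
+        ];
+    }
 }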
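Review bot: The docblock on testDisallowedMethods, "Test adding callbacks when already filtering.", is copied from the preceding callback test and does not describe this test; it should read something like `* Restricted model methods cannot be invoked from template text.`. The test also only proves that the denied names throw; it does not show that an ordinary getter on the same Store variable still resolves, so an over-broad restriction would pass unnoticed — a companion case asserting that `{{var store.getId()}}` (or whichever harmless getter the model exposes) filters without throwing would pin both sides of the rule. Since the exception message includes the method name, `expectExceptionMessage("Method $method cannot be called from template.")` would additionally tie the failure to the new check rather than any InvalidArgumentException raised earlier in the filter.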
