|
9 | 9 | */
|
10 | 10 | namespace Magento\Framework\Filter;
|
11 | 11 |
|
| 12 | +use Magento\Framework\Model\AbstractExtensibleModel; |
| 13 | +use Magento\Framework\Model\AbstractModel; |
| 14 | + |
12 | 15 | /**
|
13 | 16 | * Template filter
|
14 | 17 | *
|
@@ -66,7 +69,13 @@ class Template implements \Zend_Filter_Interface
|
66 | 69 | /**
|
67 | 70 | * @var string[]
|
68 | 71 | */
|
69 |
| - private $restrictedMethods = ['addafterfiltercallback']; |
| 72 | + private $restrictedMethods = [ |
| 73 | + 'addafterfiltercallback', |
| 74 | + 'getresourcecollection', |
| 75 | + 'load', |
| 76 | + 'save', |
| 77 | + 'getcollection' |
| 78 | + ]; |
70 | 79 |
|
71 | 80 | /**
|
72 | 81 | * @param \Magento\Framework\Stdlib\StringUtils $string
|
@@ -391,6 +400,27 @@ private function validateVariableMethodCall($object, string $method): void
|
391 | 400 | }
|
392 | 401 | }
|
393 | 402 |
|
| 403 | + /** |
| 404 | + * Check allowed methods for data objects. |
| 405 | + * |
| 406 | + * Deny calls for methods that may disrupt template processing. |
| 407 | + * |
| 408 | + * @param object $object |
| 409 | + * @param string $method |
| 410 | + * @return bool |
| 411 | + * @throws \InvalidArgumentException |
| 412 | + */ |
| 413 | + private function isAllowedDataObjectMethod($object, string $method): bool |
| 414 | + { |
| 415 | + if ($object instanceof AbstractExtensibleModel || $object instanceof AbstractModel) { |
| 416 | + if (in_array(mb_strtolower($method), $this->restrictedMethods)) { |
| 417 | + throw new \InvalidArgumentException("Method $method cannot be called from template."); |
| 418 | + } |
| 419 | + } |
| 420 | + |
| 421 | + return true; |
| 422 | + } |
| 423 | + |
394 | 424 | /**
|
395 | 425 | * Return variable value for var construction
|
396 | 426 | *
|
@@ -429,10 +459,13 @@ protected function getVariable($value, $default = '{no_value_defined}')
|
429 | 459 | || substr($stackVars[$i]['name'], 0, 3) == 'get'
|
430 | 460 | ) {
|
431 | 461 | $stackVars[$i]['args'] = $this->getStackArgs($stackVars[$i]['args']);
|
432 |
| - $stackVars[$i]['variable'] = call_user_func_array( |
433 |
| - [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']], |
434 |
| - $stackVars[$i]['args'] |
435 |
| - ); |
| 462 | + |
| 463 | + if ($this->isAllowedDataObjectMethod($stackVars[$i - 1]['variable'], $stackVars[$i]['name'])) { |
| 464 | + $stackVars[$i]['variable'] = call_user_func_array( |
| 465 | + [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']], |
| 466 | + $stackVars[$i]['args'] |
| 467 | + ); |
| 468 | + } |
436 | 469 | }
|
437 | 470 | }
|
438 | 471 | $last = $i;
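Review bot: `isAllowedDataObjectMethod` (new lines 413–422) either throws or returns `true`, so the `if` wrapped around `call_user_func_array` at new lines 463–467 can never take a false path, and a reader is left to guess whether a restricted method was meant to be silently skipped or rejected; the existing `validateVariableMethodCall` in the same class is `void` and throws, so the new helper should follow that shape: declare it `: void`, drop the `return true;`, and call it as a statement before `call_user_func_array` instead of inside an `if`. Two smaller points in the same helper: `in_array(mb_strtolower($method), $this->restrictedMethods)` should pass `true` as the third argument for a strict comparison, and if `AbstractExtensibleModel` extends `AbstractModel` as it does elsewhere in the framework, the first `instanceof` is redundant and the second alone covers both. The guard is applied only in the branch visible in this hunk; the enclosing `if` begins before the hunk, and any other place in `getVariable` that dispatches a template-supplied method name should receive the same check, which is worth confirming since this denylist is the only thing standing between template input and `load`/`save` on a model.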
|
|