MC-5947: Email templates breaking rendering

Oleksandr Gorkun · Oleksandr Gorkun · commit fabfb01c2e32 · 2019-01-24T13:38:32.000-06:00
diff --git a/lib/internal/Magento/Framework/Filter/Template.php b/lib/internal/Magento/Framework/Filter/Template.php
@@ -63,6 +63,11 @@ class Template implements \Zend_Filter_Interface
      */
     protected $string;
 
+    /**
+     * @var string[]
+     */
+    private $restrictedMethods = ['addafterfiltercallback'];
+
     /**
      * @param \Magento\Framework\Stdlib\StringUtils $string
      * @param array $variables
@@ -367,6 +372,25 @@ protected function getParameters($value)
         return $params;
     }
 
+    /**
+     * Validate method call initiated in a template.
+     *
+     * Deny calls for methods that may disrupt template processing.
+     *
+     * @param object $object
+     * @param string $method
+     * @return void
+     * @throws \InvalidArgumentException
+     */
+    private function validateVariableMethodCall($object, string $method): void
+    {
+        if ($object === $this) {
+            if (in_array(mb_strtolower($method), $this->restrictedMethods)) {
+                throw new \InvalidArgumentException("Method $method cannot be called from template.");
+            }
+        }
+    }
+
     /**
      * Return variable value for var construction
      *
@@ -414,12 +438,12 @@ protected function getVariable($value, $default = '{no_value_defined}')
                 $last = $i;
             } elseif (isset($stackVars[$i - 1]['variable']) && $stackVars[$i]['type'] == 'method') {
                 // Calling object methods
-                if (method_exists($stackVars[$i - 1]['variable'], $stackVars[$i]['name'])) {
-                    $stackVars[$i]['args'] = $this->getStackArgs($stackVars[$i]['args']);
-                    $stackVars[$i]['variable'] = call_user_func_array(
-                        [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
-                        $stackVars[$i]['args']
-                    );
+                $object = $stackVars[$i - 1]['variable'];
+                $method = $stackVars[$i]['name'];
+                if (method_exists($object, $method)) {
+                    $args = $this->getStackArgs($stackVars[$i]['args']);
+                    $this->validateVariableMethodCall($object, $method);
+                    $stackVars[$i]['variable'] = call_user_func_array([$object, $method], $args);
                 }
                 $last = $i;
             }
diff --git a/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php b/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php
@@ -380,4 +380,15 @@ private function getObjectData()
         $dataObject->setAllVisibleItems($visibleItems);
         return $dataObject;
     }
+
+    /**
+     * Test adding callbacks when already filtering.
+     *
+     * @expectedException \InvalidArgumentException
+     */
+    public function testInappropriateCallbacks()
+    {
+        $this->templateFilter->setVariables(['filter' => $this->templateFilter]);
+        $this->templateFilter->filter('Test {{var filter.addAfterFilterCallback(\'mb_strtolower\')}}');
+    }
 }
