Merge pull request #3720 from magento-tsg/2.2.8-develop-pr74

xmav · web-flow · commit ffc69d40d3c4 · 2019-02-09T14:58:42.000+02:00
[TSG] Backporting for 2.2 (pr74) (2.2.8-develop)
diff --git a/app/bootstrap.php b/app/bootstrap.php
@@ -8,6 +8,7 @@
  * Environment initialization
  */
 error_reporting(E_ALL);
+stream_wrapper_unregister('phar');
 #ini_set('display_errors', 1);
 
 /* PHP version validation */
diff --git a/lib/internal/Magento/Framework/Filter/Template.php b/lib/internal/Magento/Framework/Filter/Template.php
@@ -9,6 +9,9 @@
  */
 namespace Magento\Framework\Filter;
 
+use Magento\Framework\Model\AbstractExtensibleModel;
+use Magento\Framework\Model\AbstractModel;
+
 /**
  * @api
  */
@@ -55,7 +58,14 @@ class Template implements \Zend_Filter_Interface
     /**
      * @var string[]
      */
-    private $restrictedMethods = ['addafterfiltercallback'];
+    private $restrictedMethods = [
+        'addafterfiltercallback',
+        'getresourcecollection',
+        'load',
+        'save',
+        'getcollection',
+        'getresource'
+    ];
 
     /**
      * @param \Magento\Framework\Stdlib\StringUtils $string
@@ -321,6 +331,27 @@ private function validateVariableMethodCall($object, string $method)
         }
     }
 
+    /**
+     * Check allowed methods for data objects.
+     *
+     * Deny calls for methods that may disrupt template processing.
+     *
+     * @param object $object
+     * @param string $method
+     * @return bool
+     * @throws \InvalidArgumentException
+     */
+    private function isAllowedDataObjectMethod($object, string $method): bool
+    {
+        if ($object instanceof AbstractExtensibleModel || $object instanceof AbstractModel) {
+            if (in_array(mb_strtolower($method), $this->restrictedMethods)) {
+                throw new \InvalidArgumentException("Method $method cannot be called from template.");
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Return variable value for var construction
      *
@@ -360,14 +391,20 @@ protected function getVariable($value, $default = '{no_value_defined}')
                             || substr($stackVars[$i]['name'], 0, 3) == 'get'
                     ) {
                         $stackVars[$i]['args'] = $this->getStackArgs($stackVars[$i]['args']);
-                        $stackVars[$i]['variable'] = call_user_func_array(
-                            [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
-                            $stackVars[$i]['args']
-                        );
+
+                        if ($this->isAllowedDataObjectMethod($stackVars[$i - 1]['variable'], $stackVars[$i]['name'])) {
+                            $stackVars[$i]['variable'] = call_user_func_array(
+                                [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
+                                $stackVars[$i]['args']
+                            );
+                        }
                     }
                 }
                 $last = $i;
-            } elseif (isset($stackVars[$i - 1]['variable']) && $stackVars[$i]['type'] == 'method') {
+            } elseif (isset($stackVars[$i - 1]['variable'])
+                      && is_object($stackVars[$i - 1]['variable'])
+                      && $stackVars[$i]['type'] == 'method'
+            ) {
                 // Calling object methods
                 $object = $stackVars[$i - 1]['variable'];
                 $method = $stackVars[$i]['name'];
diff --git a/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php b/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php
@@ -6,17 +6,25 @@
 
 namespace Magento\Framework\Filter\Test\Unit;
 
+use Magento\Store\Model\Store;
+
 class TemplateTest extends \PHPUnit\Framework\TestCase
 {
     /**
      * @var \Magento\Framework\Filter\Template
      */
     private $templateFilter;
 
+    /**
+     * @var Store
+     */
+    private $store;
+
     protected function setUp()
     {
         $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->templateFilter = $objectManager->getObject(\Magento\Framework\Filter\Template::class);
+        $this->store = $objectManager->getObject(Store::class);
     }
 
     public function testFilter()
@@ -216,4 +224,49 @@ public function testInappropriateCallbacks()
         $this->templateFilter->setVariables(['filter' => $this->templateFilter]);
         $this->templateFilter->filter('Test {{var filter.addAfterFilterCallback(\'mb_strtolower\')}}');
     }
+
+    /**
+     * Test adding callbacks when already filtering.
+     *
+     * @param string $method
+     * @dataProvider disallowedMethods
+     * @expectedException \InvalidArgumentException
+     *
+     * @return void
+     */
+    public function testDisallowedMethods(string $method)
+    {
+        $this->templateFilter->setVariables(['store' => $this->store]);
+        $this->templateFilter->filter('{{var store.'.$method.'()}}');
+    }
+
+    /**
+     * Data for testDisallowedMethods method.
+     *
+     * @return array
+     */
+    public function disallowedMethods(): array
+    {
+        return [
+            ['getResourceCollection'],
+            ['load'],
+            ['save'],
+            ['getCollection'],
+            ['getResource'],
+        ];
+    }
+
+    /**
+     * Check that if calling a method of an object fails expected result is returned.
+     *
+     * @return void
+     */
+    public function testInvalidMethodCall()
+    {
+        $this->templateFilter->setVariables(['dateTime' => '\DateTime']);
+        $this->assertEquals(
+            '\DateTime',
+            $this->templateFilter->filter('{{var dateTime.createFromFormat(\'d\',\'1548201468\')}}')
+        );
+    }
 }
