Merge pull request #335 from WinterSilence/patch-2

Fix `Fenom::isAllowedFunction()`
Ivan Shalganov 2022-06-13 15:52:24 +03:00 committed by GitHub
commit 065ccaec23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -200,6 +200,11 @@ class Fenom
"implode" => 1 "implode" => 1
); );
/**
* @var string[] the disabled functions by `disable_functions` PHP's option
*/
protected $_disabled_funcs;
/** /**
* @var array[] of compilers and functions * @var array[] of compilers and functions
*/ */
@ -769,16 +774,38 @@ class Fenom
} }
/** /**
* @param string $function * Checks if is allowed PHP function for using in templates.
*
* @param string $function the function name
* @return bool * @return bool
*/ */
public function isAllowedFunction($function) public function isAllowedFunction($function)
{ {
if ($this->_options & self::DENY_NATIVE_FUNCS) { $function = (string) $function;
return isset($this->_allowed_funcs[$function]); $allow = ($this->_options & self::DENY_NATIVE_FUNCS)
} else { ? isset($this->_allowed_funcs[$function])
return is_callable($function); : function_exists($function);
return $allow && !in_array($function, $this->getDisabledFuncs(), true);
}
/**
* Returns the disabled PHP functions.
*
* @return string[]
*/
protected function _getDisabledFuncs()
{
if (!is_array($this->_disabled_funcs)) {
$disabled = ini_get('disable_functions');
// adds execution functions to disabled for security
$this->_disabled_funcs = array_merge(
empty($disabled) ? [] : explode(',', $disabled),
array('exec', 'system', 'passthru', 'shell_exec', 'pcntl_exec', 'proc_open', 'popen'),
array('call_user_func', 'call_user_func_array')
);
} }
return $this->_disabled_funcs;
} }
/** /**
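Review bot: The new `isAllowedFunction()` body calls `$this->getDisabledFuncs()`, but the helper added directly below it is declared as `_getDisabledFuncs()`, so unless a method with the unprefixed name exists elsewhere in the class, every call ends in an undefined-method error; the call should read `$this->_getDisabledFuncs()`, or the declaration should be renamed. The denylist comparison is also byte-exact (`in_array(..., true)`), while PHP resolves function names case-insensitively, so a name in different case still satisfies `function_exists()` and misses the list; compare on a normalised name, `!in_array(strtolower($function), $this->_getDisabledFuncs(), true)`. In `_getDisabledFuncs()`, `explode(',', $disabled)` keeps any whitespace around entries, so an ini value written as `exec, system` produces ` system`, which never matches; `array_map('trim', explode(',', $disabled))` avoids that. A fixed list of seven execution functions plus two call helpers cannot be exhaustive, so the docblock should say that `DENY_NATIVE_FUNCS` with `_allowed_funcs` is the mode to rely on for untrusted templates and that this list is only a backstop.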