Merge pull request #335 from WinterSilence/patch-2

Fix `Fenom::isAllowedFunction()`
Merge pull request #337 from WinterSilence/patch-3
2022-06-13 15:52:24 +03:00 · 2022-06-13 15:51:26 +03:00 · 2022-06-12 12:10:23 +03:00 · 2022-06-12 11:46:43 +03:00 · 2022-06-12 10:44:00 +03:00
2 changed files with 33 additions and 6 deletions
--- a/docs/ru/ext/extend.md
+++ b/docs/ru/ext/extend.md
@ -27,7 +27,7 @@ $fenom->addFunction("some_function", $some_function, function (Fenom\Tokenizer $
 Существует более простой способ добавления произвольной функции:

 ```php
-$fenom->addFunctionSmarty(string $function_name, callable $callback);
+$fenom->addFunctionSmart(string $function_name, callable $callback);
 ```

 В данном случае парсер сканирует список аргументов коллбека и попробует сопоставить с аргументами тега.
--- a/src/Fenom.php
+++ b/src/Fenom.php
@ -200,6 +200,11 @@ class Fenom
        "implode"     => 1
    );

+    /**
+     * @var string[] the disabled functions by `disable_functions` PHP's option
+     */
+    protected $_disabled_funcs;
+
    /**
     * @var array[] of compilers and functions
     */
@ -769,16 +774,38 @@ class Fenom
    }

    /**
-     * @param string $function
+     * Checks if is allowed PHP function for using in templates.
+     *
+     * @param string $function the function name
     * @return bool
     */
    public function isAllowedFunction($function)
    {
-        if ($this->_options & self::DENY_NATIVE_FUNCS) {
-            return isset($this->_allowed_funcs[$function]);
-        } else {
-            return is_callable($function);
+        $function = (string) $function;
+        $allow = ($this->_options & self::DENY_NATIVE_FUNCS)
+            ? isset($this->_allowed_funcs[$function])
+            : function_exists($function);
+        return $allow && !in_array($function, $this->getDisabledFuncs(), true);
+    }
+
+    /**
+     * Returns the disabled PHP functions.
+     *
+     * @return string[]
+     */
+    protected function _getDisabledFuncs()
+    {
+        if (!is_array($this->_disabled_funcs)) {
+            $disabled = ini_get('disable_functions');
+            // adds execution functions to disabled for security
+            $this->_disabled_funcs = array_merge(
+                empty($disabled) ? [] : explode(',', $disabled),
+                array('exec', 'system', 'passthru', 'shell_exec', 'pcntl_exec', 'proc_open', 'popen'),
+                array('call_user_func', 'call_user_func_array')
+            );
        }
+
+        return $this->_disabled_funcs;
    }

    /**
Author	SHA1	Message	Date
Ivan Shalganov	065ccaec23	Merge pull request #335 from WinterSilence/patch-2 Fix `Fenom::isAllowedFunction()`	2022-06-13 15:52:24 +03:00
Ivan Shalganov	6650668b72	Merge pull request #337 from WinterSilence/patch-3 Fix method name in `docs/ru/ext/extend.md`	2022-06-13 15:51:26 +03:00
Anton	b24d9d9e1e	Update extend.md	2022-06-12 12:10:23 +03:00
Anton	5e14c6bf90	Update Fenom.php	2022-06-12 11:46:43 +03:00
Anton	79283c6f7f	Fix `Fenom::isAllowedFunction()` - Checks if function in `ini_get('disable_functions')` - Replace `is_callable()` to `function_exists()` to ignore invokable classes	2022-06-12 10:44:00 +03:00