PhpWriter: complex expression in strings prohibited in sandbox mode

dg · dg · commit 3f8fbc4051e6 · 2022-01-04T02:05:49.000+01:00
diff --git a/src/Latte/Compiler/PhpWriter.php b/src/Latte/Compiler/PhpWriter.php
@@ -226,6 +226,13 @@ public function validateTokens(MacroTokens $tokens): void
 			} elseif ($tokens->isCurrent('`')) {
 				throw new CompileException('Backtick operator is forbidden in Latte.');
 
+			} elseif (
+				$tokens->isCurrent($tokens::T_STRING)
+				&& $tokenValue[0] === '"'
+				&& (strpos($tokenValue, '{$') !== false || strpos($tokenValue, '${') !== false)
+			) {
+				throw new CompileException('Forbidden complex expressions in strings.');
+
 			} elseif (
 				Helpers::startsWith($tokenValue, '$ʟ_')
 				|| ($this->policy && $tokens->isCurrent('$this'))
diff --git a/tests/Latte/Policy.violations.phpt b/tests/Latte/Policy.violations.phpt
@@ -128,3 +128,15 @@ Assert::exception(function () use ($latte) {
 Assert::exception(function () use ($latte) {
 	$latte->compile('{do new stdClass}');
 }, Latte\CompileException::class, "Forbidden keyword 'new' inside tag.");
+
+Assert::exception(function () use ($latte) {
+	$latte->compile('{="{$var}"}');
+}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');
+
+Assert::exception(function () use ($latte) {
+	$latte->compile('{="${var}"}');
+}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');
+
+Assert::noError(function () use ($latte) {
+	$latte->compile('{=\'${var}\'}');
+});
