Fix CVE-2022-0323 (improper neutralization of section names)
- Fixes possible RCE when rendering untrusted user templates.
- Remove unnecessary comments in generated source.
bobthecow committed Jan 21, 2022
1 parent 0762097 commit 579ffa5
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions src/Mustache/Compiler.php
Expand Up @@ -320,7 +320,6 @@ private function block($nodes)
}

const SECTION_CALL = '
// %s section
$value = $context->%s(%s);%s
$buffer .= $this->section%s($context, $indent, $value);
';
Expand Down Expand Up @@ -391,11 +390,10 @@ private function section($nodes, $id, $filters, $start, $end, $otag, $ctag, $lev
$id = var_export($id, true);
$filters = $this->getFilters($filters, $level);

return sprintf($this->prepare(self::SECTION_CALL, $level), $id, $method, $id, $filters, $key);
return sprintf($this->prepare(self::SECTION_CALL, $level), $method, $id, $filters, $key);
}

const INVERTED_SECTION = '
// %s inverted section
$value = $context->%s(%s);%s
if (empty($value)) {
%s
Expand All @@ -418,7 +416,7 @@ private function invertedSection($nodes, $id, $filters, $level)
$id = var_export($id, true);
$filters = $this->getFilters($filters, $level);

return sprintf($this->prepare(self::INVERTED_SECTION, $level), $id, $method, $id, $filters, $this->walk($nodes, $level));
return sprintf($this->prepare(self::INVERTED_SECTION, $level), $method, $id, $filters, $this->walk($nodes, $level));
}

const PARTIAL_INDENT = ', $indent . %s';
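Review bot: The reworked `SECTION_CALL` and `INVERTED_SECTION` templates leave no record of why the section name was dropped from the generated `//` comment, so the invariant this fix relies on — that the `var_export($id, true)` output is only ever emitted inside the quoted argument position of the `$context->%s(%s)` call — can be regressed by a later template edit without anyone noticing. A short comment above `const SECTION_CALL` would capture it: `// The section name is emitted only through var_export() as the $context call argument; var_export escapes quotes and backslashes for a string-literal position but does not neutralize line breaks, so the value must never be placed in a comment or any other unquoted part of the generated source.` The same comment applies to `INVERTED_SECTION` in the second hunk. A regression test that compiles a template whose section name contains a line break and asserts the generated source still parses (or matches the expected single-quoted form) would pin the fix; the bodies of `section()` and `invertedSection()` start outside their hunks, so the `$method` and `$key` values interpolated unquoted are not visible here and presumably come from a fixed internal set — worth confirming in that test as well.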
