Do not expose $_SERVER in templates by default

This is important primarily because $_SERVER may contain sensitive data, like AWS access keys, which then can be accessed from user- provided templates. Fixes #114
kalimatas · Feb 11, 2019 · 365953e · 365953e
1 parent 107d483
commit 365953e
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 2 deletions.
diff --git a/src/Liquid/Context.php b/src/Liquid/Context.php
@@ -62,8 +62,13 @@ public function __construct(array $assigns = array(), array $registers = array()
 		$this->assigns = array($assigns);
 		$this->registers = $registers;
 		$this->filterbank = new Filterbank($this);
+
 		// first empty array serves as source for overrides, e.g. as in TagDecrement
-		$this->environments = array(array(), $_SERVER);
+		$this->environments = array(array(), array());
+
+		if (Liquid::get('EXPOSE_SERVER')) {
+			$this->environments[1] = $_SERVER;
+		}
 	}
 
 	/**

diff --git a/src/Liquid/Liquid.php b/src/Liquid/Liquid.php
@@ -77,7 +77,10 @@ class Liquid
 		'PAGINATION_REQUEST_KEY' => 'page',
 
 		// The name of the context key used to denote the current page number
-		'PAGINATION_CONTEXT_KEY' => 'page'
+		'PAGINATION_CONTEXT_KEY' => 'page',
+
+		// Whenever variables from $_SERVER should be directly available to templates
+		'EXPOSE_SERVER' => false,
 	);
 
 	/**

diff --git a/tests/Liquid/ContextTest.php b/tests/Liquid/ContextTest.php
@@ -392,4 +392,28 @@ public function testGetNoOverride()
 		$context->set('test', 'test');
 		$this->assertEquals('test', $context->get('test'));
 	}
+
+	public function testServerNotExposedByDefault()
+	{
+		$_SERVER['AWS_SECRET_ACCESS_KEY'] = 'super_secret';
+
+		$context = new Context();
+		$this->assertNull($context->get('AWS_SECRET_ACCESS_KEY'));
+
+		$context->set('AWS_SECRET_ACCESS_KEY', 'test');
+		$this->assertEquals('test', $context->get('AWS_SECRET_ACCESS_KEY'));
+	}
+
+	public function testServerExposedWhenRequested()
+	{
+		Liquid::set('EXPOSE_SERVER', true);
+
+		$_SERVER['AWS_SECRET_ACCESS_KEY'] = 'super_secret';
+
+		$context = new Context();
+		$this->assertEquals('super_secret', $context->get('AWS_SECRET_ACCESS_KEY'));
+
+		$context->set('AWS_SECRET_ACCESS_KEY', 'test');
+		$this->assertEquals('super_secret', $context->get('AWS_SECRET_ACCESS_KEY'), '$_SERVER should take precedence in this case');
+	}
 }
diff --git a/tests/Liquid/TestCase.php b/tests/Liquid/TestCase.php
@@ -37,6 +37,7 @@ protected function setUp()
 			'VARIABLE_START' => '{{',
 			'VARIABLE_END' => '}}',
 			'VARIABLE_NAME' => '[a-zA-Z_][a-zA-Z0-9_.-]*',
+			'EXPOSE_SERVER' => false,
 		);
 
 		foreach ($defaultConfig as $configKey => $configValue) {