From: Alexander Ebert Date: Sun, 8 Aug 2021 09:29:26 +0000 (+0200) Subject: Sandbox `foreachVars` in templates X-Git-Tag: 5.3.14~2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=99c6a1a1debdc0779eb743c609b4d81a29046b92;p=GitHub%2FWoltLab%2FWCF.git Sandbox `foreachVars` in templates Nesting the same template inside a `foreach` loop that is also accessed inside the nested call will overwrite the values from the outer template due to identical identifiers being used. The sandbox did not protected `$this->foreachVars` despite being stateful. See #4431 Fixes #4444
---
diff --git a/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php b/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
index c72d8e2fec..998ef3e147 100755
--- a/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
+++ b/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
@@ -521,8 +521,11 @@ class TemplateEngine extends SingletonFactory {
 * Enables execution in sandbox.
 */
 public function enableSandbox() {
- $index = count($this->sandboxVars);
- $this->sandboxVars[$index] = $this->v;
+ $index = \count($this->sandboxVars);
+ $this->sandboxVars[$index] = [
+ 'foreachVars' => $this->foreachVars,
+ 'v' => $this->v,
+ ];
 }
 
 /**
@@ -532,8 +535,10 @@ class TemplateEngine extends SingletonFactory {
 if (empty($this->sandboxVars)) {
 throw new SystemException('TemplateEngine is currently not running in a sandbox.');
 }
-
- $this->v = array_pop($this->sandboxVars);
+
+ $values = \array_pop($this->sandboxVars);
+ $this->foreachVars = $values['foreachVars'];
+ $this->v = $values['v'];
 }
 
 /**
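Review bot: The snapshot array built in `enableSandbox()` is a hand-maintained list of the engine's stateful properties, and the docblock above it (`Enables execution in sandbox.`) does not say so, which leaves the same gap open for the next stateful property that gets added. I would extend that docblock to something like `Enables execution in sandbox by snapshotting all per-render state ($v, $foreachVars); every new stateful property must be added here and restored in disableSandbox().`. Separately, the stack entries change shape from the bare variable array to a keyed array, so if `sandboxVars` is reachable from subclasses or plugins (its visibility is not shown here), an entry pushed in the old shape would make the `$values['foreachVars']` read in the second hunk fail; that seems worth confirming before this lands in a patch release. Both docblocks and the `disableSandbox()` signature start outside their hunks.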