From 939a25854849ff2148a5bf72a621fd75029f7006 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sun, 8 Aug 2021 11:29:26 +0200
Subject: [PATCH] Sandbox `foreachVars` in templates

Nesting the same template inside a `foreach` loop that is also accessed inside the nested call will overwrite the values from the outer template due to identical identifiers being used. The sandbox did not protected `$this->foreachVars` despite being stateful. See #4431 Fixes #4444
---
 .../files/lib/system/template/TemplateEngine.class.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php b/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
index cbf84b0537..6521671e9c 100755
--- a/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
+++ b/wcfsetup/install/files/lib/system/template/TemplateEngine.class.php
@@ -543,7 +543,10 @@ class TemplateEngine extends SingletonFactory
 public function enableSandbox()
 {
 $index = \count($this->sandboxVars);
- $this->sandboxVars[$index] = $this->v;
+ $this->sandboxVars[$index] = [
+ 'foreachVars' => $this->foreachVars,
+ 'v' => $this->v,
+ ];
 }

 /**
@@ -555,7 +558,9 @@ class TemplateEngine extends SingletonFactory
 throw new SystemException('TemplateEngine is currently not running in a sandbox.');
 }

- $this->v = \array_pop($this->sandboxVars);
+ $values = \array_pop($this->sandboxVars);
+ $this->foreachVars = $values['foreachVars'];
+ $this->v = $values['v'];
 }

 /**
--
2.20.1
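Review bot: The snapshot built in `enableSandbox()` lists the protected members by hand, and nothing in the method states what qualifies a member for that list, so the next stateful property added to the engine can repeat the leak this commit fixes for `foreachVars`. A comment above the array would make the rule explicit, for example `// Snapshot every member a rendered template can mutate; anything missing here leaks from the included template back into the includer.` Whether other members of this class are in the same situation cannot be seen from the hunk, so that is worth checking while the code is open. The method's docblock starts above the hunk.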
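Review bot: `disableSandbox()` now indexes the popped entry with `$values['foreachVars']` and `$values['v']`, so each element of `sandboxVars` has changed from a bare variable array to a keyed pair, while the property's declaration and docblock are not touched by this patch and presumably still describe the old shape. Any subclass or other code that pushes to or reads `sandboxVars` directly would then restore the wrong state without an error that points at the cause, since an old-style entry would make `$values['v']` look up a template variable named `v`. Updating the property docblock, e.g. `@var array{foreachVars: array, v: array}[]` (assuming both members are arrays), would document the new contract. The start of `disableSandbox()` and the property declaration are outside the hunk.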