From 4e9a2c07c2e77aa52dcff5e2df16cc8d85271b95 Mon Sep 17 00:00:00 2001
From: Doug Bell
Date: Wed, 11 Aug 2010 15:37:04 -0500
Subject: [PATCH] fix possible vulnerability loading template parser

---
 lib/WebGUI/Asset/Template.pm | 22 ++++++++++++++++------
 lib/WebGUI/Exception.pm | 5 +++++
 t/Asset/Template.t | 27 ++++++++++++++++++++++++++-
 3 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/lib/WebGUI/Asset/Template.pm b/lib/WebGUI/Asset/Template.pm
index 9f8d14aa2..dbc71a97b 100644
--- a/lib/WebGUI/Asset/Template.pm
+++ b/lib/WebGUI/Asset/Template.pm
@@ -21,6 +21,7 @@ use WebGUI::Asset::Template::HTMLTemplate;
 use WebGUI::Utility;
 use WebGUI::Form;
 use WebGUI::Exception;
+use List::MoreUtils qw{ any };
 use Tie::IxHash;
 use Clone qw/clone/;
 use HTML::Packer;
@@ -434,14 +435,23 @@ A parser class to use. Defaults to "WebGUI::Asset::Template::HTMLTemplate"
 sub getParser {
     my $class = shift;
     my $session = shift;
-    my $parser = shift || $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
+    my $parser = shift;
 
-    if ($parser eq "") {
-        return WebGUI::Asset::Template::HTMLTemplate->new($session);
-    } else {
-        eval("use $parser");
-        return $parser->new($session);
+    # If parser is not in the config, throw an error message
+    if ( $parser && $parser ne $session->config->get('defaultTemplateParser')
+        && !any { $_ eq $parser } @{$session->config->get('templateParsers')} ) {
+        WebGUI::Error::NotInConfig->throw(
+            error => "Attempted to load template parser '$parser' that is not in config file",
+            module => $parser,
+            configKey => 'templateParsers',
+        );
     }
+    else {
+        $parser ||= $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
+    }
+
+    WebGUI::Pluggable::load( $parser );
+    return $parser->new($session);
 }
 
 #-------------------------------------------------------------------
diff --git a/lib/WebGUI/Exception.pm b/lib/WebGUI/Exception.pm
index 54bef4c91..e3e65f4df 100644
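Review bot: The allow-list check on the `if (` line dereferences `$session->config->get('templateParsers')` directly, so a config without that key dies with an undefined-array-reference error under `use strict` instead of the intended `WebGUI::Error::NotInConfig`, and the `ne` against an unset `defaultTemplateParser` warns about an uninitialized value; guard both with `if ( $parser && $parser ne ( $session->config->get('defaultTemplateParser') || '' )` and `&& !any { $_ eq $parser } @{ $session->config->get('templateParsers') || [] } ) {`. Replacing `eval("use $parser")` with an exact-string match against the config list is the right shape for this fix, since the caller-supplied name is only loaded after it has matched an operator-controlled entry byte for byte. `WebGUI::Pluggable::load` is called fully qualified, but no `use WebGUI::Pluggable;` appears in the import hunk above, so this presumably relies on the module being loaded elsewhere in the process — worth confirming or adding the import. The rejected name is interpolated into the thrown error string, so whatever renders that exception to a page should treat it as untrusted text.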
--- a/lib/WebGUI/Exception.pm
+++ b/lib/WebGUI/Exception.pm
@@ -58,6 +58,11 @@ use Exception::Class (
         isa => 'WebGUI::Error',
         description => "A template has errors that prevent it from being processed.",
     },
+    'WebGUI::Error::NotInConfig' => {
+        isa => 'WebGUI::Error',
+        description => 'A module was requested that does not exist in the configuration file.',
+        fields => [qw{ module configKey }],
+    },
 );
 
 sub WebGUI::Error::full_message {
diff --git a/t/Asset/Template.t b/t/Asset/Template.t
index fa5b76d1d..c15281609 100644
--- a/t/Asset/Template.t
+++ b/t/Asset/Template.t
@@ -16,9 +16,10 @@ use WebGUI::Test;
 use WebGUI::Session;
 use WebGUI::Asset::Template;
 use Exception::Class;
-use Test::More tests => 48; # increment this value for each test you create
+use Test::More tests => 53; # increment this value for each test you create
 use Test::Deep;
 use Data::Dumper;
+use Test::Exception;
 use JSON qw{ from_json };
 
 my $session = WebGUI::Test->session;
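Review bot: The new `WebGUI::Error::NotInConfig` entry declares `module` and `configKey` fields, but nothing in the hunk documents what callers should expect to find in them; if this file's POD lists the other `WebGUI::Error` subclasses (not visible here), add a matching entry stating that `module` holds the package name that was requested and `configKey` the configuration key that was consulted, so catch blocks can log the two separately. `WebGUI::Error::full_message` begins right after the hunk and its body is outside it, so whether these fields are included in the rendered message cannot be checked from this view.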
@@ -215,3 +216,27 @@ is($session->setting->get('userFunctionStyleId'), $userStyleTemplate->getId, 'Re
 $userStyleTemplate->purge;
 is($session->setting->get('userFunctionStyleId'), 'PBtmpl0000000000000060', 'purge resets the user function style template to Fail Safe');
 
+
+#----------------------------------------------------------------------------
+# Verify getParser
+WebGUI::Test->originalConfig( 'defaultTemplateParser' );
+WebGUI::Test->originalConfig( 'templateParsers' );
+$session->config->set( 'templateParsers', [ 'WebGUI::Asset::Template::HTMLTemplateExpr' ] );
+# Leaving out 'WebGUI::Asset::Template::TemplateToolkit' on purpose
+$session->config->set( 'defaultTemplateParser', 'WebGUI::Asset::Template::HTMLTemplateExpr' );
+
+my $class = 'WebGUI::Asset::Template';
+dies_ok { $class->getParser( $session, '::HI::' ) } "Invalid parser dies";
+
+isa_ok $class->getParser( $session ), 'WebGUI::Asset::Template::HTMLTemplateExpr', 'no parser passed in gets the default parser';
+
+$session->config->delete( 'defaultTemplateParser' );
+isa_ok $class->getParser( $session ), 'WebGUI::Asset::Template::HTMLTemplate', 'no parser passed and no default gets HTMLTemplate';
+$session->config->set( 'defaultTemplateParser', 'WebGUI::Asset::Template::HTMLTemplateExpr' );
+
+throws_ok
+    { $class->getParser( $session, 'WebGUI::Asset::Template::TemplateToolkit') }
+    'WebGUI::Error::NotInConfig',
+    'Parser not in config dies';
+isa_ok $class->getParser( $session, 'WebGUI::Asset::Template::HTMLTemplateExpr'), 'WebGUI::Asset::Template::HTMLTemplateExpr', 'parser in config is created';
+
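Review bot: `dies_ok { $class->getParser( $session, '::HI::' ) }` accepts any death, so this test would also pass if `getParser` crashed for an unrelated reason rather than rejecting the name through the allow-list; pin the path with `throws_ok { $class->getParser( $session, '::HI::' ) } 'WebGUI::Error::NotInConfig', 'Invalid parser dies';`. The `throws_ok` case lower in the hunk checks the exception class but not the `module` and `configKey` fields it carries, so a follow-up `is $@->module, 'WebGUI::Asset::Template::TemplateToolkit', 'module field names the rejected parser';` would exercise them (and the `tests =>` count would need bumping). No case deletes `templateParsers` from the config, which is the input most likely to surface an unexpected failure mode in the new check.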