fix possible vulnerability loading template parser

lib/WebGUI/Asset/Template.pm

@@ -21,6 +21,7 @@ use WebGUI::Asset::Template::HTMLTemplate;
 use WebGUI::Utility;
 use WebGUI::Form;
 use WebGUI::Exception;
+use List::MoreUtils qw{ any };
 use Tie::IxHash;
 use Clone qw/clone/;
 use HTML::Packer;
@@ -434,14 +435,23 @@ A parser class to use. Defaults to "WebGUI::Asset::Template::HTMLTemplate"
 sub getParser {
     my $class = shift;
     my $session = shift;
-    my $parser = shift || $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
+    my $parser = shift;
 
-    if ($parser eq "") {
+    # If parser is not in the config, throw an error message
-        return WebGUI::Asset::Template::HTMLTemplate->new($session);
+    if ( $parser && $parser ne $session->config->get('defaultTemplateParser') 
-    } else {
+                && !any { $_ eq $parser } @{$session->config->get('templateParsers')} ) {
-        eval("use $parser");
+        WebGUI::Error::NotInConfig->throw(
-        return $parser->new($session);
+            error       => "Attempted to load template parser '$parser' that is not in config file",
+            module      => $parser,
+            configKey   => 'templateParsers',
+        );
     }
+    else {
+        $parser ||= $session->config->get("defaultTemplateParser") || "WebGUI::Asset::Template::HTMLTemplate";
+    }
+
+    WebGUI::Pluggable::load( $parser );
+    return $parser->new($session);
 }
 
 #-------------------------------------------------------------------

lib/WebGUI/Exception.pm

@@ -58,6 +58,11 @@ use Exception::Class (
         isa             => 'WebGUI::Error',
         description     => "A template has errors that prevent it from being processed.",
         },
+    'WebGUI::Error::NotInConfig' => {
+        isa             => 'WebGUI::Error',
+        description     => 'A module was requested that does not exist in the configuration file.',
+        fields          => [qw{ module configKey }],
+        },
 );
 
 sub WebGUI::Error::full_message {

t/Asset/Template.t

@@ -16,9 +16,10 @@ use WebGUI::Test;
 use WebGUI::Session;
 use WebGUI::Asset::Template;
 use Exception::Class;
-use Test::More tests => 48; # increment this value for each test you create
+use Test::More tests => 53; # increment this value for each test you create
 use Test::Deep;
 use Data::Dumper;
+use Test::Exception;
 use JSON qw{ from_json };
 
 my $session = WebGUI::Test->session;
@@ -215,3 +216,27 @@ is($session->setting->get('userFunctionStyleId'), $userStyleTemplate->getId, 'Re
 
 $userStyleTemplate->purge;
 is($session->setting->get('userFunctionStyleId'), 'PBtmpl0000000000000060', 'purge resets the user function style template to Fail Safe');
+
+#----------------------------------------------------------------------------
+# Verify getParser
+WebGUI::Test->originalConfig( 'defaultTemplateParser' );
+WebGUI::Test->originalConfig( 'templateParsers' );
+$session->config->set( 'templateParsers', [ 'WebGUI::Asset::Template::HTMLTemplateExpr' ] );
+# Leaving out 'WebGUI::Asset::Template::TemplateToolkit' on purpose
+$session->config->set( 'defaultTemplateParser', 'WebGUI::Asset::Template::HTMLTemplateExpr' );
+
+my $class = 'WebGUI::Asset::Template';
+dies_ok { $class->getParser( $session, '::HI::' ) } "Invalid parser dies";
+
+isa_ok $class->getParser( $session ), 'WebGUI::Asset::Template::HTMLTemplateExpr', 'no parser passed in gets the default parser';
+
+$session->config->delete( 'defaultTemplateParser' );
+isa_ok $class->getParser( $session ), 'WebGUI::Asset::Template::HTMLTemplate', 'no parser passed and no default gets HTMLTemplate';
+$session->config->set( 'defaultTemplateParser', 'WebGUI::Asset::Template::HTMLTemplateExpr' );
+
+throws_ok 
+    { $class->getParser( $session, 'WebGUI::Asset::Template::TemplateToolkit') } 
+    'WebGUI::Error::NotInConfig',
+    'Parser not in config dies';
+isa_ok $class->getParser( $session, 'WebGUI::Asset::Template::HTMLTemplateExpr'), 'WebGUI::Asset::Template::HTMLTemplateExpr', 'parser in config is created';
+