Merge branch '1.x' into 2.x

* 1.x:
  Fix "include(template_from_string())"
  Fix PHPUnit config

CHANGELOG

@@ -330,7 +330,7 @@
 
 # 1.44.1 (2020-XX-XX)
 
- * n/a
+ * Fix "include(template_from_string())"
 
 # 1.44.0 (2020-10-21)
 

phpunit.xml.dist

@@ -12,9 +12,4 @@
   <listeners>
     <listener class="Symfony\Bridge\PhpUnit\SymfonyTestsListener" />
   </listeners>
-  <coverage>
-    <include>
-      <directory suffix=".php">./src/</directory>
-    </include>
-  </coverage>
 </phpunit>

src/Extension/CoreExtension.php

@@ -1209,11 +1209,13 @@ function twig_include(Environment $env, $context, $template, $variables = [], $w
         if (!$alreadySandboxed = $sandbox->isSandboxed()) {
             $sandbox->enableSandbox();
         }
-    }
 
-    // if a Template instance is passed, it might have been instantiated outside of a sandbox, check security
-    if ($template instanceof TemplateWrapper || $template instanceof Template) {
-        $template->unwrap()->checkSecurity();
+        foreach ((\is_array($template) ? $template : [$template]) as $name) {
+            // if a Template instance is passed, it might have been instantiated outside of a sandbox, check security
+            if ($name instanceof TemplateWrapper || $name instanceof Template) {
+                $name->unwrap()->checkSecurity();
+            }
+        }
     }
 
     try {

tests/Extension/SandboxTest.php

@@ -51,7 +51,8 @@ protected function setUp(): void
             '1_layout' => '{% block content %}{% endblock %}',
             '1_child' => "{% extends \"1_layout\" %}\n{% block content %}\n{{ \"a\"|json_encode }}\n{% endblock %}",
             '1_include' => '{{ include("1_basic1", sandboxed=true) }}',
-            '1_basic2_include_template_from_string' => '{{ include(template_from_string("{{ name|upper }}"), sandboxed=true) }}',
+            '1_basic2_include_template_from_string_sandboxed' => '{{ include(template_from_string("{{ name|upper }}"), sandboxed=true) }}',
+            '1_basic2_include_template_from_string' => '{{ include(template_from_string("{{ name|upper }}")) }}',
             '1_range_operator' => '{{ (1..2)[0] }}',
             '1_syntax_error_wrapper' => '{% sandbox %}{% include "1_syntax_error" %}{% endsandbox %}',
             '1_syntax_error' => '{% syntax error }}',
@@ -98,10 +99,43 @@ public function testIfSandBoxIsDisabledAfterSyntaxError()
         }
     }
 
-    public function testSandboxUnallowedFilterWithIncludeTemplateFromString()
+    public function testSandboxGloballyFalseUnallowedFilterWithIncludeTemplateFromStringSandboxed()
     {
         $twig = $this->getEnvironment(false, [], self::$templates);
         $twig->addExtension(new StringLoaderExtension());
+        try {
+            $twig->load('1_basic2_include_template_from_string_sandboxed')->render(self::$params);
+            $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');
+        } catch (SecurityError $e) {
+            $this->assertInstanceOf('\Twig\Sandbox\SecurityNotAllowedFilterError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFilterError');
+            $this->assertEquals('upper', $e->getFilterName(), 'Exception should be raised on the "upper" filter');
+        }
+    }
+
+    public function testSandboxGloballyTrueUnallowedFilterWithIncludeTemplateFromStringSandboxed()
+    {
+        $twig = $this->getEnvironment(true, [], self::$templates, [], [], [], [], ['include', 'template_from_string']);
+        $twig->addExtension(new StringLoaderExtension());
+        try {
+            $twig->load('1_basic2_include_template_from_string_sandboxed')->render(self::$params);
+            $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');
+        } catch (SecurityError $e) {
+            $this->assertInstanceOf('\Twig\Sandbox\SecurityNotAllowedFilterError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFilterError');
+            $this->assertEquals('upper', $e->getFilterName(), 'Exception should be raised on the "upper" filter');
+        }
+    }
+
+    public function testSandboxGloballyFalseUnallowedFilterWithIncludeTemplateFromStringNotSandboxed()
+    {
+        $twig = $this->getEnvironment(false, [], self::$templates);
+        $twig->addExtension(new StringLoaderExtension());
+        $this->assertSame('FABIEN', $twig->load('1_basic2_include_template_from_string')->render(self::$params));
+    }
+
+    public function testSandboxGloballyTrueUnallowedFilterWithIncludeTemplateFromStringNotSandboxed()
+    {
+        $twig = $this->getEnvironment(true, [], self::$templates, [], [], [], [], ['include', 'template_from_string']);
+        $twig->addExtension(new StringLoaderExtension());
         try {
             $twig->load('1_basic2_include_template_from_string')->render(self::$params);
             $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');

tests/Extension/StringLoaderExtensionTest.php

@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of Twig.
+ *
+ * (c) Fabien Potencier
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Twig\Tests\Extension;
+
+use Twig\Environment;
+use PHPUnit\Framework\TestCase;
+use Twig\Extension\StringLoaderExtension;
+
+class StringLoaderExtensionTest extends TestCase
+{
+    public function testIncludeWithTemplateStringAndNoSandbox()
+    {
+        $twig = new Environment($this->createMock('\Twig\Loader\LoaderInterface'));
+        $twig->addExtension(new StringLoaderExtension());
+        $this->assertSame('something', twig_include($twig, [], twig_template_from_string($twig, "something")));
+    }
+}