
merged branch Seldaek/esi_escape (PR #3185)

Commits
-------

7f96c8a [HttpKernel] Prevent php script execution in cached ESI pages using HttpCache

Discussion
----------

[HttpKernel] Escape php tags to avoid eval() injection in HttpCache
Fabien Potencier 13 年之前
父节点
当前提交
4ae41a56c4

+ 1 - 0
src/Symfony/Component/HttpKernel/HttpCache/Esi.php

@@ -154,6 +154,7 @@ class Esi
 
         // we don't use a proper XML parser here as we can have ESI tags in a plain text response
         $content = $response->getContent();
+        $content = str_replace(array('<?', '<%'), array('<?php echo "<?"; ?>', '<?php echo "<%"; ?>'), $content);
         $content = preg_replace_callback('#<esi\:include\s+(.*?)\s*/>#', array($this, 'handleEsiIncludeTag'), $content);
         $content = preg_replace('#<esi\:comment[^>]*/>#', '', $content);
         $content = preg_replace('#<esi\:remove>.*?</esi\:remove>#', '', $content);
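Review bot: The new `str_replace` on the `$content` line is order-sensitive in two ways that nothing in the hunk records, so a maintainer could break it by reordering. First, it must stay ahead of the `preg_replace_callback` that follows, because `handleEsiIncludeTag` emits a real `<?php echo $this->esi->handle(...) ?>` tag that must not itself be escaped. Second, inside the search array `'<?'` must come before `'<%'`: `str_replace` applies array pairs sequentially and rescans earlier output, so with the reverse order the `<?` in the freshly emitted `<?php echo "<%"; ?>` would be escaped again and the cached file would no longer be valid PHP. I would add above the line `// escape raw <? and <% BEFORE inserting our own <?php tags; keep '<?' first in the array, str_replace rescans its own output`. Note also that `<?` and `<%` are not the only open-tag syntaxes interpreters of that era accept (`<script language="php">` was one until it was removed), so on such a PHP version this escape may still be incomplete; the enclosing method begins before line 154 and continues past the hunk.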

+ 11 - 0
tests/Symfony/Tests/Component/HttpKernel/HttpCache/EsiTest.php

@@ -109,6 +109,17 @@ class EsiTest extends \PHPUnit_Framework_TestCase
         $this->assertEquals('foo <?php echo $this->esi->handle($this, \'...\', \'\', false) ?>'."\n", $response->getContent());
     }
 
+    public function testProcessEscapesPhpTags()
+    {
+        $esi = new Esi();
+
+        $request = Request::create('/');
+        $response = new Response('foo <?php die("foo"); ?><%= "lala" %>');
+        $esi->process($request, $response);
+
+        $this->assertEquals('foo <?php echo "<?"; ?>php die("foo"); ?><?php echo "<%"; ?>= "lala" %>', $response->getContent());
+    }
+
     /**
      * @expectedException RuntimeException
      */
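Review bot: `testProcessEscapesPhpTags` pins the escaped form of a response that contains no ESI tags, so it does not exercise the interaction that makes the ordering in `Esi::process` matter: a body that contains both raw `<?` text (for example an `<?xml` prolog) and an `<esi:include>` element. A second assertion on such an input, expecting the prolog to become `<?php echo "<?"; ?>xml ...` while the include still expands to the `<?php echo $this->esi->handle(...) ?>` form checked on line 109, would catch a regression where the escaping is moved after the include rewriting or the search-array order is swapped. This can be a second `Response` inside the same test or a new test method next to it.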