From d699a2db809e64ef729f93f5ec2f820b2913a0f7 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Fri, 3 Apr 2020 21:22:13 +0200
Subject: [PATCH] Fix major security by overriding Symfony ExpressionLanguage
 default constant() method. The ExpressionLanguage is used by ruler for
 conditional group and could have been leverage to guess constants values such
 as db credentials

---
 controllers/internals/ExpressionProvider.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/controllers/internals/ExpressionProvider.php b/controllers/internals/ExpressionProvider.php
index 7c36bae..b02f070 100644
--- a/controllers/internals/ExpressionProvider.php
+++ b/controllers/internals/ExpressionProvider.php
@@ -18,7 +18,17 @@ class ExpressionProvider implements ExpressionFunctionProviderInterface
 {
     public function getFunctions()
     {
+        //Override default constant() function to make it return null
+        //This will prevent the use of constant() func to read constants with security impact (such as session, db credentials, etc.)
+        $neutralized_constant = new ExpressionFunction('constant', function ($str) {
+            return null;
+        }, function ($arguments, $str) {
+            return null;
+        });
+
+
         return [
+            $neutralized_constant,
             ExpressionFunction::fromPhp('is_null', 'exists'),
             ExpressionFunction::fromPhp('mb_strtolower', 'lower'),
             ExpressionFunction::fromPhp('mb_strtoupper', 'upper'),