smarty/libs/sysplugins/smarty_security.php

<?php
/**
 * Smarty plugin
 * 
 * @package Smarty
 * @subpackage Security
 * @author Uwe Tews 
 */ 

/**
 * This class does contain the security settings
 */
class Smarty_Security {
    /**
     * This determines how Smarty handles "<?php ... ?>" tags in templates.
     * possible values:
     * <ul>
     *   <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>
     *   <li>Smarty::PHP_QUOTE    -> escape tags as entities</li>
     *   <li>Smarty::PHP_REMOVE   -> remove php tags</li>
     *   <li>Smarty::PHP_ALLOW    -> execute php tags</li>
     * </ul>
     * 
     * @var integer 
     */
    public $php_handling = Smarty::PHP_PASSTHRU;

    /**
     * This is the list of template directories that are considered secure.
     * $template_dir is in this list implicitly.
     * 
     * @var array 
     */
    public $secure_dir = array();


    /**
     * This is an array of directories where trusted php scripts reside.
     * {@link $security} is disabled during their inclusion/execution.
     * 
     * @var array 
     */
    public $trusted_dir = array();


    /**
     * This is an array of trusted static classes.
     *
     * If empty access to all static classes is allowed.
     * If set to 'none' none is allowed.
     * @var array 
     */
    public $static_classes = array();

    /**
     * This is an array of trusted PHP functions.
     *
     * If empty all functions are allowed.
     * To disable all PHP functions set $php_functions = null.
     * @var array 
     */
    public $php_functions = array('isset', 'empty',
            'count', 'sizeof','in_array', 'is_array','time','nl2br');

    /**
     * This is an array of trusted PHP modifers.
     *
     * If empty all modifiers are allowed.
     * To disable all modifier set $modifiers = null.
     * @var array 
     */
    public $php_modifiers = array('escape','count');

    /**
     * This is an array of trusted streams.
     *
     * If empty all streams are allowed.
     * To disable all streams set $streams = null.
     * @var array 
     */
    public $streams = array('file');
    /**
     * + flag if constants can be accessed from template
     */
    public $allow_constants = true;
    /**
     * + flag if super globals can be accessed from template
     */
    public $allow_super_globals = true;
    /**
     * + flag if the {php} and {include_php} tag can be executed
     */
    public $allow_php_tag = false;

    public function __construct($smarty)
    {
        $this->smarty = $smarty; 
	}
    /**
     * Check if PHP function is trusted.
     * 
     * @param string $function_name 
     * @param object $compiler compiler object
     * @return boolean true if function is trusted
     */
    function isTrustedPhpFunction($function_name, $compiler)
    {
        if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) {
            return true;
        } else {
            $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");
            return false;
        } 
    } 

    /**
     * Check if static class is trusted.
     * 
     * @param string $class_name 
     * @param object $compiler compiler object
     * @return boolean true if class is trusted
     */
    function isTrustedStaticClass($class_name, $compiler)
    {
        if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) {
            return true;
        } else {
            $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");
            return false;
        } 
    } 
    /**
     * Check if modifier is trusted.
     * 
     * @param string $modifier_name 
     * @param object $compiler compiler object
     * @return boolean true if modifier is trusted
     */
    function isTrustedModifier($modifier_name, $compiler)
    {
        if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) {
            return true;
        } else {
            $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");
            return false;
        } 
    } 
    /**
     * Check if stream is trusted.
     * 
     * @param string $stream_name 
     * @param object $compiler compiler object
     * @return boolean true if stream is trusted
     */
    function isTrustedStream($stream_name)
    {
        if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) {
            return true;
        } else {
            throw new SmartyException ("stream '{$stream_name}' not allowed by security setting");
            return false;
        } 
    } 

    /**
     * Check if directory of file resource is trusted.
     * 
     * @param string $filepath 
     * @param object $compiler compiler object
     * @return boolean true if directory is trusted
     */
    function isTrustedResourceDir($filepath)
    {
        $_rp = realpath($filepath);
        if (isset($this->smarty->template_dir)) {
            foreach ((array)$this->smarty->template_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false &&
                        strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                        (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
                    return true;
                } 
            } 
        } 
        if (!empty($this->smarty->security_policy->secure_dir)) {
            foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false) {
                    if ($_cd == $_rp) {
                        return true;
                    } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                            (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
                        return true;
                    } 
                } 
            } 
        } 

        throw new SmartyException ("directory '{$_rp}' not allowed by security setting");
        return false;
    } 
    
    /**
     * Check if directory of file resource is trusted.
     * 
     * @param string $filepath 
     * @param object $compiler compiler object
     * @return boolean true if directory is trusted
     */
    function isTrustedPHPDir($filepath)
    {
        $_rp = realpath($filepath);
        if (!empty($this->trusted_dir)) {
            foreach ((array)$this->trusted_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false) {
                    if ($_cd == $_rp) {
                        return true;
                    } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                            substr($_rp, strlen($_cd), 1) == DS) {
                        return true;
                    } 
                } 
            } 
        } 

        throw new SmartyException ("directory '{$_rp}' not allowed by security setting");
        return false;
    } 
} 

?>
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`<?php`
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* Smarty plugin`
			`*`
			`* @package Smarty`
			`* @subpackage Security`
			`* @author Uwe Tews`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This class does contain the security settings`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`class Smarty_Security {`
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This determines how Smarty handles "<?php ... ?>" tags in templates.`
			`* possible values:`
			`* <ul>`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>`
			`* <li>Smarty::PHP_QUOTE -> escape tags as entities</li>`
			`* <li>Smarty::PHP_REMOVE -> remove php tags</li>`
			`* <li>Smarty::PHP_ALLOW -> execute php tags</li>`
fix formatting 2010-08-17 15:39:51 +00:00			`* </ul>`
			`*`
			`* @var integer`
			`*/`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`public $php_handling = Smarty::PHP_PASSTHRU;`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This is the list of template directories that are considered secure.`
			`* $template_dir is in this list implicitly.`
			`*`
			`* @var array`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $secure_dir = array();`


			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This is an array of directories where trusted php scripts reside.`
			`* {@link $security} is disabled during their inclusion/execution.`
			`*`
			`* @var array`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $trusted_dir = array();`


- bugfix on expressions in doublequoted string enclosed in backticks - added security property $static_classes for static class security 2010-02-24 18:01:03 +00:00			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This is an array of trusted static classes.`
			`*`
			`* If empty access to all static classes is allowed.`
			`* If set to 'none' none is allowed.`
			`* @var array`
			`*/`
- bugfix on expressions in doublequoted string enclosed in backticks - added security property $static_classes for static class security 2010-02-24 18:01:03 +00:00			`public $static_classes = array();`

change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This is an array of trusted PHP functions.`
			`*`
			`* If empty all functions are allowed.`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* To disable all PHP functions set $php_functions = null.`
fix formatting 2010-08-17 15:39:51 +00:00			`* @var array`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $php_functions = array('isset', 'empty',`
			`'count', 'sizeof','in_array', 'is_array','time','nl2br');`

			`/**`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* This is an array of trusted PHP modifers.`
fix formatting 2010-08-17 15:39:51 +00:00			`*`
			`* If empty all modifiers are allowed.`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* To disable all modifier set $modifiers = null.`
fix formatting 2010-08-17 15:39:51 +00:00			`* @var array`
			`*/`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`public $php_modifiers = array('escape','count');`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* This is an array of trusted streams.`
			`*`
			`* If empty all streams are allowed.`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* To disable all streams set $streams = null.`
fix formatting 2010-08-17 15:39:51 +00:00			`* @var array`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $streams = array('file');`
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* + flag if constants can be accessed from template`
			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $allow_constants = true;`
			`/**`
fix formatting 2010-08-17 15:39:51 +00:00			`* + flag if super globals can be accessed from template`
			`*/`
- added max attribute to for loop - added security mode allow_super_globals 2009-12-04 15:44:47 +00:00			`public $allow_super_globals = true;`
			`/**`
- major update including some API changes 2010-11-11 21:34:36 +00:00			`* + flag if the {php} and {include_php} tag can be executed`
fix formatting 2010-08-17 15:39:51 +00:00			`*/`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`public $allow_php_tag = false;`
- major update including some API changes 2010-11-11 21:34:36 +00:00
			`public function __construct($smarty)`
			`{`
			`$this->smarty = $smarty;`
			`}`
			`/**`
			`* Check if PHP function is trusted.`
			`*`
			`* @param string $function_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if function is trusted`
			`*/`
			`function isTrustedPhpFunction($function_name, $compiler)`
			`{`
			`if (isset($this->php_functions) && (empty($this->php_functions) \|\| in_array($function_name, $this->php_functions))) {`
			`return true;`
			`} else {`
			`$compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");`
			`return false;`
			`}`
			`}`

			`/**`
			`* Check if static class is trusted.`
			`*`
			`* @param string $class_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if class is trusted`
			`*/`
			`function isTrustedStaticClass($class_name, $compiler)`
			`{`
			`if (isset($this->static_classes) && (empty($this->static_classes) \|\| in_array($class_name, $this->static_classes))) {`
			`return true;`
			`} else {`
			`$compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");`
			`return false;`
			`}`
			`}`
			`/**`
			`* Check if modifier is trusted.`
			`*`
			`* @param string $modifier_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if modifier is trusted`
			`*/`
			`function isTrustedModifier($modifier_name, $compiler)`
			`{`
			`if (isset($this->php_modifiers) && (empty($this->php_modifiers) \|\| in_array($modifier_name, $this->php_modifiers))) {`
			`return true;`
			`} else {`
			`$compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");`
			`return false;`
			`}`
			`}`
			`/**`
			`* Check if stream is trusted.`
			`*`
			`* @param string $stream_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if stream is trusted`
			`*/`
			`function isTrustedStream($stream_name)`
			`{`
			`if (isset($this->streams) && (empty($this->streams) \|\| in_array($stream_name, $this->streams))) {`
			`return true;`
			`} else {`
			`throw new SmartyException ("stream '{$stream_name}' not allowed by security setting");`
			`return false;`
			`}`
			`}`

			`/**`
			`* Check if directory of file resource is trusted.`
			`*`
			`* @param string $filepath`
			`* @param object $compiler compiler object`
			`* @return boolean true if directory is trusted`
			`*/`
			`function isTrustedResourceDir($filepath)`
			`{`
			`$_rp = realpath($filepath);`
			`if (isset($this->smarty->template_dir)) {`
			`foreach ((array)$this->smarty->template_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false &&`
			`strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
			`(strlen($_rp) == strlen($_cd) \|\| substr($_rp, strlen($_cd), 1) == DS)) {`
			`return true;`
			`}`
			`}`
			`}`
			`if (!empty($this->smarty->security_policy->secure_dir)) {`
			`foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false) {`
			`if ($_cd == $_rp) {`
			`return true;`
			`} elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
			`(strlen($_rp) == strlen($_cd) \|\| substr($_rp, strlen($_cd), 1) == DS)) {`
			`return true;`
			`}`
			`}`
			`}`
			`}`

			`throw new SmartyException ("directory '{$_rp}' not allowed by security setting");`
			`return false;`
			`}`

			`/**`
			`* Check if directory of file resource is trusted.`
			`*`
			`* @param string $filepath`
			`* @param object $compiler compiler object`
			`* @return boolean true if directory is trusted`
			`*/`
			`function isTrustedPHPDir($filepath)`
			`{`
			`$_rp = realpath($filepath);`
			`if (!empty($this->trusted_dir)) {`
			`foreach ((array)$this->trusted_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false) {`
			`if ($_cd == $_rp) {`
			`return true;`
			`} elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
			`substr($_rp, strlen($_cd), 1) == DS) {`
			`return true;`
			`}`
			`}`
			`}`
			`}`

			`throw new SmartyException ("directory '{$_rp}' not allowed by security setting");`
			`return false;`
			`}`
change linefeed style to native on all files 2009-11-06 14:35:00 +00:00			`}`

- bugfix on expressions in doublequoted string enclosed in backticks - added security property $static_classes for static class security 2010-02-24 18:01:03 +00:00			`?>`