2021-12-03 11:59:22 +01:00
|
|
|
Security {#advanced.features.security}
|
|
|
|
|
========
|
|
|
|
|
|
|
|
|
|
Security is good for situations when you have untrusted parties editing
|
2022-10-22 22:08:38 +02:00
|
|
|
the templates e.g. via ftp, and you want to reduce the risk of system
|
2021-12-03 11:59:22 +01:00
|
|
|
security compromises through the template language.
|
|
|
|
|
|
|
|
|
|
The settings of the security policy are defined by properties of an
|
|
|
|
|
instance of the Smarty\_Security class. These are the possible settings:
|
|
|
|
|
|
|
|
|
|
- `$secure_dir` is an array of template directories that are
|
|
|
|
|
considered secure. [`$template_dir`](#variable.template.dir)
|
2022-10-22 22:08:38 +02:00
|
|
|
considered secure implicitly. The default is an empty array.
|
2021-12-03 11:59:22 +01:00
|
|
|
|
|
|
|
|
- `$trusted_dir` is an array of all directories that are considered
|
|
|
|
|
trusted. Trusted directories are where you keep php scripts that are
|
|
|
|
|
executed directly from the templates with
|
2022-09-27 12:21:01 +02:00
|
|
|
[`{insert}`](#language.function.insert.php). The default is an
|
2021-12-03 11:59:22 +01:00
|
|
|
empty array.
|
|
|
|
|
|
|
|
|
|
- `$trusted_uri` is an array of regular expressions matching URIs that
|
|
|
|
|
are considered trusted. This security directive used by
|
|
|
|
|
[`{fetch}`](#language.function.fetch) and
|
|
|
|
|
[`{html_image}`](#language.function.html.image). URIs passed to
|
|
|
|
|
these functions are reduced to `{$PROTOCOL}://{$HOSTNAME}` to allow
|
|
|
|
|
simple regular expressions (without having to deal with edge cases
|
|
|
|
|
like authentication-tokens).
|
|
|
|
|
|
|
|
|
|
The expression `'#https?://.*smarty.net$#i'` would allow accessing
|
2022-10-22 22:08:38 +02:00
|
|
|
the following URIs:
|
2021-12-03 11:59:22 +01:00
|
|
|
|
|
|
|
|
- `http://smarty.net/foo`
|
|
|
|
|
|
|
|
|
|
- `http://smarty.net/foo`
|
|
|
|
|
|
|
|
|
|
- `http://www.smarty.net/foo`
|
|
|
|
|
|
|
|
|
|
- `http://smarty.net/foo`
|
|
|
|
|
|
|
|
|
|
- `https://foo.bar.www.smarty.net/foo/bla?blubb=1`
|
|
|
|
|
|
|
|
|
|
but deny access to these URIs:
|
|
|
|
|
|
|
|
|
|
- `http://smarty.com/foo` (not matching top-level domain \"com\")
|
|
|
|
|
|
|
|
|
|
- `ftp://www.smarty.net/foo` (not matching protocol \"ftp\")
|
|
|
|
|
|
|
|
|
|
- `http://www.smarty.net.otherdomain.com/foo` (not matching end of
|
|
|
|
|
domain \"smarty.net\")
|
|
|
|
|
|
|
|
|
|
- `$static_classes` is an array of classes that are considered
|
|
|
|
|
trusted. The default is an empty array which allows access to all
|
|
|
|
|
static classes. To disable access to all static classes set
|
|
|
|
|
\$static\_classes = null.
|
|
|
|
|
|
|
|
|
|
- `$streams` is an array of streams that are considered trusted and
|
|
|
|
|
can be used from within template. To disable access to all streams
|
|
|
|
|
set \$streams = null. An empty array ( \$streams = array() ) will
|
|
|
|
|
allow all streams. The default is array(\'file\').
|
|
|
|
|
|
|
|
|
|
- `$allowed_modifiers` is an array of (registered / autoloaded)
|
|
|
|
|
modifiers that should be accessible to the template. If this array
|
|
|
|
|
is non-empty, only the herein listed modifiers may be used. This is
|
|
|
|
|
a whitelist.
|
|
|
|
|
|
|
|
|
|
- `$disabled_modifiers` is an array of (registered / autoloaded)
|
|
|
|
|
modifiers that may not be accessible to the template.
|
|
|
|
|
|
|
|
|
|
- `$allowed_tags` is a boolean flag which controls if constants can
|
|
|
|
|
function-, block and filter plugins that should be accessible to the
|
|
|
|
|
template. If this array is non-empty, only the herein listed
|
|
|
|
|
modifiers may be used. This is a whitelist.
|
|
|
|
|
|
|
|
|
|
- `$disabled_tags` is an array of (registered / autoloaded) function-,
|
|
|
|
|
block and filter plugins that may not be accessible to the template.
|
|
|
|
|
|
|
|
|
|
- `$allow_constants` is a boolean flag which controls if constants can
|
|
|
|
|
be accessed by the template. The default is \"true\".
|
|
|
|
|
|
|
|
|
|
- `$allow_super_globals` is a boolean flag which controls if the PHP
|
|
|
|
|
super globals can be accessed by the template. The default is
|
|
|
|
|
\"true\".
|
|
|
|
|
|
|
|
|
|
If security is enabled, no private methods, functions or properties of
|
2022-09-27 12:21:01 +02:00
|
|
|
static classes or assigned objects can be accessed (beginning with
|
2021-12-03 11:59:22 +01:00
|
|
|
\'\_\') by the template.
|
|
|
|
|
|
|
|
|
|
To customize the security policy settings you can extend the
|
|
|
|
|
Smarty\_Security class or create an instance of it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<?php
|
|
|
|
|
|
2022-12-22 22:38:37 +01:00
|
|
|
class My_Security_Policy extends \Smarty\Security {
|
2023-01-07 23:06:47 +01:00
|
|
|
public $allow_constants = false;
|
2021-12-03 11:59:22 +01:00
|
|
|
}
|
|
|
|
|
$smarty = new Smarty();
|
|
|
|
|
// enable security
|
|
|
|
|
$smarty->enableSecurity('My_Security_Policy');
|
|
|
|
|
?>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<?php
|
|
|
|
|
$smarty = new Smarty();
|
2022-12-22 22:38:37 +01:00
|
|
|
$my_security_policy = new \Smarty\Security($smarty);
|
2023-01-07 23:06:47 +01:00
|
|
|
$my_security_policy->allow_constants = false;
|
2021-12-03 11:59:22 +01:00
|
|
|
// enable security
|
|
|
|
|
$smarty->enableSecurity($my_security_policy);
|
|
|
|
|
?>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<?php
|
|
|
|
|
require 'Smarty.class.php';
|
|
|
|
|
$smarty = new Smarty();
|
|
|
|
|
// enable default security
|
|
|
|
|
$smarty->enableSecurity();
|
|
|
|
|
?>
|
|
|
|
|
|
|
|
|
|
> **Note**
|
|
|
|
|
>
|
|
|
|
|
> Most security policy settings are only checked when the template gets
|
2022-10-22 22:08:38 +02:00
|
|
|
> compiled. For that reason you should delete all cached and compiled
|
2021-12-03 11:59:22 +01:00
|
|
|
> template files when you change your security settings.
|
