smarty/libs/sysplugins/internal.security_handler.php

<?php
/**
* Smarty Internal Plugin Security Handler
* 
* @package Smarty
* @subpackage Security
* @author Uwe Tews 
*/
/**
* This class contains all methods for security checking
*/
class Smarty_Internal_Security_Handler {
    function __construct($smarty)
    {
        $this->smarty = $smarty;
    } 
    /**
    * Check if PHP function is trusted.
    * 
    * @param string $function_name 
    * @param object $compiler compiler object
    * @return boolean true if function is trusted
    */
    function isTrustedPhpFunction($function_name, $compiler)
    {
        if (empty($this->smarty->security_policy->php_functions) || in_array($function_name, $this->smarty->security_policy->php_functions)) {
            return true;
        } else {
            $compiler->trigger_template_error ("PHP function \"" . $function_name . "\" not allowed by security setting");
            return false;
        } 
    } 

    /**
    * Check if modifier is trusted.
    * 
    * @param string $modifier_name 
    * @param object $compiler compiler object
    * @return boolean true if modifier is trusted
    */
    function isTrustedModifier($modifier_name, $compiler)
    {
        if (empty($this->smarty->security_policy->modifiers) || in_array($modifier_name, $this->smarty->security_policy->modifiers)) {
            return true;
        } else {
            $compiler->trigger_template_error ("modifier \"" . $modifier_name . "\" not allowed by security setting");
            return false;
        } 
    } 
    /**
    * Check if stream is trusted.
    * 
    * @param string $stream_name 
    * @param object $compiler compiler object
    * @return boolean true if stream is trusted
    */
    function isTrustedStream($stream_name)
    {
        if (empty($this->smarty->security_policy->streams) || in_array($stream_name, $this->smarty->security_policy->streams)) {
            return true;
        } else {
            throw new Exception ("stream \"" . $stream_name . "\" not allowed by security setting");
            return false;
        } 
    } 

    /**
    * Check if directory of file resource is trusted.
    * 
    * @param string $filepath 
    * @param object $compiler compiler object
    * @return boolean true if directory is trusted
    */
    function isTrustedResourceDir($filepath)
    {
        $_rp = realpath($filepath);
        if (isset($this->smarty->template_dir)) {
            foreach ((array)$this->smarty->template_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false &&
                        strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                        (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR)) {
                    return true;
                } 
            } 
        } 
        if (!empty($this->smarty->security_policy->secure_dir)) {
            foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false) {
                    if ($_cd == $_rp) {
                        return true;
                    } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                            (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR)) {
                        return true;
                    } 
                } 
            } 
        } 

        throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
        return false;
    } 
    /**
    * Check if directory of file resource is trusted.
    * 
    * @param string $filepath 
    * @param object $compiler compiler object
    * @return boolean true if directory is trusted
    */
    function isTrustedPHPDir($filepath)
    {
        $_rp = realpath($filepath);
        if (!empty($this->smarty->security_policy->trusted_dir)) {
            foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) {
                if (($_cd = realpath($curr_dir)) !== false) {
                    if ($_cd == $_rp) {
                        return true;
                    } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
                            substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR) {
                        return true;
                    } 
                } 
            } 
        } 

        throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
        return false;
    } 
} 

?>
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00			`<?php`
			`/**`
			`* Smarty Internal Plugin Security Handler`
			`*`
			`* @package Smarty`
			`* @subpackage Security`
			`* @author Uwe Tews`
			`*/`
			`/**`
			`* This class contains all methods for security checking`
			`*/`
- removed all internal calls of Smarty::instance() - fixed code in double quoted strings 2009-08-08 17:28:23 +00:00			`class Smarty_Internal_Security_Handler {`
			`function __construct($smarty)`
			`{`
			`$this->smarty = $smarty;`
			`}`
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00			`/**`
			`* Check if PHP function is trusted.`
			`*`
			`* @param string $function_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if function is trusted`
			`*/`
			`function isTrustedPhpFunction($function_name, $compiler)`
			`{`
			`if (empty($this->smarty->security_policy->php_functions) \|\| in_array($function_name, $this->smarty->security_policy->php_functions)) {`
			`return true;`
			`} else {`
			`$compiler->trigger_template_error ("PHP function \"" . $function_name . "\" not allowed by security setting");`
			`return false;`
			`}`
			`}`

			`/**`
			`* Check if modifier is trusted.`
			`*`
			`* @param string $modifier_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if modifier is trusted`
			`*/`
			`function isTrustedModifier($modifier_name, $compiler)`
			`{`
			`if (empty($this->smarty->security_policy->modifiers) \|\| in_array($modifier_name, $this->smarty->security_policy->modifiers)) {`
			`return true;`
			`} else {`
			`$compiler->trigger_template_error ("modifier \"" . $modifier_name . "\" not allowed by security setting");`
			`return false;`
			`}`
			`}`
- added trusted stream checking to security - internal changes at file dependency check for caching 2009-04-26 16:56:17 +00:00			`/**`
			`* Check if stream is trusted.`
			`*`
			`* @param string $stream_name`
			`* @param object $compiler compiler object`
			`* @return boolean true if stream is trusted`
			`*/`
			`function isTrustedStream($stream_name)`
			`{`
			`if (empty($this->smarty->security_policy->streams) \|\| in_array($stream_name, $this->smarty->security_policy->streams)) {`
			`return true;`
			`} else {`
			`throw new Exception ("stream \"" . $stream_name . "\" not allowed by security setting");`
			`return false;`
			`}`
			`}`
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00
			`/**`
			`* Check if directory of file resource is trusted.`
			`*`
			`* @param string $filepath`
			`* @param object $compiler compiler object`
			`* @return boolean true if directory is trusted`
			`*/`
			`function isTrustedResourceDir($filepath)`
			`{`
			`$_rp = realpath($filepath);`
			`if (isset($this->smarty->template_dir)) {`
			`foreach ((array)$this->smarty->template_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false &&`
			`strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
- bugfix smarty.class and internal.security_handler - added compile_check configuration - added all setter/getter methodes 2009-03-31 14:20:10 +00:00			`(strlen($_rp) == strlen($_cd) \|\| substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR)) {`
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00			`return true;`
			`}`
			`}`
			`}`
			`if (!empty($this->smarty->security_policy->secure_dir)) {`
			`foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false) {`
			`if ($_cd == $_rp) {`
			`return true;`
			`} elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
- added trusted stream checking to security - internal changes at file dependency check for caching 2009-04-26 16:56:17 +00:00			`(strlen($_rp) == strlen($_cd) \|\| substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR)) {`
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00			`return true;`
			`}`
			`}`
			`}`
			`}`

			`throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");`
			`return false;`
			`}`
			`/**`
			`* Check if directory of file resource is trusted.`
			`*`
			`* @param string $filepath`
			`* @param object $compiler compiler object`
			`* @return boolean true if directory is trusted`
			`*/`
			`function isTrustedPHPDir($filepath)`
			`{`
			`$_rp = realpath($filepath);`
- added trusted stream checking to security - internal changes at file dependency check for caching 2009-04-26 16:56:17 +00:00			`if (!empty($this->smarty->security_policy->trusted_dir)) {`
rearrange things into distribution and development directories 2009-03-22 16:09:05 +00:00			`foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) {`
			`if (($_cd = realpath($curr_dir)) !== false) {`
			`if ($_cd == $_rp) {`
			`return true;`
			`} elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&`
			`substr($_rp, strlen($_cd), 1) == DIRECTORY_SEPARATOR) {`
			`return true;`
			`}`
			`}`
			`}`
			`}`

			`throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");`
			`return false;`
			`}`
			`}`

			`?>`