smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-10-05 16:50:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ab247c723b58743f3ba9fe95dc13e91e11d9fc97
smarty/docs/api/security.md

120 lines
4.1 KiB
Markdown
Raw Normal View History

Smarty5 (#852) * WIP converting code to PSR-4 * More PSR4 rewriting * Removed autoload filters * WIP making compile classes PSR-4 * WIP making compile classes PSR-4 * Replace Smarty:: with symfony/polyfill-mbstring * WIP making compile classes PSR-4 * finished rewriting all compile classes into PSR-4 * Rewrote all Compile and Compiler classes to PSR-4 * WIP rewriting smarty_internal_method_* * Finished moving smarty_internal_method_* * smarty_internal_resource_* to PSR-4 * Refactored all _runtime_* by merging them into the proper classes or by transforming them into Runtime Extensions. * src/Template/* to PSR-4 * src/sysplugins/* to PSR-4 * Entire src dir now PSR-4 compatible * Add makefile, PSR-4 ModifierCompilers * Rewrote all default modifiers and functions from the plugins folder to PSR-4 classes * Rewrote remaining plugins to PSR-4, plugins dir is now gone. * WIP moving Smarty to PSR-4. * fixed pre/post/output filters and removed some old todo-comments * filter tests passing * Fixed TemplateObject test * Fix CustomResourceAmbiguousTest * Fixed CacheResource implementation and tests * Fixed setfilter * Fixed DefaultPluginHandlerTest for function plugins (blocks still break) * move runPluginFromDefaultHandler to new Runtime class * Introduce formatParamsArray method for recurring code fragment * Fix code duplication in block compilers and fix (most) BlockPluginTests. Default plugin handler blocks still need fixing. * minor fixes * Implemented the DefaultHandlerBlockCompiler, made the dependencies of the template compiler into properties, fixed a couple of unit tests * Removed support for PHP include path, and removed the ::loadPlugin method. * Removed now unneeded PHPunit annotations @run(Tests)InSeparateProcess, @preserveGlobalState and @backupStaticAttributes. Made CacheResourceTestCommon abstract to prevent the base class from running tests (and always failing). Unregister a previously registered stream wrapper. Fixes a lot of tests. * Fix scoping / global state problems in tests by using DI in Default Extension. Also removing a bunch of old fashioned phpdoc annotations that are superseded by namespaces. * Make DefaultExtension lazy load again. * Removed deprecated extends_recursion property and fix bug in CodeFrame compiler due to use of clone. * Fixed BC loading of resource pluging from dir and all ResourcePluginTest tests * Removed PHP functions and checks for the already removed php modifiers. Re-implemented functions as regular functions. Probably should compile these directly. * Fixed stream resources * 2 small fixes for unit tests * Fixed modifiercompiler handling multiple/chained modifiers * Rewrote global static global_tpl_vars to getters/setters on Smarty class, fixing several test cases. Added a ::getValue() method to Variable. * Fixed issue related to scoping of left/right delimiter overrides * Added strlen function, fixing some unit tests * Fix bug in calling BC function handlers. * WIP replacing direct access tpl_vars with proper getter/setters. * WIP * WIP rewriting variable scopes * WIP fixing the complicated variables scopes architecture. Right now more tests are failing than before... :( * Fixed minor unit tests * Made variable scoping more sensible * Fix configfile tests * removed phpplugin, removed now unused uncompiled handler and all checks for this, fixed a refactorbug in InheritanceRuntime. Moved getRenderedTemplateCode method to Smarty\Template. Renamed Cache en Compiled base class to GeneratedPhpFile for more clarity and distinction from Resource classes. Inlined Cached::create into its only caller. Some other minor improvements. Removed php7.1 CI tests. * Removed the allowUndefinedVars check from the smarty error handlers, because undefined vars no longer throw an error, unless smarty->error_unassigned is set to true. * Replace direct access to inheritance property on Template object by proper getter. * converted 3 public properties on Template into getters/setters. unified Template creation code. Provided a getter/setter for the has_nocache_code property. Removed the useless DataObject class. Fixed a few tests. Removed the variable-allow-php-templates property from the docs. * Simplified the (no)caching architecture by: - removing support for $cache_attrs for registered plugins, - removing the undocumented {make_nocache} tag and the deprecated {insert} tag and associated code - removing support for a compile_id property on include tags. Fixes a bug in extends: resources by propagating the nocache-hashes between a master template and it's subtemplates in \Smarty\Template::_subTemplateRender. This might need further improvement. * Removed unneeded magic setters/getters/destructors and the like. * Replaced a bunch of direct property access with getters/setters. * Update test runners: no longer support PHP7.1, add PHP8.2 * Fixed scope in variable assignments in included and extended templates, fixed dependencies for testing freshness of caches. Added some unit tests and fixed a class reference to pass some more tests. * Fix searchParents parameter, fixing GetTemplateVarsTest * @var integer > @var int for vsCode * Fix function caching function name * Fixed cacheability of block plugins. * Moved handling of smarty.block.* to special compilers, because they aren't real tags. Organized tag-stack handling in compiler, unified nocache handling in compiler. * Fixed block append/prepend functionality * Fix testRegisterCompilerFunction by parsing argument correctly. * Made exception msgs exactly the same again, fixing some unit tests * Fix default plugin handler * Simply the "isFresh" method by not including the first param anymore. Fix a couple of unit tests by respecting tag_nocache set by nocache vars used in a tag. * Removed the undocumented {block_parent} and {parent} alternatives to {$smarty.block.parent} and {block_child} and {child} alternatives to {$smarty.block.child} * Fix inhertiance implementation for $smarty.block.child * Fixed all inheritance issues * Handle BC registered compilers and missed parameters for openTag and closeTag. * Fix all foreach unit tests * Fixed the {if} failures. * Fix major {include} bug * Fixed bug in {include} variable assignment and removed some unused/unrequired code * Fix function call compilation using {functionname} syntax for in-template defined functions. * Drop a unit tests bc we no longer support direct access to PHP-functinos such as sin() * Fixed all scope assignment bugs * Convert isset and empty to modifiercomilers, and smooth the error handling to fix unit tests. * Fixed getCachedContent * Add TODO list * Run composer install before online test run * Attempt to fix CI * revise CI/CD workflows, bypass packagist for lexer * Update ci.yml * Update ci.yml * fixes in source files * Update ci.yml * Update ci.yml * attempt to load smarty-lexer directly from zip file * Shouldnt need Github token now * correct type of repository * Updated the changelog * Re-organized rendering (read source / compile / cache) process to avoid circular dependencies. Deactivated merge_compiled_includes and the {include inline} attribute. They don't seem to do much in terms of performance, but we'll have to check back. * updated todo * Fix smarty-lexer dependency for the time being * Fix smarty-lexer dependency for the time being (remove direct ref to github) * Pushed Lexers/Parsers into VCS again in order to be able to deliver using Packagist/Composer * Re-organized rendering (read source / compile / cache) process to avoid circular dependencies. * Run make regardless of timestamps, so we are sure unit tests run with the generated PHP code, not with accidental human made changes to Lexer/Parser. * Update composer packages cache key Update composer packages cache key to trigger refresh on lexer * 4.0.2 of smarty-lexer is released, use that * Throw compile error when using a modifier where it won't work. Fixes #526. * verify that native PHP functions cannot be used as a modifier and verify that an easy userland workaround exists. Fixes #813. * Add test for registering compiler plugin with positional params. Fixes #164 * move test methods because some other test methods rely on their relative positions * Smarty no longer calls `mb_internal_encoding()` and doesn't check for deprecated `mbstring.func_overload` ini directive. Fixes #480. * Generated `<script>` tags lo longer have deprecated `type="text/javascript"` or `language="Javascript"` attributes. Fixes #815. * Fix error in docs on prepend/append. Fixes #818. * Move all creating of templates to Smarty::createTemplate, adding a private property containing previously generated templates for speed. * Load compiled object in template constructor so it will be cached. * WIP for performance improvements. Removed $smarty->_current_file and $smarty->allow_ambiguous_resources properties, both unused. Removed public Source::filepath property. Cached an Compiled files (and Exceptions) no longer rely on the filepath being set. Removed explicit tests for cached and compiled filenames. The exact implementation is not important. Added tests for compile_check property, fixing a file_exists check that would always be done on source template files, even when compile_check was true. Remove code duplication between Source en Config classes. Added a local $_smarty_current_dir to the generated code files for backwards compatability for {$smarty.current_dir}. * remove additional calls to getCached() * updated todo * Add mkdocs for docs * add missing folder for unit tests * Revert latest CI changes, we'll update docs by hand for now * multiversion mkdocs config * fixes to docs * WIP improving the docs * Improved another chunk of the designers docs * Finished improving designers docs * Update code examples to use Smarty\Smarty and autoload instead of require_once calls and new Smarty * Further WIP improving docs * Updated changelog and todo list * WIP on API docs * WIP docs (added page on config) * Fixed markdown syntax. Fixes #879 * Added full support and documentation for ternary operator. Fixes #881 * updated changelog * fixed error in the mkdocs TOC * Added support for null coalescing operator Fixes #882 * Add docs for null coalescing * more docs * Improved docs on compile checking and inheritance * Rewrote docs on filters and resources. * Add makefile entries for generating docs * Docs on caching * finished docs on security and extending smarty * Added Smarty::setExtensions(), fixed unit test for the null coalescing operator. Updated docs about registering a custom extension. * updated todos * fix template invalidation when migrating to 5.0
2023-08-08 00:04:14 +02:00
# Security
Security is good for situations when you have untrusted parties editing
the templates, and you want to reduce the risk of system
security compromises through the template language.
The settings of the security policy are defined by overriding public properties of an
instance of the \Smarty\Security class. These are the possible settings:
- `$secure_dir` is an array of template directories that are
considered secure. A directory configured using `$smarty->setTemplateDir()` is
considered secure implicitly. The default is an empty array.
- `$trusted_uri` is an array of regular expressions matching URIs that
are considered trusted. This security directive is used by
[`{fetch}`](../designers/language-custom-functions/language-function-fetch.md) and
[`{html_image}`](../designers/language-custom-functions/language-function-html-image.md). URIs passed to
these functions are reduced to `{$PROTOCOL}://{$HOSTNAME}` to allow
simple regular expressions (without having to deal with edge cases
like authentication-tokens).
The expression `'#https?://.*smarty.net$#i'` would allow accessing
the following URIs:
- `http://smarty.net/foo`
- `http://smarty.net/foo`
- `http://www.smarty.net/foo`
- `http://smarty.net/foo`
- `https://foo.bar.www.smarty.net/foo/bla?blubb=1`
but deny access to these URIs:
- `http://smarty.com/foo` (not matching top-level domain \"com\")
- `ftp://www.smarty.net/foo` (not matching protocol \"ftp\")
- `http://www.smarty.net.otherdomain.com/foo` (not matching end of
domain \"smarty.net\")
- `$static_classes` is an array of classes that are considered
trusted. The default is an empty array which allows access to all
static classes. To disable access to all static classes set
$static_classes = null.
- `$streams` is an array of streams that are considered trusted and
can be used from within template. To disable access to all streams
set $streams = null. An empty array ( $streams = [] ) will
allow all streams. The default is array('file').
- `$allowed_modifiers` is an array of (registered / autoloaded)
modifiers that should be accessible to the template. If this array
is non-empty, only the herein listed modifiers may be used. This is
a whitelist.
- `$disabled_modifiers` is an array of (registered / autoloaded)
modifiers that may not be accessible to the template.
- `$allowed_tags` is a boolean flag which controls if constants can
function-, block and filter plugins that should be accessible to the
template. If this array is non-empty, only the herein listed
modifiers may be used. This is a whitelist.
- `$disabled_tags` is an array of (registered / autoloaded) function-,
block and filter plugins that may not be accessible to the template.
- `$allow_constants` is a boolean flag which controls if constants can
be accessed by the template. The default is "true".
- `$allow_super_globals` is a boolean flag which controls if the PHP
super globals can be accessed by the template. The default is
"true".
If security is enabled, no private methods, functions or properties of
static classes or assigned objects can be accessed (beginning with
'_') by the template.
To customize the security policy settings you can extend the
\Smarty\Security class or create an instance of it.
```php
<?php
use Smarty\Smarty;
class My_Security_Policy extends \Smarty\Security {
public $allow_constants = false;
}
$smarty = new Smarty();
$smarty->enableSecurity('My_Security_Policy');
```
```php
<?php
use Smarty\Smarty;
$smarty = new Smarty();
$my_security_policy = new \Smarty\Security($smarty);
$my_security_policy->allow_constants = false;
$smarty->enableSecurity($my_security_policy);
```
```php
<?php
use Smarty\Smarty;
$smarty = new Smarty();
// enable default security
$smarty->enableSecurity();
```
> **Note**
>
> Most security policy settings are only checked when the template gets
> compiled. For that reason you should delete all cached and compiled
> template files when you change your security settings.
Reference in New Issue Copy Permalink