- bugfix on expressions in doublequoted string enclosed in backticks

- added security property $static_classes for static class security

change_log.txt

@@ -1,3 +1,7 @@
+24/02/2010
+- bugfix on expressions in doublequoted string enclosed in backticks
+- added security property $static_classes for static class security
+
 18/02/2010
 - bugfix on parsing Smarty tags inside <?xml ... ?>
 - bugfix on truncate modifier

libs/sysplugins/smarty_internal_security_handler.php

@@ -26,11 +26,27 @@ class Smarty_Internal_Security_Handler {
         if (empty($this->smarty->security_policy->php_functions) || in_array($function_name, $this->smarty->security_policy->php_functions)) {
             return true;
         } else {
-            $compiler->trigger_template_error ("PHP function \"" . $function_name . "\" not allowed by security setting");
+            $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");
             return false;
         } 
     } 
 
+    /**
+    * Check if static class is trusted.
+    * 
+    * @param string $class_name 
+    * @param object $compiler compiler object
+    * @return boolean true if class is trusted
+    */
+    function isTrustedStaticClass($class_name, $compiler)
+    {
+        if (empty($this->smarty->security_policy->static_classes) || in_array($class_name, $this->smarty->security_policy->static_classes)) {
+            return true;
+        } else {
+            $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");
+            return false;
+        } 
+    } 
     /**
     * Check if modifier is trusted.
     * 
@@ -43,7 +59,7 @@ class Smarty_Internal_Security_Handler {
         if (empty($this->smarty->security_policy->modifiers) || in_array($modifier_name, $this->smarty->security_policy->modifiers)) {
             return true;
         } else {
-            $compiler->trigger_template_error ("modifier \"" . $modifier_name . "\" not allowed by security setting");
+            $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");
             return false;
         } 
     } 
@@ -59,7 +75,7 @@ class Smarty_Internal_Security_Handler {
         if (empty($this->smarty->security_policy->streams) || in_array($stream_name, $this->smarty->security_policy->streams)) {
             return true;
         } else {
-            throw new Exception ("stream \"" . $stream_name . "\" not allowed by security setting");
+            throw new Exception ("stream '{$stream_name}' not allowed by security setting");
             return false;
         } 
     } 
@@ -96,7 +112,7 @@ class Smarty_Internal_Security_Handler {
             } 
         } 
 
-        throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
+        throw new Exception ("directory '{$_rp}' not allowed by security setting");
         return false;
     } 
     /**
@@ -122,9 +138,9 @@ class Smarty_Internal_Security_Handler {
             } 
         } 
 
-        throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
+        throw new Exception ("directory '{$_rp}' not allowed by security setting");
         return false;
     } 
 } 
 
-?>
+?>

libs/sysplugins/smarty_security.php

@@ -44,6 +44,15 @@ class Smarty_Security {
     public $trusted_dir = array();
 
 
+    /**
+    * This is an array of trusted static classes.
+    *
+    * If empty access to all static classes is allowed.
+    * If set to 'none' none is allowed.
+    * @var array 
+    */
+    public $static_classes = array();
+
     /**
     * This is an array of trusted PHP functions.
     *
@@ -85,4 +94,4 @@ class Smarty_Security {
     public $allow_php_tag = false;
 } 
 
-?>
+?>