security can now disable special $smarty variables

see also NEW_FEATURES.txt

libs/sysplugins/smarty_security.php

@@ -115,6 +115,12 @@ class Smarty_Security
      * @var array
      */
     public $disabled_modifiers = array();
+    /**
+     * This is an array of disabled special $smarty variables.
+     *
+     * @var array
+     */
+    public $disabled_special_smarty_vars = array();
     /**
      * This is an array of trusted streams.
      * If empty all streams are allowed.
@@ -273,6 +279,25 @@ class Smarty_Security
 
         return false; // should not, but who knows what happens to the compiler in the future?
     }
+    /**
+     * Check if special $smarty variable is trusted.
+     *
+     * @param  string $var_name
+     * @param  object $compiler compiler object
+     *
+     * @return boolean                 true if tag is trusted
+     * @throws SmartyCompilerException if modifier is not trusted
+     */
+    public function isTrustedSpecialSmartyVar($var_name, $compiler)
+    {
+        if (!in_array($var_name, $this->disabled_special_smarty_vars)) {
+            return true;
+        } else {
+            $compiler->trigger_template_error("special variable '\$smarty.{$var_name}' not allowed by security setting", $compiler->lex->taglineno);
+        }
+
+        return false; // should not, but who knows what happens to the compiler in the future?
+    }
 
     /**
      * Check if modifier plugin is trusted.