security can now disable special $smarty variables

see also NEW_FEATURES.txt

NEW_FEATURES.txt

@@ -11,3 +11,11 @@ Smarty 3.1.22
      - Class names              like    foo\bar\Baz::FOO, foo\bar\Baz::$foo, foo\bar\Baz::foo()
      - PHP function names       like    foo\bar\baz()
 
+    Security
+    ========
+    The Smarty_Security class has the new property $disabled_special_smarty_vars.
+    It's an array which can be loaded with the $smarty special variable names like
+    'template_object', 'template', 'current_dir' and others which will be disabled.
+    Note: That this security checking is performed at compile time.
+
+    

change_log.txt

@@ -1,4 +1,8 @@
  ===== 3.1.22-dev ===== (xx.xx.2014)
+ 29.12.2014
+ - new feature security can now disable special $smarty variables listed in property $disabled_special_smarty_vars
+       see also NEW_FEATURES.txt (forum 25370)
+ 
  27.12.2014
   - bugfix clear internal _is_file_cache when plugins_dir was modified
 

libs/sysplugins/smarty_internal_compile_private_special_variable.php

@@ -30,6 +30,7 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
         $_index = preg_split("/\]\[/", substr($parameter, 1, strlen($parameter) - 2));
         $compiled_ref = ' ';
         $variable = trim($_index[0], "'");
+        if (!isset($compiler->smarty->security_policy) || $compiler->smarty->security_policy->isTrustedSpecialSmartyVar($variable, $compiler)) {
             switch ($variable) {
                 case 'foreach':
                     return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
@@ -79,7 +80,7 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
                         $compiler->trigger_template_error("(secure mode) constants not permitted");
                         break;
                     }
-                if( strpos( $_index[1], '$') === false ){
+                    if (strpos($_index[1], '$') === false) {
                         return "@constant('{$_index[1]}')";
                     } else {
                         return "@constant({$_index[1]})";
@@ -111,7 +112,7 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
                     $compiled_ref = $compiled_ref . "[$_ind]";
                 }
             }
-
+        }
         return $compiled_ref;
     }
 }

libs/sysplugins/smarty_security.php

@@ -115,6 +115,12 @@ class Smarty_Security
      * @var array
      */
     public $disabled_modifiers = array();
+    /**
+     * This is an array of disabled special $smarty variables.
+     *
+     * @var array
+     */
+    public $disabled_special_smarty_vars = array();
     /**
      * This is an array of trusted streams.
      * If empty all streams are allowed.
@@ -273,6 +279,25 @@ class Smarty_Security
 
         return false; // should not, but who knows what happens to the compiler in the future?
     }
+    /**
+     * Check if special $smarty variable is trusted.
+     *
+     * @param  string $var_name
+     * @param  object $compiler compiler object
+     *
+     * @return boolean                 true if tag is trusted
+     * @throws SmartyCompilerException if modifier is not trusted
+     */
+    public function isTrustedSpecialSmartyVar($var_name, $compiler)
+    {
+        if (!in_array($var_name, $this->disabled_special_smarty_vars)) {
+            return true;
+        } else {
+            $compiler->trigger_template_error("special variable '\$smarty.{$var_name}' not allowed by security setting", $compiler->lex->taglineno);
+        }
+
+        return false; // should not, but who knows what happens to the compiler in the future?
+    }
 
     /**
      * Check if modifier plugin is trusted.