security can now disable special $smarty variables

see also NEW_FEATURES.txt
2025-08-06 11:24:27 +02:00 · 2014-12-29 21:59:23 +01:00
parent 49a3427515
commit 1da50aa61d
4 changed files with 107 additions and 69 deletions
--- a/NEW_FEATURES.txt
+++ b/NEW_FEATURES.txt
@@ -11,3 +11,11 @@ Smarty 3.1.22
     - Class names              like    foo\bar\Baz::FOO, foo\bar\Baz::$foo, foo\bar\Baz::foo()
     - PHP function names       like    foo\bar\baz()

+    Security
+    ========
+    The Smarty_Security class has the new property $disabled_special_smarty_vars.
+    It's an array which can be loaded with the $smarty special variable names like
+    'template_object', 'template', 'current_dir' and others which will be disabled.
+    Note: That this security checking is performed at compile time.
+
+    
--- a/change_log.txt
+++ b/change_log.txt
@@ -1,4 +1,8 @@
 ===== 3.1.22-dev ===== (xx.xx.2014)
+ 29.12.2014
+ - new feature security can now disable special $smarty variables listed in property $disabled_special_smarty_vars
+       see also NEW_FEATURES.txt (forum 25370)
+ 
 27.12.2014
  - bugfix clear internal _is_file_cache when plugins_dir was modified

--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -30,6 +30,7 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
        $_index = preg_split("/\]\[/", substr($parameter, 1, strlen($parameter) - 2));
        $compiled_ref = ' ';
        $variable = trim($_index[0], "'");
+        if (!isset($compiler->smarty->security_policy) || $compiler->smarty->security_policy->isTrustedSpecialSmartyVar($variable, $compiler)) {
            switch ($variable) {
                case 'foreach':
                    return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
@@ -111,7 +112,7 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
                    $compiled_ref = $compiled_ref . "[$_ind]";
                }
            }
-
+        }
        return $compiled_ref;
    }
 }
--- a/libs/sysplugins/smarty_security.php
+++ b/libs/sysplugins/smarty_security.php
@@ -115,6 +115,12 @@ class Smarty_Security
     * @var array
     */
    public $disabled_modifiers = array();
+    /**
+     * This is an array of disabled special $smarty variables.
+     *
+     * @var array
+     */
+    public $disabled_special_smarty_vars = array();
    /**
     * This is an array of trusted streams.
     * If empty all streams are allowed.
@@ -273,6 +279,25 @@ class Smarty_Security

        return false; // should not, but who knows what happens to the compiler in the future?
    }
+    /**
+     * Check if special $smarty variable is trusted.
+     *
+     * @param  string $var_name
+     * @param  object $compiler compiler object
+     *
+     * @return boolean                 true if tag is trusted
+     * @throws SmartyCompilerException if modifier is not trusted
+     */
+    public function isTrustedSpecialSmartyVar($var_name, $compiler)
+    {
+        if (!in_array($var_name, $this->disabled_special_smarty_vars)) {
+            return true;
+        } else {
+            $compiler->trigger_template_error("special variable '\$smarty.{$var_name}' not allowed by security setting", $compiler->lex->taglineno);
+        }
+
+        return false; // should not, but who knows what happens to the compiler in the future?
+    }

    /**
     * Check if modifier plugin is trusted.