update if statement security feature

mohrt
2001-06-15 13:52:52 +00:00
parent a3ac875225
commit 282d2e5e42
3 changed files with 16 additions and 6 deletions


@@ -485,6 +485,12 @@ class Smarty_Compiler extends Smarty {
$is_arg_stack = array(); $is_arg_stack = array();
for ($i = 0; $i < count($tokens); $i++) { for ($i = 0; $i < count($tokens); $i++) {
if($this->security && $tokens[$i+1] == '(' && !in_array($tokens[$i],$this->security_settings["ALLOW_IF_FUNCS"])) {
$this->_syntax_error("(secure mode) '".$tokens[$i]."' not allowed in if statement");
}
$token = &$tokens[$i]; $token = &$tokens[$i];
switch ($token) { switch ($token) {
case 'eq': case 'eq':
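Review bot: The added secure-mode check reads `$tokens[$i+1]` on every pass, so on the final token it indexes past the end of `$tokens`; guard it with `isset($tokens[$i+1]) && $tokens[$i+1] == '('`. The condition also treats any token that precedes `(` as a function name, so a grouping parenthesis after an operator such as `and (` would be looked up in `ALLOW_IF_FUNCS` and rejected unless operators are listed there. Running the allow-list test only after the `switch` has ruled out the known operators would avoid that; the switch body continues outside the hunk, so this is inferred. Whether `_syntax_error()` halts compilation is not visible here; if it only reports, the disallowed call is still compiled, so the check should stop processing of the tag. The same lines appear in the third file section (the second `@@ -485,6 +485,12 @@` hunk) and need the same change.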


@@ -2712,12 +2712,10 @@ OUTPUT:
include a trailing slash on your web page fetches where necessary. include a trailing slash on your web page fetches where necessary.
</para> </para>
<para> <para>
TECHNICAL NOTE: This function may be a security concern if you are TECHNICAL NOTE: If template security is turned on and you are
allowing third parties to modify templates. i.e., they can access fetching a file from the local file system, this will only allow
files on your system out side of the template directory. To disable files from within one of the defined secure directories.
this function, <link ($secure_dir)
linkend="api.unregister.function">unregister</link> it in your
application.
</para> </para>
<example> <example>
<title>fetch</title> <title>fetch</title>


@@ -485,6 +485,12 @@ class Smarty_Compiler extends Smarty {
$is_arg_stack = array(); $is_arg_stack = array();
for ($i = 0; $i < count($tokens); $i++) { for ($i = 0; $i < count($tokens); $i++) {
if($this->security && $tokens[$i+1] == '(' && !in_array($tokens[$i],$this->security_settings["ALLOW_IF_FUNCS"])) {
$this->_syntax_error("(secure mode) '".$tokens[$i]."' not allowed in if statement");
}
$token = &$tokens[$i]; $token = &$tokens[$i];
switch ($token) { switch ($token) {
case 'eq': case 'eq':