smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-11-03 22:01:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

- added Smarty_Security::isTrustedUri() and Smarty_Security::$trusted_uri to validate remote resource calls through {fetch} and {html_image} (Forum Topic 20627)

Browse Source
This commit is contained in:
rodneyrehm
2011-12-18 22:21:49 +00:00
parent df60ed94fa
commit 2c25a64dd3
4 changed files with 236 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

340
libs/plugins/function.fetch.php
View File

@@ -26,188 +26,186 @@ function smarty_function_fetch($params, $template)
trigger_error("[plugin] fetch parameter 'file' cannot be empty",E_USER_NOTICE);
return;
}
// strip file protocol
if (stripos($params['file'], 'file://') === 0) {
$params['file'] = substr($params['file'], 7);
}
$protocol = strpos($params['file'], '://');
if ($protocol !== false) {
$protocol = strtolower(substr($params['file'], 0, $protocol));
}
if (isset($template->smarty->security_policy)) {
if ($protocol) {
// remote resource (or php stream, …)
if(!$template->smarty->security_policy->isTrustedUri($params['file'])) {
return;
}
} else {
// local file
if(!$template->smarty->security_policy->isTrustedResourceDir($params['file'])) {
return;
}
}
}
$content = '';
if (isset($template->smarty->security_policy) && !preg_match('!^(http|ftp)://!i', $params['file'])) {
if(!$template->smarty->security_policy->isTrustedResourceDir($params['file'])) {
return;
}
// fetch the file
if($fp = @fopen($params['file'],'r')) {
while(!feof($fp)) {
$content .= fgets ($fp,4096);
if ($protocol == 'http') {
// http fetch
if($uri_parts = parse_url($params['file'])) {
// set defaults
$host = $server_name = $uri_parts['host'];
$timeout = 30;
$accept = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*";
$agent = "Smarty Template Engine ". Smarty::SMARTY_VERSION;
$referer = "";
$uri = !empty($uri_parts['path']) ? $uri_parts['path'] : '/';
$uri .= !empty($uri_parts['query']) ? '?' . $uri_parts['query'] : '';
$_is_proxy = false;
if(empty($uri_parts['port'])) {
$port = 80;
} else {
$port = $uri_parts['port'];
}
if(!empty($uri_parts['user'])) {
$user = $uri_parts['user'];
}
if(!empty($uri_parts['pass'])) {
$pass = $uri_parts['pass'];
}
// loop through parameters, setup headers
foreach($params as $param_key => $param_value) {
switch($param_key) {
case "file":
case "assign":
case "assign_headers":
break;
case "user":
if(!empty($param_value)) {
$user = $param_value;
}
break;
case "pass":
if(!empty($param_value)) {
$pass = $param_value;
}
break;
case "accept":
if(!empty($param_value)) {
$accept = $param_value;
}
break;
case "header":
if(!empty($param_value)) {
if(!preg_match('![\w\d-]+: .+!',$param_value)) {
trigger_error("[plugin] invalid header format '".$param_value."'",E_USER_NOTICE);
return;
} else {
$extra_headers[] = $param_value;
}
}
break;
case "proxy_host":
if(!empty($param_value)) {
$proxy_host = $param_value;
}
break;
case "proxy_port":
if(!preg_match('!\D!', $param_value)) {
$proxy_port = (int) $param_value;
} else {
trigger_error("[plugin] invalid value for attribute '".$param_key."'",E_USER_NOTICE);
return;
}
break;
case "agent":
if(!empty($param_value)) {
$agent = $param_value;
}
break;
case "referer":
if(!empty($param_value)) {
$referer = $param_value;
}
break;
case "timeout":
if(!preg_match('!\D!', $param_value)) {
$timeout = (int) $param_value;
} else {
trigger_error("[plugin] invalid value for attribute '".$param_key."'",E_USER_NOTICE);
return;
}
break;
default:
trigger_error("[plugin] unrecognized attribute '".$param_key."'",E_USER_NOTICE);
return;
}
}
if(!empty($proxy_host) && !empty($proxy_port)) {
$_is_proxy = true;
$fp = fsockopen($proxy_host,$proxy_port,$errno,$errstr,$timeout);
} else {
$fp = fsockopen($server_name,$port,$errno,$errstr,$timeout);
}
if(!$fp) {
trigger_error("[plugin] unable to fetch: $errstr ($errno)",E_USER_NOTICE);
return;
} else {
if($_is_proxy) {
fputs($fp, 'GET ' . $params['file'] . " HTTP/1.0\r\n");
} else {
fputs($fp, "GET $uri HTTP/1.0\r\n");
}
if(!empty($host)) {
fputs($fp, "Host: $host\r\n");
}
if(!empty($accept)) {
fputs($fp, "Accept: $accept\r\n");
}
if(!empty($agent)) {
fputs($fp, "User-Agent: $agent\r\n");
}
if(!empty($referer)) {
fputs($fp, "Referer: $referer\r\n");
}
if(isset($extra_headers) && is_array($extra_headers)) {
foreach($extra_headers as $curr_header) {
fputs($fp, $curr_header."\r\n");
}
}
if(!empty($user) && !empty($pass)) {
fputs($fp, "Authorization: BASIC ".base64_encode("$user:$pass")."\r\n");
}
fputs($fp, "\r\n");
while(!feof($fp)) {
$content .= fgets($fp,4096);
}
fclose($fp);
$csplit = preg_split("!\r\n\r\n!",$content,2);
$content = $csplit[1];
if(!empty($params['assign_headers'])) {
$template->assign($params['assign_headers'],preg_split("!\r\n!",$csplit[0]));
}
}
fclose($fp);
} else {
trigger_error('[plugin] fetch cannot read file \'' . $params['file'] . '\'',E_USER_NOTICE);
trigger_error("[plugin fetch] unable to parse URL, check syntax",E_USER_NOTICE);
return;
}
} else {
// not a local file
if(preg_match('!^http://!i',$params['file'])) {
// http fetch
if($uri_parts = parse_url($params['file'])) {
// set defaults
$host = $server_name = $uri_parts['host'];
$timeout = 30;
$accept = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*";
$agent = "Smarty Template Engine ". Smarty::SMARTY_VERSION;
$referer = "";
$uri = !empty($uri_parts['path']) ? $uri_parts['path'] : '/';
$uri .= !empty($uri_parts['query']) ? '?' . $uri_parts['query'] : '';
$_is_proxy = false;
if(empty($uri_parts['port'])) {
$port = 80;
} else {
$port = $uri_parts['port'];
}
if(!empty($uri_parts['user'])) {
$user = $uri_parts['user'];
}
if(!empty($uri_parts['pass'])) {
$pass = $uri_parts['pass'];
}
// loop through parameters, setup headers
foreach($params as $param_key => $param_value) {
switch($param_key) {
case "file":
case "assign":
case "assign_headers":
break;
case "user":
if(!empty($param_value)) {
$user = $param_value;
}
break;
case "pass":
if(!empty($param_value)) {
$pass = $param_value;
}
break;
case "accept":
if(!empty($param_value)) {
$accept = $param_value;
}
break;
case "header":
if(!empty($param_value)) {
if(!preg_match('![\w\d-]+: .+!',$param_value)) {
trigger_error("[plugin] invalid header format '".$param_value."'",E_USER_NOTICE);
return;
} else {
$extra_headers[] = $param_value;
}
}
break;
case "proxy_host":
if(!empty($param_value)) {
$proxy_host = $param_value;
}
break;
case "proxy_port":
if(!preg_match('!\D!', $param_value)) {
$proxy_port = (int) $param_value;
} else {
trigger_error("[plugin] invalid value for attribute '".$param_key."'",E_USER_NOTICE);
return;
}
break;
case "agent":
if(!empty($param_value)) {
$agent = $param_value;
}
break;
case "referer":
if(!empty($param_value)) {
$referer = $param_value;
}
break;
case "timeout":
if(!preg_match('!\D!', $param_value)) {
$timeout = (int) $param_value;
} else {
trigger_error("[plugin] invalid value for attribute '".$param_key."'",E_USER_NOTICE);
return;
}
break;
default:
trigger_error("[plugin] unrecognized attribute '".$param_key."'",E_USER_NOTICE);
return;
}
}
if(!empty($proxy_host) && !empty($proxy_port)) {
$_is_proxy = true;
$fp = fsockopen($proxy_host,$proxy_port,$errno,$errstr,$timeout);
} else {
$fp = fsockopen($server_name,$port,$errno,$errstr,$timeout);
}
if(!$fp) {
trigger_error("[plugin] unable to fetch: $errstr ($errno)",E_USER_NOTICE);
return;
} else {
if($_is_proxy) {
fputs($fp, 'GET ' . $params['file'] . " HTTP/1.0\r\n");
} else {
fputs($fp, "GET $uri HTTP/1.0\r\n");
}
if(!empty($host)) {
fputs($fp, "Host: $host\r\n");
}
if(!empty($accept)) {
fputs($fp, "Accept: $accept\r\n");
}
if(!empty($agent)) {
fputs($fp, "User-Agent: $agent\r\n");
}
if(!empty($referer)) {
fputs($fp, "Referer: $referer\r\n");
}
if(isset($extra_headers) && is_array($extra_headers)) {
foreach($extra_headers as $curr_header) {
fputs($fp, $curr_header."\r\n");
}
}
if(!empty($user) && !empty($pass)) {
fputs($fp, "Authorization: BASIC ".base64_encode("$user:$pass")."\r\n");
}
fputs($fp, "\r\n");
while(!feof($fp)) {
$content .= fgets($fp,4096);
}
fclose($fp);
$csplit = preg_split("!\r\n\r\n!",$content,2);
$content = $csplit[1];
if(!empty($params['assign_headers'])) {
$template->assign($params['assign_headers'],preg_split("!\r\n!",$csplit[0]));
}
}
} else {
trigger_error("[plugin fetch] unable to parse URL, check syntax",E_USER_NOTICE);
return;
}
} else {
// ftp fetch
if($fp = @fopen($params['file'],'r')) {
while(!feof($fp)) {
$content .= fgets ($fp,4096);
}
fclose($fp);
} else {
trigger_error('[plugin] fetch cannot read file \'' . $params['file'] .'\'',E_USER_NOTICE);
return;
}
$content = @file_get_contents($params['file']);
if ($content === false) {
throw new SmartyException("{fetch} cannot read resource '" . $params['file'] ."'");
}
}
if (!empty($params['assign'])) {
$template->assign($params['assign'],$content);
$template->assign($params['assign'], $content);
} else {
return $content;
}

43
libs/plugins/function.html_image.php
View File

@@ -46,8 +46,7 @@ function smarty_function_html_image($params, $template)
$prefix = '';
$suffix = '';
$path_prefix = '';
$server_vars = $_SERVER;
$basedir = isset($server_vars['DOCUMENT_ROOT']) ? $server_vars['DOCUMENT_ROOT'] : '';
$basedir = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
foreach($params as $_key => $_val) {
switch ($_key) {
case 'file':
@@ -88,13 +87,38 @@ function smarty_function_html_image($params, $template)
return;
}
if (substr($file, 0, 1) == '/') {
if ($file[0] == '/') {
$_image_path = $basedir . $file;
} else {
$_image_path = $file;
}
}
// strip file protocol
if (stripos($params['file'], 'file://') === 0) {
$params['file'] = substr($params['file'], 7);
}
$protocol = strpos($params['file'], '://');
if ($protocol !== false) {
$protocol = strtolower(substr($params['file'], 0, $protocol));
}
if (isset($template->smarty->security_policy)) {
if ($protocol) {
// remote resource (or php stream, …)
if(!$template->smarty->security_policy->isTrustedUri($params['file'])) {
return;
}
} else {
// local file
if(!$template->smarty->security_policy->isTrustedResourceDir($params['file'])) {
return;
}
}
}
if (!isset($params['width']) || !isset($params['height'])) {
// FIXME: (rodneyrehm) getimagesize() loads the complete file off a remote resource, use custom [jpg,png,gif]header reader!
if (!$_image_data = @getimagesize($_image_path)) {
if (!file_exists($_image_path)) {
trigger_error("html_image: unable to find '$_image_path'", E_USER_NOTICE);
@@ -106,12 +130,7 @@ function smarty_function_html_image($params, $template)
trigger_error("html_image: '$_image_path' is not a valid image file", E_USER_NOTICE);
return;
}
}
if (isset($template->smarty->security_policy)) {
if (!$template->smarty->security_policy->isTrustedResourceDir($_image_path)) {
return;
}
}
}
if (!isset($params['width'])) {
$width = $_image_data[0];
@@ -122,7 +141,9 @@ function smarty_function_html_image($params, $template)
}
if (isset($params['dpi'])) {
if (strstr($server_vars['HTTP_USER_AGENT'], 'Mac')) {
if (strstr($_SERVER['HTTP_USER_AGENT'], 'Mac')) {
// FIXME: (rodneyrehm) wrong dpi assumption
// don't know who thought this up… even if it was true in 1998, it's definitely wrong in 2011.
$dpi_default = 72;
} else {
$dpi_default = 96;