From 33adc4573ea7eba04b8e973ce635c918e3241842 Mon Sep 17 00:00:00 2001
From: messju
Date: Fri, 10 Sep 2004 19:15:01 +0000
Subject: [PATCH] added $smarty->security_settings['ALLOW_CONSTANTS'] including test-cases for them

---
 NEWS | 4 +++
 libs/Smarty.class.php | 3 +-
 libs/Smarty_Compiler.class.php | 5 ++++
 unit_test/test_cases.php | 52 ++++++++++++++++++++++++++++++++--
 4 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 338393d4..fe5be220 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+ - add $smarty->security_settings['ALLOW_CONSTANTS']. note: this
+ defaults to false which means you have to allow them explicitely
+ in your secured templates from now on! (messju)
+
 Version 2.6.4 (Sept 7, 2004)
 ----------------------------
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index f7e92f15..6a909300 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -231,7 +231,8 @@ class Smarty
 'true','false'),
 'INCLUDE_ANY' => false,
 'PHP_TAGS' => false,
-'MODIFIER_FUNCS' => array('count')
+'MODIFIER_FUNCS' => array('count'),
+'ALLOW_CONSTANTS' => false
 );
 /**
diff --git a/libs/Smarty_Compiler.class.php b/libs/Smarty_Compiler.class.php
index 573819bb..73fd15f0 100644
--- a/libs/Smarty_Compiler.class.php
+++ b/libs/Smarty_Compiler.class.php
@@ -2030,6 +2030,11 @@ class Smarty_Compiler extends Smarty {
 break;
 case 'const':
+ if ($this->security && !$this->security_settings['ALLOW_CONSTANTS']) {
+ $this->_syntax_error("(secure mode) constants not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
 array_shift($indexes);
 $_val = $this->_parse_var_props(substr($indexes[0],1));
 $compiled_ref = '@constant(' . $_val . ')';
diff --git a/unit_test/test_cases.php b/unit_test/test_cases.php
index f74facaf..3a785656 100644
--- a/unit_test/test_cases.php
+++ b/unit_test/test_cases.php
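Review bot: The new guard in the `case 'const':` branch of Smarty_Compiler.class.php indexes `$this->security_settings['ALLOW_CONSTANTS']` directly, so an application that replaced the whole `security_settings` array before this key existed gets an undefined-index notice on each such reference; because `!null` is true the reference is still refused, so the behaviour is fail-closed, which is the right direction. `if ($this->security && empty($this->security_settings['ALLOW_CONSTANTS'])) {` keeps that fail-closed result without the notice. The refusal is reported through `_syntax_error` at E_USER_WARNING followed by a bare `return`, so if warnings are suppressed or swallowed by an error handler the compile continues with nothing emitted for this reference; whether the caller tolerates that is not visible in the hunk. The enclosing method starts and ends outside the hunk.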
@@ -14,13 +14,17 @@ class Obj {
 }
-class SmartyTest extends PHPUnit_TestCase {
+class SmartyTest extends PHPUnit_TestCase {
 // contains the object handle of the string class
 var $abc;
+ // contains the last triggered error's errorlevel
+ var $errorlevel;
+
 // constructor of the test suite
 function SmartyTest($name) {
 $this->PHPUnit_TestCase($name);
 }
+
 // called before the test functions will be executed
 // this function is defined in PHPUnit_TestCase and overwritten
 // here
@@ -37,6 +41,11 @@ class SmartyTest extends PHPUnit_TestCase {
 unset($this->smarty);
 }
+ // dummy errorhandler for functions that are supposed to call trigger_error()
+ function error_handler($errorlevel) {
+ if ($errorlevel) $this->errorlevel = $errorlevel;
+ }
+
 /* DIRECTORY TESTS */
 // test that template_dir exists
@@ -214,6 +223,11 @@ class SmartyTest extends PHPUnit_TestCase {
 function test_get_plugin_filepath() {
 $this->assertTrue(method_exists($this->smarty, '_get_plugin_filepath'));
 }
+
+
+ function test_clear_compiled_tpl() {
+ $this->assertTrue($this->smarty->clear_compiled_tpl());
+ }
 /* DISPLAY TESTS */
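Review bot: error_handler in the second hunk overwrites `$this->errorlevel` on every call, so a test that reads it afterwards sees the level of whichever error fired last during the fetch, not necessarily the E_USER_WARNING it is waiting for; a notice raised after the expected warning in the same fetch would make an exact-level assertion fail for the wrong reason. Keeping every level, e.g. `var $errorlevels = array();` in the class and `$this->errorlevels[] = $errorlevel;` in the handler, lets a test assert that the warning was among the errors seen. The `if ($errorlevel)` guard never filters anything, since PHP passes a non-zero E_* level to the handler on every call. The comment above the method could also say that all errors, not only those from trigger_error(), are captured while the handler is installed.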
@@ -371,7 +385,39 @@ foo:foo:b', $this->smarty->fetch('assign_obj.tpl'));
 $this->smarty->security = $security;
 }
-
-
 }
+
+ // test constants and security
+ function test_core_is_secure_function_smarty_var_const() {
+ define('TEST_CONSTANT', 'test constant');
+ $this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
+ null, 'var_const'));
+ }
+
+ function test_core_is_secure_function_smarty_var_const_allowed() {
+ $security = $this->smarty->security;
+ $security_settings = $this->smarty->security_settings;
+ $this->smarty->security_settings['ALLOW_CONSTANTS'] = true;
+ $this->smarty->security = true;
+ $this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
+ null, 'var_const_allowed'));
+ $this->smarty->security_settings = $security_settings;
+ $this->smarty->security = $security;
+ }
+
+ function test_core_is_secure_function_smarty_var_const_not_allowed() {
+ $security = $this->smarty->security;
+ $this->smarty->security = true;
+ /* save old error_handler */
+ $this->errorlevel = null;
+ $error_handler = set_error_handler(array(&$this, 'error_handler'));
+ $this->smarty->fetch('constant.tpl', null, 'var_const_not_allowed');
+ /* restore old error_handler */
+ if ($error_handler) set_error_handler($error_handler);
+
+ $this->assertEquals( $this->errorlevel, E_USER_WARNING);
+ $this->smarty->security = $security;
+ }
+
+}
 ?>
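Review bot: test_core_is_secure_function_smarty_var_const_not_allowed only puts the previous handler back when `set_error_handler()` returned one; if no handler was installed before, `$error_handler` is empty and the test's error_handler stays installed for every later test, absorbing their errors instead of letting them surface. An unconditional `restore_error_handler();` in place of `if ($error_handler) set_error_handler($error_handler);` undoes the installation in both cases. `$this->assertEquals( $this->errorlevel, E_USER_WARNING)` also reverses the (expected, actual) order used by the other assertEquals calls in the hunk, so a failure message would read backwards. Separately, only the first of the three new tests calls `define('TEST_CONSTANT', 'test constant')`, so the expected output of the `_allowed` test depends on that test having run earlier in the same process; `defined('TEST_CONSTANT') || define('TEST_CONSTANT', 'test constant');` in each test that needs the constant removes the ordering dependency.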