added $smarty->security_settings['ALLOW_CONSTANTS']
including test-cases for them
4
NEWS
4
NEWS
@@ -1,3 +1,7 @@
|
|||||||
|
- add $smarty->security_settings['ALLOW_CONSTANTS']. note: this
|
||||||
|
defaults to false which means you have to allow them explicitely
|
||||||
|
in your secured templates from now on! (messju)
|
||||||
|
|
||||||
Version 2.6.4 (Sept 7, 2004)
|
Version 2.6.4 (Sept 7, 2004)
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
|
@@ -231,7 +231,8 @@ class Smarty
|
|||||||
'true','false'),
|
'true','false'),
|
||||||
'INCLUDE_ANY' => false,
|
'INCLUDE_ANY' => false,
|
||||||
'PHP_TAGS' => false,
|
'PHP_TAGS' => false,
|
||||||
'MODIFIER_FUNCS' => array('count')
|
'MODIFIER_FUNCS' => array('count'),
|
||||||
|
'ALLOW_CONSTANTS' => false
|
||||||
);
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
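Review bot: The new `'ALLOW_CONSTANTS' => false` entry has no comment, although it is the one key in this hunk whose default changes what existing secured templates may do. A line such as `// whether {$smarty.const.NAME} may be used while $security is on` beside it would tell integrators why constant references now raise a warning. If the array's docblock, which sits outside this hunk, lists the keys, the new key belongs there as well.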
@@ -2030,6 +2030,11 @@ class Smarty_Compiler extends Smarty {
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 'const':
|
case 'const':
|
||||||
|
if ($this->security && !$this->security_settings['ALLOW_CONSTANTS']) {
|
||||||
|
$this->_syntax_error("(secure mode) constants not permitted",
|
||||||
|
E_USER_WARNING, __FILE__, __LINE__);
|
||||||
|
return;
|
||||||
|
}
|
||||||
array_shift($indexes);
|
array_shift($indexes);
|
||||||
$_val = $this->_parse_var_props(substr($indexes[0],1));
|
$_val = $this->_parse_var_props(substr($indexes[0],1));
|
||||||
$compiled_ref = '@constant(' . $_val . ')';
|
$compiled_ref = '@constant(' . $_val . ')';
|
||||||
|
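Review bot: The new guard in `case 'const':` reads `$this->security_settings['ALLOW_CONSTANTS']` directly, so an application that assigns its own complete `security_settings` array without the new key gets an undefined-index notice on every `$smarty.const` reference. The result still fails closed, but `if ($this->security && empty($this->security_settings['ALLOW_CONSTANTS'])) {` denies the same cases without the notice. The switch is also all-or-nothing: once it is true, a secured template can read every constant the process defines, which may include configuration values the application never meant template authors to see. A list of permitted names, in the style of the existing `MODIFIER_FUNCS` list, would follow least privilege more closely. The enclosing function starts and ends outside this hunk, so what the caller does with the bare `return;` is not visible here.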
@@ -17,10 +17,14 @@ class Obj {
|
|||||||
class SmartyTest extends PHPUnit_TestCase {
|
class SmartyTest extends PHPUnit_TestCase {
|
||||||
// contains the object handle of the string class
|
// contains the object handle of the string class
|
||||||
var $abc;
|
var $abc;
|
||||||
|
// contains the last triggered error's errorlevel
|
||||||
|
var $errorlevel;
|
||||||
|
|
||||||
// constructor of the test suite
|
// constructor of the test suite
|
||||||
function SmartyTest($name) {
|
function SmartyTest($name) {
|
||||||
$this->PHPUnit_TestCase($name);
|
$this->PHPUnit_TestCase($name);
|
||||||
}
|
}
|
||||||
|
|
||||||
// called before the test functions will be executed
|
// called before the test functions will be executed
|
||||||
// this function is defined in PHPUnit_TestCase and overwritten
|
// this function is defined in PHPUnit_TestCase and overwritten
|
||||||
// here
|
// here
|
||||||
@@ -37,6 +41,11 @@ class SmartyTest extends PHPUnit_TestCase {
|
|||||||
unset($this->smarty);
|
unset($this->smarty);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// dummy errorhandler for functions that are supposed to call trigger_error()
|
||||||
|
function error_handler($errorlevel) {
|
||||||
|
if ($errorlevel) $this->errorlevel = $errorlevel;
|
||||||
|
}
|
||||||
|
|
||||||
/* DIRECTORY TESTS */
|
/* DIRECTORY TESTS */
|
||||||
|
|
||||||
// test that template_dir exists
|
// test that template_dir exists
|
||||||
@@ -215,6 +224,11 @@ class SmartyTest extends PHPUnit_TestCase {
|
|||||||
$this->assertTrue(method_exists($this->smarty, '_get_plugin_filepath'));
|
$this->assertTrue(method_exists($this->smarty, '_get_plugin_filepath'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function test_clear_compiled_tpl() {
|
||||||
|
$this->assertTrue($this->smarty->clear_compiled_tpl());
|
||||||
|
}
|
||||||
|
|
||||||
/* DISPLAY TESTS */
|
/* DISPLAY TESTS */
|
||||||
|
|
||||||
// test that display() executes properly
|
// test that display() executes properly
|
||||||
@@ -372,6 +386,38 @@ foo:foo:b', $this->smarty->fetch('assign_obj.tpl'));
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// test constants and security
|
||||||
|
function test_core_is_secure_function_smarty_var_const() {
|
||||||
|
define('TEST_CONSTANT', 'test constant');
|
||||||
|
$this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
|
||||||
|
null, 'var_const'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function test_core_is_secure_function_smarty_var_const_allowed() {
|
||||||
|
$security = $this->smarty->security;
|
||||||
|
$security_settings = $this->smarty->security_settings;
|
||||||
|
$this->smarty->security_settings['ALLOW_CONSTANTS'] = true;
|
||||||
|
$this->smarty->security = true;
|
||||||
|
$this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
|
||||||
|
null, 'var_const_allowed'));
|
||||||
|
$this->smarty->security_settings = $security_settings;
|
||||||
|
$this->smarty->security = $security;
|
||||||
|
}
|
||||||
|
|
||||||
|
function test_core_is_secure_function_smarty_var_const_not_allowed() {
|
||||||
|
$security = $this->smarty->security;
|
||||||
|
$this->smarty->security = true;
|
||||||
|
/* save old error_handler */
|
||||||
|
$this->errorlevel = null;
|
||||||
|
$error_handler = set_error_handler(array(&$this, 'error_handler'));
|
||||||
|
$this->smarty->fetch('constant.tpl', null, 'var_const_not_allowed');
|
||||||
|
/* restore old error_handler */
|
||||||
|
if ($error_handler) set_error_handler($error_handler);
|
||||||
|
|
||||||
|
$this->assertEquals( $this->errorlevel, E_USER_WARNING);
|
||||||
|
$this->smarty->security = $security;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
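Review bot: In `test_core_is_secure_function_smarty_var_const_not_allowed` the handler is put back with `if ($error_handler) set_error_handler($error_handler);`, so when no handler was installed before the test, the dummy `error_handler` stays registered and silently absorbs errors raised by every later test. Calling `restore_error_handler();` undoes the `set_error_handler()` call in both cases. The test also discards the result of `fetch()` and checks only the error level, so it would still pass if the compiled template printed the constant after warning; keeping the output and adding `$this->assertTrue(strpos($output, 'test constant') === false);` pins the property that matters in secure mode. Both the `_allowed` and `_not_allowed` tests rely on `TEST_CONSTANT` having been defined by the earlier `test_core_is_secure_function_smarty_var_const`, so they depend on execution order.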