smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-05 02:44:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

added $smarty->security_settings['ALLOW_CONSTANTS']

Browse Source 
including test-cases for them
This commit is contained in:
messju
2004-09-10 19:15:01 +00:00
parent 54e0324cb2
commit 33adc4573e
4 changed files with 60 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -1,3 +1,7 @@
- add $smarty->security_settings['ALLOW_CONSTANTS']. note: this
defaults to false which means you have to allow them explicitely
in your secured templates from now on! (messju)
Version 2.6.4 (Sept 7, 2004)
----------------------------

3
libs/Smarty.class.php
View File

@@ -231,7 +231,8 @@ class Smarty
'true','false'),
'INCLUDE_ANY' => false,
'PHP_TAGS' => false,
'MODIFIER_FUNCS' => array('count')
'MODIFIER_FUNCS' => array('count'),
'ALLOW_CONSTANTS' => false
);
/**

5
libs/Smarty_Compiler.class.php
View File

@@ -2030,6 +2030,11 @@ class Smarty_Compiler extends Smarty {
break;
case 'const':
if ($this->security && !$this->security_settings['ALLOW_CONSTANTS']) {
$this->_syntax_error("(secure mode) constants not permitted",
E_USER_WARNING, __FILE__, __LINE__);
return;
}
array_shift($indexes);
$_val = $this->_parse_var_props(substr($indexes[0],1));
$compiled_ref = '@constant(' . $_val . ')';

48
unit_test/test_cases.php
View File

@@ -17,10 +17,14 @@ class Obj {
class SmartyTest extends PHPUnit_TestCase {
// contains the object handle of the string class
var $abc;
// contains the last triggered error's errorlevel
var $errorlevel;
// constructor of the test suite
function SmartyTest($name) {
$this->PHPUnit_TestCase($name);
}
// called before the test functions will be executed
// this function is defined in PHPUnit_TestCase and overwritten
// here
@@ -37,6 +41,11 @@ class SmartyTest extends PHPUnit_TestCase {
unset($this->smarty);
}
// dummy errorhandler for functions that are supposed to call trigger_error()
function error_handler($errorlevel) {
if ($errorlevel) $this->errorlevel = $errorlevel;
}
/* DIRECTORY TESTS */
// test that template_dir exists
@@ -215,6 +224,11 @@ class SmartyTest extends PHPUnit_TestCase {
$this->assertTrue(method_exists($this->smarty, '_get_plugin_filepath'));
}
function test_clear_compiled_tpl() {
$this->assertTrue($this->smarty->clear_compiled_tpl());
}
/* DISPLAY TESTS */
// test that display() executes properly
@@ -372,6 +386,38 @@ foo:foo:b', $this->smarty->fetch('assign_obj.tpl'));
}
}
// test constants and security
function test_core_is_secure_function_smarty_var_const() {
define('TEST_CONSTANT', 'test constant');
$this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
null, 'var_const'));
}
function test_core_is_secure_function_smarty_var_const_allowed() {
$security = $this->smarty->security;
$security_settings = $this->smarty->security_settings;
$this->smarty->security_settings['ALLOW_CONSTANTS'] = true;
$this->smarty->security = true;
$this->assertEquals('test constant', $this->smarty->fetch('constant.tpl',
null, 'var_const_allowed'));
$this->smarty->security_settings = $security_settings;
$this->smarty->security = $security;
}
function test_core_is_secure_function_smarty_var_const_not_allowed() {
$security = $this->smarty->security;
$this->smarty->security = true;
/* save old error_handler */
$this->errorlevel = null;
$error_handler = set_error_handler(array(&$this, 'error_handler'));
$this->smarty->fetch('constant.tpl', null, 'var_const_not_allowed');
/* restore old error_handler */
if ($error_handler) set_error_handler($error_handler);
$this->assertEquals( $this->errorlevel, E_USER_WARNING);
$this->smarty->security = $security;
}
}
?>