disallow writing to super globals from within the template. also add ability to disable super global access with security enabled
@@ -236,7 +236,8 @@ class Smarty
|
||||
'INCLUDE_ANY' => false,
|
||||
'PHP_TAGS' => false,
|
||||
'MODIFIER_FUNCS' => array('count'),
|
||||
'ALLOW_CONSTANTS' => false
|
||||
'ALLOW_CONSTANTS' => false,
|
||||
'ALLOW_SUPER_GLOBALS' => true
|
||||
);
|
||||
|
||||
/**
|
||||
@@ -1950,6 +1951,47 @@ class Smarty
|
||||
return $function;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* wrapper for super global access
|
||||
* @return mixed
|
||||
*/
|
||||
function _get_super($type,$name)
|
||||
{
|
||||
// don't display anything if not allowed
|
||||
if($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
|
||||
$this->trigger_error('security error: super global access not allowed');
|
||||
return false;
|
||||
}
|
||||
if(empty($type)||empty($name))
|
||||
return null;
|
||||
switch($type) {
|
||||
case 'get':
|
||||
return $this->request_use_auto_globals ? $_GET[$name] : $GLOBALS['HTTP_GET_VARS'][$name];
|
||||
break;
|
||||
case 'post':
|
||||
return $this->request_use_auto_globals ? $_POST[$name] : $GLOBALS['HTTP_POST_VARS'][$name];
|
||||
break;
|
||||
case 'server':
|
||||
return $this->request_use_auto_globals ? $_SERVER[$name] : $GLOBALS['HTTP_SERVER_VARS'][$name];
|
||||
break;
|
||||
case 'session':
|
||||
return $this->request_use_auto_globals ? $_SESSION[$name] : $GLOBALS['HTTP_SESSION_VARS'][$name];
|
||||
break;
|
||||
case 'request':
|
||||
return $this->request_use_auto_globals ? $_REQUEST[$name] : $GLOBALS['HTTP_REQUEST_VARS'][$name];
|
||||
break;
|
||||
case 'cookies':
|
||||
return $this->request_use_auto_globals ? $_COOKIE[$name] : $GLOBALS['HTTP_COOKIE_VARS'][$name];
|
||||
break;
|
||||
case 'env':
|
||||
return $this->request_use_auto_globals ? $_ENV[$name] : $GLOBALS['HTTP_ENV_VARS'][$name];
|
||||
break;
|
||||
default:
|
||||
return null;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/**#@-*/
|
||||
|
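Review bot: The security gate at the top of `_get_super` indexes `security_settings['ALLOW_SUPER_GLOBALS']` directly, so an application that overrides `$smarty->security_settings` with its own array written before this change gets an undefined-index notice on every super-global read (the access is then refused because `!null` is true, which is the safe outcome, but the notice is noise). An `empty()` check stays fail-closed without the notice: `if($this->security && empty($this->security_settings['ALLOW_SUPER_GLOBALS'])) {`. The defaults hunk ships `'ALLOW_SUPER_GLOBALS' => true`, so turning on `$security` alone still exposes `$_SERVER`, `$_ENV`, `$_SESSION` and `$_COOKIE` to templates, and the docblock should say so rather than just "wrapper for super global access", e.g. `* Reads one super global key for a template; refused with a security error when $security is on and ALLOW_SUPER_GLOBALS is false (the default is true).` Also, `empty($name)` rejects the key `0`/`"0"`, which a direct `$_GET['0']` served before; `$name === ''` is the narrower test if that matters.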
||||
|
@@ -2047,27 +2047,39 @@ class Smarty_Compiler extends Smarty {
|
||||
break;
|
||||
|
||||
case 'get':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('get','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
case 'post':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('post','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
case 'cookies':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('cookies','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
case 'env':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('env','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
case 'server':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('server','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
case 'session':
|
||||
$compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']";
|
||||
$_ref_val = substr($indexes[1], 1);
|
||||
$compiled_ref = "\$this->_get_super('session','$_ref_val')";
|
||||
array_shift($indexes);
|
||||
break;
|
||||
|
||||
/*
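Review bot: In each of the six `case` arms, `$_ref_val` is spliced into the generated PHP as a single-quoted literal (`\$this->_get_super('get','$_ref_val')`) with no escaping, so whatever `substr($indexes[1], 1)` yields lands in compiled template source verbatim — a quote or backslash in the index would at best break the compiled file and at worst let template text smuggle PHP past the `PHP_TAGS` restriction this wrapper is meant to support. Emit the literal through `var_export` instead, e.g. `$compiled_ref = "\$this->_get_super('get'," . var_export($_ref_val, true) . ")";`, and likewise in the other five arms. Whether a quote can actually reach here depends on how the indexes are tokenized further up the compiler, which is outside the hunk, but the code generator should not rely on that. The `array_shift($indexes)` also consumes only one index: if the tokenizer still delivers bracket forms like `[foo]` or `[$var]` for `$smarty.get[...]`, `substr(..., 1)` leaves the closing `]` in the name and a `$var` index becomes the literal string `$var]` rather than the runtime lookup the old bare `$_GET` reference supported — worth a test before merging. The enclosing switch and its method begin and end outside this hunk.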
|
||||
|