disallow writing to super globals from within the template. also add ability to disable super global access with security enabled

This commit is contained in:
monte.ohrt
2009-04-30 21:51:19 +00:00
parent e7e01305bd
commit 34cadb491c
2 changed files with 61 additions and 7 deletions


@@ -236,7 +236,8 @@ class Smarty
'INCLUDE_ANY' => false, 'INCLUDE_ANY' => false,
'PHP_TAGS' => false, 'PHP_TAGS' => false,
'MODIFIER_FUNCS' => array('count'), 'MODIFIER_FUNCS' => array('count'),
'ALLOW_CONSTANTS' => false 'ALLOW_CONSTANTS' => false,
'ALLOW_SUPER_GLOBALS' => true
); );
/** /**
@@ -1951,6 +1952,47 @@ class Smarty
} }
} }
/**
* wrapper for super global access
* @return mixed
*/
function _get_super($type,$name)
{
// don't display anything if not allowed
if($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
$this->trigger_error('security error: super global access not allowed');
return false;
}
if(empty($type)||empty($name))
return null;
switch($type) {
case 'get':
return $this->request_use_auto_globals ? $_GET[$name] : $GLOBALS['HTTP_GET_VARS'][$name];
break;
case 'post':
return $this->request_use_auto_globals ? $_POST[$name] : $GLOBALS['HTTP_POST_VARS'][$name];
break;
case 'server':
return $this->request_use_auto_globals ? $_SERVER[$name] : $GLOBALS['HTTP_SERVER_VARS'][$name];
break;
case 'session':
return $this->request_use_auto_globals ? $_SESSION[$name] : $GLOBALS['HTTP_SESSION_VARS'][$name];
break;
case 'request':
return $this->request_use_auto_globals ? $_REQUEST[$name] : $GLOBALS['HTTP_REQUEST_VARS'][$name];
break;
case 'cookies':
return $this->request_use_auto_globals ? $_COOKIE[$name] : $GLOBALS['HTTP_COOKIE_VARS'][$name];
break;
case 'env':
return $this->request_use_auto_globals ? $_ENV[$name] : $GLOBALS['HTTP_ENV_VARS'][$name];
break;
default:
return null;
break;
}
}
/**#@-*/ /**#@-*/
} }
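Review bot: Every `return` in the `switch` of `_get_super` indexes the superglobal (or the `HTTP_*_VARS` array) without an `isset` check, so a template that reads a key that was not sent emits an "Undefined index" notice, and `$_SESSION`/`HTTP_SESSION_VARS` is not even defined when no session has been started; the lookup should be guarded so a missing key yields `null` quietly. The `empty($name)` test on the line above also rejects the legitimate key `"0"`, where `$name === ''` would be the intended check. Since the seven cases differ only in the array name, a small type-to-array table with a single guarded return is shorter and keeps the ALLOW_SUPER_GLOBALS check unchanged. A related point outside this hunk, hedged because the parser is not visible: the compiler side interpolates the stripped index token straight into a single-quoted literal in the generated code (`'$_ref_val'`), so if that token can ever carry a quote or backslash it needs escaping before being emitted.
```php
function _get_super($type,$name)
{
    // … unchanged: ALLOW_SUPER_GLOBALS security check …
    if(empty($type) || $name === '')
        return null;
    // template type => auto-global name (legacy HTTP_*_VARS derived from it)
    $_arrays = array('get' => '_GET', 'post' => '_POST', 'server' => '_SERVER',
                     'session' => '_SESSION', 'request' => '_REQUEST',
                     'cookies' => '_COOKIE', 'env' => '_ENV');
    if(!isset($_arrays[$type]))
        return null;
    $_key = $this->request_use_auto_globals
        ? $_arrays[$type]
        : 'HTTP' . $_arrays[$type] . '_VARS';
    // missing key (or no session started) yields null instead of a notice
    return isset($GLOBALS[$_key][$name]) ? $GLOBALS[$_key][$name] : null;
}
```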


@@ -2047,27 +2047,39 @@ class Smarty_Compiler extends Smarty {
break; break;
case 'get': case 'get':
$compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('get','$_ref_val')";
array_shift($indexes);
break; break;
case 'post': case 'post':
$compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('post','$_ref_val')";
array_shift($indexes);
break; break;
case 'cookies': case 'cookies':
$compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('cookies','$_ref_val')";
array_shift($indexes);
break; break;
case 'env': case 'env':
$compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('env','$_ref_val')";
array_shift($indexes);
break; break;
case 'server': case 'server':
$compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('server','$_ref_val')";
array_shift($indexes);
break; break;
case 'session': case 'session':
$compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']"; $_ref_val = substr($indexes[1], 1);
$compiled_ref = "\$this->_get_super('session','$_ref_val')";
array_shift($indexes);
break; break;
/* /*