- bugfix support of script files relative to trusted_dir

2025-08-06 03:14:27 +02:00 · 2010-07-07 22:08:10 +00:00
parent c8f22fe247
commit 396d7aa8a5
4 changed files with 37 additions and 11 deletions
--- a/change_log.txt
+++ b/change_log.txt
@@ -1,5 +1,6 @@
 07/07/2010
 - bugfix the truncate modifier needs to check if the string is utf-8 encoded or not
+- bugfix support of script files relative to trusted_dir

 06/07/2010
 - create exception on recursive {extends} calls
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -159,6 +159,7 @@ class Smarty extends Smarty_Internal_Data {
    public $security_policy = null;
    public $security_handler = null;
    public $direct_access_security = true; 
+    public $trusted_dir = array();
    // debug mode
    public $debugging = false;
    public $debugging_ctrl = 'NONE';
--- a/libs/plugins/modifier.truncate.php
+++ b/libs/plugins/modifier.truncate.php
@@ -48,7 +48,7 @@ function smarty_modifier_truncate($string, $length = 80, $etc = '...',
            } 
        } 
    } 
-    // $string has utf-8 no encoding
+    // $string has no utf-8 encoding
    if (strlen($string) > $length) {
        $length -= min($length, strlen($etc));
        if (!$break_words && !$middle) {
--- a/libs/sysplugins/smarty_internal_compile_insert.php
+++ b/libs/sysplugins/smarty_internal_compile_insert.php
@@ -35,7 +35,6 @@ class Smarty_Internal_Compile_Insert extends Smarty_Internal_CompileBase {
        $_output = '<?php '; 
        // save posible attributes
        eval('$_name = ' . $_attr['name'] . ';');
-        $_function = "insert_{$_name}";
        if (isset($_attr['assign'])) {
            // output will be stored in a smarty variable instead of beind displayed
            $_assign = $_attr['assign']; 
@@ -44,22 +43,47 @@ class Smarty_Internal_Compile_Insert extends Smarty_Internal_CompileBase {
        } 
        if (isset($_attr['script'])) {
            // script which must be included
+            $_function = "smarty_insert_{$_name}";
            $_smarty_tpl = $compiler->template;
+            $_filepath = false;
            eval('$_script = ' . $_attr['script'] . ';');
-            if (!file_exists($_script)) {
-                $this->compiler->trigger_template_error("{insert} missing script file '{$_script}'");
+            if (!$this->compiler->smarty->security && file_exists($_script)) {
+                $_filepath = $_script;
+            } else {
+                if ($this->compiler->smarty->security) {
+                    $_dir = $this->compiler->smarty->security_policy->trusted_dir;
+                } else {
+                    $_dir = $this->compiler->smarty->trusted_dir;
+                } 
+                if (!empty($_dir)) {
+                    foreach((array)$_dir as $_script_dir) {
+                        if (strpos('/\\', substr($_script_dir, -1)) === false) {
+                            $_script_dir .= DS;
+                        } 
+                        if (file_exists($_script_dir . $_script)) {
+                            $_filepath = $_script_dir . $_script;
+                            break;
+                        } 
+                    } 
+                } 
+            } 
+            if ($_filepath == false) {
+                $this->compiler->trigger_template_error("{insert} missing script file '{$_script}'", $this->compiler->lex->taglineno);
            } 
            // code for script file loading
-            $_output .= "require_once '{$_script}' ;";
-            require_once $_script;
+            $_output .= "require_once '{$_filepath}' ;";
+            require_once $_filepath;
            if (!is_callable($_function)) {
-                $this->compiler->trigger_template_error(" {insert} function '{$_name}' is not callable");
+                $this->compiler->trigger_template_error(" {insert} function '{$_function}' is not callable in script file '{$_script}'", $this->compiler->lex->taglineno);
            } 
        } else {
-	$_script = 'null';
+            $_filepath = 'null';
+            $_function = "insert_{$_name}"; 
+            // function in PHP script ?
            if (!is_callable($_function)) {
+                // try plugin
                if (!$_function = $this->compiler->getPlugin($_name, 'insert')) {
-                    $this->compiler->trigger_template_error("{insert} no function or plugin found for '{$_name}'");
+                    $this->compiler->trigger_template_error("{insert} no function or plugin found for '{$_name}'", $this->compiler->lex->taglineno);
                } 
            } 
        } 
@@ -74,14 +98,14 @@ class Smarty_Internal_Compile_Insert extends Smarty_Internal_CompileBase {
        // call insert
        if (isset($_assign)) {
            if ($_smarty_tpl->caching) {
-                $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_script}',{$_assign});?>";
+                $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_filepath}',{$_assign});?>";
            } else {
                $_output .= "\$_smarty_tpl->assign({$_assign} , {$_function} ({$_params},\$_smarty_tpl->smarty,\$_smarty_tpl), true);?>";
            } 
        } else {
            $this->compiler->has_output = true;
            if ($_smarty_tpl->caching) {
-                $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_script}');?>";
+                $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_filepath}');?>";
            } else {
                $_output .= "echo {$_function}({$_params},\$_smarty_tpl->smarty,\$_smarty_tpl);?>";
            }