From 396d7aa8a5f7b584a5a1370f45c2ba3d4cde5039 Mon Sep 17 00:00:00 2001
From: "Uwe.Tews"
Date: Wed, 7 Jul 2010 22:08:10 +0000
Subject: [PATCH] - bugfix support of script files relative to trusted_dir
---
 change_log.txt | 1 +
 libs/Smarty.class.php | 1 +
 libs/plugins/modifier.truncate.php | 2 +-
 .../smarty_internal_compile_insert.php | 44 ++++++++++++++-----
 4 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/change_log.txt b/change_log.txt
index eb9ae648..37aaa80c 100644
--- a/change_log.txt
+++ b/change_log.txt
@@ -1,5 +1,6 @@
 07/07/2010
 - bugfix the truncate modifier needs to check if the string is utf-8 encoded or not
+- bugfix support of script files relative to trusted_dir
 06/07/2010
 - create exception on recursive {extends} calls
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index e6b41971..c267d8bf 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -159,6 +159,7 @@ class Smarty extends Smarty_Internal_Data {
 public $security_policy = null;
 public $security_handler = null;
 public $direct_access_security = true;
+ public $trusted_dir = array();
 // debug mode
 public $debugging = false;
 public $debugging_ctrl = 'NONE';
diff --git a/libs/plugins/modifier.truncate.php b/libs/plugins/modifier.truncate.php
index af963074..ead4ec5b 100644
--- a/libs/plugins/modifier.truncate.php
+++ b/libs/plugins/modifier.truncate.php
@@ -48,7 +48,7 @@ function smarty_modifier_truncate($string, $length = 80, $etc = '...',
 }
 }
 }
- // $string has utf-8 no encoding
+ // $string has no utf-8 encoding
 if (strlen($string) > $length) {
 $length -= min($length, strlen($etc));
 if (!$break_words && !$middle) {
diff --git a/libs/sysplugins/smarty_internal_compile_insert.php b/libs/sysplugins/smarty_internal_compile_insert.php
index d90a9f29..ae491002 100644
--- a/libs/sysplugins/smarty_internal_compile_insert.php
+++ b/libs/sysplugins/smarty_internal_compile_insert.php
@@ -35,7 +35,6 @@ class Smarty_Internal_Compile_Insert extends Smarty_Internal_CompileBase { $_output = 'template; + $_filepath = false; eval('$_script = ' . $_attr['script'] . ';'); - if (!file_exists($_script)) { - $this->compiler->trigger_template_error("{insert} missing script file '{$_script}'"); + if (!$this->compiler->smarty->security && file_exists($_script)) { + $_filepath = $_script; + } else { + if ($this->compiler->smarty->security) { + $_dir = $this->compiler->smarty->security_policy->trusted_dir; + } else { + $_dir = $this->compiler->smarty->trusted_dir; + } + if (!empty($_dir)) { + foreach((array)$_dir as $_script_dir) { + if (strpos('/\\', substr($_script_dir, -1)) === false) { + $_script_dir .= DS; + } + if (file_exists($_script_dir . $_script)) { + $_filepath = $_script_dir . $_script; + break; + } + } + } + } + if ($_filepath == false) { + $this->compiler->trigger_template_error("{insert} missing script file '{$_script}'", $this->compiler->lex->taglineno); } // code for script file loading - $_output .= "require_once '{$_script}' ;"; - require_once $_script; + $_output .= "require_once '{$_filepath}' ;"; + require_once $_filepath; if (!is_callable($_function)) { - $this->compiler->trigger_template_error(" {insert} function '{$_name}' is not callable"); + $this->compiler->trigger_template_error(" {insert} function '{$_function}' is not callable in script file '{$_script}'", $this->compiler->lex->taglineno); } } else { - $_script = 'null'; + $_filepath = 'null'; + $_function = "insert_{$_name}"; + // function in PHP script ? if (!is_callable($_function)) { + // try plugin if (!$_function = $this->compiler->getPlugin($_name, 'insert')) { - $this->compiler->trigger_template_error("{insert} no function or plugin found for '{$_name}'"); + $this->compiler->trigger_template_error("{insert} no function or plugin found for '{$_name}'", $this->compiler->lex->taglineno); } } } 
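Review bot: With security enabled, the trusted_dir loop sets `$_filepath = $_script_dir . $_script` as soon as `file_exists()` succeeds, so a template-supplied `script` value containing `..` segments is not confined to the trusted directories before it reaches `require_once` at compile time. I would canonicalise first, e.g. `$_real = realpath($_script_dir . $_script);`, and accept the candidate only when `$_real !== false && strpos($_real, realpath($_script_dir) . DS) === 0`. Separately, `$_filepath` is written unescaped into `"require_once '{$_filepath}' ;"`, so a quote or backslash in the path would change the compiled template; `var_export($_filepath, true)` avoids that. The `$_filepath == false` test would also be safer as `=== false`. The hunk text on this page is partly garbled and the method body starts outside it, so the surrounding attribute handling should be checked against the full file.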
@@ -74,14 +98,14 @@ class Smarty_Internal_Compile_Insert extends Smarty_Internal_CompileBase {
 // call insert
 if (isset($_assign)) {
 if ($_smarty_tpl->caching) {
- $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_script}',{$_assign});?>";
+ $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_filepath}',{$_assign});?>";
 } else {
 $_output .= "\$_smarty_tpl->assign({$_assign} , {$_function} ({$_params},\$_smarty_tpl->smarty,\$_smarty_tpl), true);?>";
 }
 } else {
 $this->compiler->has_output = true;
 if ($_smarty_tpl->caching) {
- $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_script}');?>";
+ $_output .= "echo Smarty_Internal_Nocache_Insert::compile ('{$_function}',{$_params}, \$_smarty_tpl, '{$_filepath}');?>";
 } else {
 $_output .= "echo {$_function}({$_params},\$_smarty_tpl->smarty,\$_smarty_tpl);?>";
 }