smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-07-30 07:57:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Using PHP functions as modifiers now triggers a deprecation notice (#814)

Browse Source 
Fixes #813
This commit is contained in:
Simon Wisselink
2022-09-23 00:09:00 +02:00
committed by GitHub
parent 4fc39d59a5
commit 4550fc0339
20 changed files with 299 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
- Include docs and demo in the releases [#799](https://github.com/smarty-php/smarty/issues/799)
- Using PHP functions as modifiers now triggers a deprecation notice because we will drop support for this in the next major release [#813](https://github.com/smarty-php/smarty/issues/813)
### Fixed
- Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions [#514](https://github.com/smarty-php/smarty/issues/514)

36
libs/plugins/modifier.count.php Normal file
View File

@ -0,0 +1,36 @@
<?php
/**
* Smarty plugin
*
* @package Smarty
* @subpackage PluginsModifier
*/
/**
* Smarty count modifier plugin
* Type: modifier
* Name: count
* Purpose: counts all elements in an array or in a Countable object
* Input:
* - Countable|array: array or object to count
* - mode: int defaults to 0 for normal count mode, if set to 1 counts recursive
*
* @param mixed $arrayOrObject input array/object
* @param int $mode count mode
*
* @return int
*/
function smarty_modifier_count($arrayOrObject, $mode = 0)
{
/*
* @see https://www.php.net/count
* > Prior to PHP 8.0.0, if the parameter was neither an array nor an object that implements the Countable interface,
* > 1 would be returned, unless value was null, in which case 0 would be returned.
*/
if ($arrayOrObject instanceof Countable || is_array($arrayOrObject)) {
return count($arrayOrObject, (int) $mode);
} elseif ($arrayOrObject === null) {
return 0;
}
return 1;
}

23
libs/plugins/modifiercompiler.nl2br.php Normal file
View File

@ -0,0 +1,23 @@
<?php
/**
* Smarty plugin
*
* @package Smarty
* @subpackage PluginsModifierCompiler
*/
/**
* Smarty nl2br modifier plugin
* Type: modifier
* Name: nl2br
* Purpose: insert HTML line breaks before all newlines in a string
*
* @link https://www.smarty.net/docs/en/language.modifier.nl2br.tpl nl2br (Smarty online manual)
*
* @param array $params parameters
*
* @return string with compiled code
*/
function smarty_modifiercompiler_nl2br($params) {
return 'nl2br((string) ' . $params[0] . ', (bool) ' . ($params[1] ?? true) . ')';
}

23
libs/plugins/modifiercompiler.round.php Normal file
View File

@ -0,0 +1,23 @@
<?php
/**
* Smarty plugin
*
* @package Smarty
* @subpackage PluginsModifierCompiler
*/
/**
* Smarty round modifier plugin
* Type: modifier
* Name: round
* Purpose: Returns the rounded value of num to specified precision (number of digits after the decimal point)
*
* @link https://www.smarty.net/docs/en/language.modifier.round.tpl round (Smarty online manual)
*
* @param array $params parameters
*
* @return string with compiled code
*/
function smarty_modifiercompiler_round($params) {
return 'round((float) ' . $params[0] . ', (int) ' . ($params[1] ?? 0) . ', (int) ' . ($params[2] ?? PHP_ROUND_HALF_UP) . ')';
}

23
libs/plugins/modifiercompiler.str_repeat.php Normal file
View File

@ -0,0 +1,23 @@
<?php
/**
* Smarty plugin
*
* @package Smarty
* @subpackage PluginsModifierCompiler
*/
/**
* Smarty str_repeat modifier plugin
* Type: modifier
* Name: str_repeat
* Purpose: returns string repeated times times
*
* @link https://www.smarty.net/docs/en/language.modifier.str_repeat.tpl str_repeat (Smarty online manual)
*
* @param array $params parameters
*
* @return string with compiled code
*/
function smarty_modifiercompiler_str_repeat($params) {
return 'str_repeat((string) ' . $params[0] . ', (int) ' . $params[1] . ')';
}

23
libs/plugins/modifiercompiler.strlen.php Normal file
View File

@ -0,0 +1,23 @@
<?php
/**
* Smarty plugin
*
* @package Smarty
* @subpackage PluginsModifierCompiler
*/
/**
* Smarty strlen modifier plugin
* Type: modifier
* Name: strlen
* Purpose: return the length of the given string
*
* @link https://www.smarty.net/docs/en/language.modifier.strlen.tpl strlen (Smarty online manual)
*
* @param array $params parameters
*
* @return string with compiled code
*/
function smarty_modifiercompiler_strlen($params) {
return 'strlen((string) ' . $params[0] . ')';
}

3
libs/sysplugins/smarty_internal_compile_private_modifier.php
View File

@ -109,6 +109,9 @@ class Smarty_Internal_Compile_Private_Modifier extends Smarty_Internal_CompileBa
if (!is_object($compiler->smarty->security_policy)
|| $compiler->smarty->security_policy->isTrustedPhpModifier($modifier, $compiler)
) {
trigger_error('Using php-function "' . $modifier . '" as a modifier is deprecated and will be ' .
'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
'a custom modifier.', E_USER_DEPRECATED);
$output = "{$modifier}({$params})";
}
$compiler->known_modifier_type[ $modifier ] = $type;

4
libs/sysplugins/smarty_security.php
View File

@ -105,7 +105,7 @@ class Smarty_Security
*
* @var array
*/
public $php_modifiers = array('escape', 'count', 'nl2br',);
public $php_modifiers = array('escape', 'count', 'sizeof', 'nl2br',);
/**
* This is an array of allowed tags.
@ -328,7 +328,7 @@ class Smarty_Security
*
* @param string $modifier_name
* @param object $compiler compiler object
*
* @deprecated
* @return boolean true if modifier is trusted
*/
public function isTrustedPhpModifier($modifier_name, $compiler)

19
tests/UnitTests/SecurityTests/SecurityTest.php
View File

@ -52,7 +52,7 @@ class SecurityTest extends PHPUnit_Smarty
*/
public function testTrustedPHPFunction()
{
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}'));
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{sizeof($foo)}'));
}
/**
@ -63,9 +63,9 @@ class SecurityTest extends PHPUnit_Smarty
public function testNotTrustedPHPFunction()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('PHP function \'count\' not allowed by security setting');
$this->expectExceptionMessage('PHP function \'sizeof\' not allowed by security setting');
$this->smarty->security_policy->php_functions = array('null');
$this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}');
$this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{sizeof($foo)}');
}
/**
@ -75,38 +75,41 @@ class SecurityTest extends PHPUnit_Smarty
{
$this->smarty->security_policy->php_functions = array('null');
$this->smarty->disableSecurity();
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}'));
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{sizeof($foo)}'));
}
/**
* test trusted modifier
* @deprecated
*/
public function testTrustedModifier()
{
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}'));
$this->assertEquals("5", @$this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@sizeof}'));
}
/**
* test not trusted modifier
* @runInSeparateProcess
* @preserveGlobalState disabled
* @deprecated
*/
public function testNotTrustedModifier()
{
$this->expectException('SmartyException');
$this->expectExceptionMessage('modifier \'count\' not allowed by security setting');
$this->expectExceptionMessage('modifier \'sizeof\' not allowed by security setting');
$this->smarty->security_policy->php_modifiers = array('null');
$this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}');
@$this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@sizeof}');
}
/**
* test not trusted modifier at disabled security
* @deprecated
*/
public function testDisabledTrustedModifier()
{
$this->smarty->security_policy->php_modifiers = array('null');
$this->smarty->disableSecurity();
$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}'));
@$this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@sizeof}'));
}
/**

4
tests/UnitTests/SmartyMethodsTests/RegisterBlock/RegisterBlockTest.php
View File

@ -40,14 +40,14 @@ class RegisterBlockTest extends PHPUnit_Smarty
{
$this->smarty->registerPlugin(Smarty::PLUGIN_BLOCK, 'testblock', 'myblock');
$this->smarty->assign('value', 1);
$this->assertEquals(strtoupper('function hello world 1 1 function hello world 1 2 function hello world 1 3 '), $this->smarty->fetch('eval:{testblock}hello world {$value}{/testblock|strtoupper}'));
$this->assertEquals(strtoupper('function hello world 1 1 function hello world 1 2 function hello world 1 3 '), $this->smarty->fetch('eval:{testblock}hello world {$value}{/testblock|upper}'));
}
public function testRegisterBlockFunctionModifier2()
{
$this->smarty->registerPlugin(Smarty::PLUGIN_BLOCK, 'testblock', 'myblock');
$this->smarty->assign('value', 1);
$this->assertEquals(strtoupper('function hello world 1 1 function hello world 1 2 function hello world 1 3 '), $this->smarty->fetch('eval:{testblock}hello world {$value}{/testblock|default:""|strtoupper}'));
$this->assertEquals(strtoupper('function hello world 1 1 function hello world 1 2 function hello world 1 3 '), $this->smarty->fetch('eval:{testblock}hello world {$value}{/testblock|default:""|upper}'));
}
public function testRegisterBlockFunctionWrapper()

4
tests/UnitTests/SmartyMethodsTests/RegisterObject/CompileRegisteredObjectFunctionTest.php
View File

@ -60,13 +60,13 @@ class CompileRegisteredObjectFunctionTest extends PHPUnit_Smarty
public function testRegisteredObjectBlockFunctionModifier1()
{
$tpl = $this->smarty->createTemplate('eval:{objecttest->myblock}hello world{/objecttest->myblock|strtoupper}');
$tpl = $this->smarty->createTemplate('eval:{objecttest->myblock}hello world{/objecttest->myblock|upper}');
$this->assertEquals(strtoupper('block test'), $this->smarty->fetch($tpl));
}
public function testRegisteredObjectBlockFunctionModifier2()
{
$tpl = $this->smarty->createTemplate('eval:{objecttest->myblock}hello world{/objecttest->myblock|default:""|strtoupper}');
$tpl = $this->smarty->createTemplate('eval:{objecttest->myblock}hello world{/objecttest->myblock|default:""|upper}');
$this->assertEquals(strtoupper('block test'), $this->smarty->fetch($tpl));
}
// TODO

1
tests/UnitTests/TemplateSource/TagTests/Append/CompileAppendTest.php
View File

@ -21,6 +21,7 @@ class CompileAppendTest extends PHPUnit_Smarty
$this->smarty->addPluginsDir("../../../__shared/PHPunitplugins/");
$this->smarty->addTemplateDir("../../../__shared/templates/");
$this->smarty->addTemplateDir("./templates_tmp");
$this->smarty->registerPlugin('modifier', 'var_export', 'var_export');
}
public function testInit()

1
tests/UnitTests/TemplateSource/TagTests/Assign/CompileAssignTest.php
View File

@ -21,6 +21,7 @@ class CompileAssignTest extends PHPUnit_Smarty
$this->smarty->addPluginsDir("../../../__shared/PHPunitplugins/");
$this->smarty->addTemplateDir("../../../__shared/templates/");
$this->smarty->addTemplateDir("./templates_tmp");
$this->smarty->registerPlugin('modifier', 'var_export', 'var_export');
}
public function testInit()

1
tests/UnitTests/TemplateSource/TagTests/If/CompileIfTest.php
View File

@ -21,6 +21,7 @@ class CompileIfTest extends PHPUnit_Smarty
$this->smarty->addPluginsDir("../../../__shared/PHPunitplugins/");
$this->smarty->addTemplateDir("../../../__shared/templates/");
$this->smarty->addTemplateDir("./templates_tmp");
$this->smarty->registerPlugin('modifier', 'var_export', 'var_export');
}
public function testInit()

48
tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierCountTest.php Normal file
View File

@ -0,0 +1,48 @@
<?php
/**
* Smarty PHPunit tests of modifier
*/
/**
* class for modifier tests
*
* @runTestsInSeparateProcess
* @preserveGlobalState disabled
* @backupStaticAttributes enabled
*/
class PluginModifierCountTest extends PHPUnit_Smarty
{
public function setUp(): void
{
$this->setUpSmarty(dirname(__FILE__));
}
public function testArray()
{
$tpl = $this->smarty->createTemplate('string:count:{$v|count}');
$tpl->assign("v", array(1, 2, 3));
$this->assertEquals("count:3", $this->smarty->fetch($tpl));
}
public function testEmptyArray()
{
$tpl = $this->smarty->createTemplate('string:count:{$v|count}');
$tpl->assign("v", array());
$this->assertEquals("count:0", $this->smarty->fetch($tpl));
}
public function testNull()
{
$tpl = $this->smarty->createTemplate('string:count:{$v|count}');
$tpl->assign("v", null);
$this->assertEquals("count:0", $this->smarty->fetch($tpl));
}
public function testString()
{
$tpl = $this->smarty->createTemplate('string:count:{$v|count}');
$tpl->assign("v", "string");
$this->assertEquals("count:1", $this->smarty->fetch($tpl));
}
}

1
tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierExplodeTest.php
View File

@ -14,6 +14,7 @@ class PluginModifierExplodeTest extends \PHPUnit_Smarty
public function setUp(): void
{
$this->setUpSmarty(__DIR__);
$this->smarty->registerPlugin('modifier', 'json_encode', 'json_encode');
}
/**

33
tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierNl2brTest.php Normal file
View File

@ -0,0 +1,33 @@
<?php
/**
* Smarty PHPunit tests of modifier
*/
/**
* class for modifier tests
*
* @runTestsInSeparateProcess
* @preserveGlobalState disabled
* @backupStaticAttributes enabled
*/
class PluginModifierNl2brTest extends PHPUnit_Smarty
{
public function setUp(): void
{
$this->setUpSmarty(dirname(__FILE__));
}
public function testDefault()
{
$tpl = $this->smarty->createTemplate('string:{$v|nl2br}');
$tpl->assign("v", "Line1\nLine2");
$this->assertEquals("Line1<br />\nLine2", $this->smarty->fetch($tpl));
}
public function testNoXHTML()
{
$tpl = $this->smarty->createTemplate('string:{$v|nl2br:false}');
$tpl->assign("v", "Line1\nLine2");
$this->assertEquals("Line1<br>\nLine2", $this->smarty->fetch($tpl));
}
}

33
tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierStrRepeatTest.php Normal file
View File

@ -0,0 +1,33 @@
<?php
/**
* Smarty PHPunit tests of modifier
*/
/**
* class for modifier tests
*
* @runTestsInSeparateProcess
* @preserveGlobalState disabled
* @backupStaticAttributes enabled
*/
class PluginModifierStrRepeatTest extends PHPUnit_Smarty
{
public function setUp(): void
{
$this->setUpSmarty(dirname(__FILE__));
}
public function testDefault()
{
$tpl = $this->smarty->createTemplate('string:{$v|str_repeat:2}');
$tpl->assign("v", "foo");
$this->assertEquals("foofoo", $this->smarty->fetch($tpl));
}
public function testZeroTimes()
{
$tpl = $this->smarty->createTemplate('string:{$v|str_repeat:0}');
$tpl->assign("v", "foo");
$this->assertEquals("", $this->smarty->fetch($tpl));
}
}

61
tests/UnitTests/TemplateSource/ValueTests/Math/MathTest.php
View File

@ -18,6 +18,7 @@ class MathTest extends PHPUnit_Smarty
public function setUp(): void
{
$this->setUpSmarty(dirname(__FILE__));
$this->smarty->registerPlugin('modifier', 'sin', 'sin');
}
public function testInit()
@ -104,7 +105,7 @@ class MathTest extends PHPUnit_Smarty
{
$this->smarty->disableSecurity();
$expected = "22.00 -- 4.10";
$tpl = $this->smarty->createTemplate('eval:{$x = 4}{$y = 5.5}{$z = $x * $y}{"%0.2f"|sprintf:$z} -- {$x = 20.5}{$y = 5}{$z = $x / $y}{"%0.2f"|sprintf:$z}');
$tpl = $this->smarty->createTemplate('eval:{$x = 4}{$y = 5.5}{$z = $x * $y}{$z|string_format:"%0.2f"} -- {$x = 20.5}{$y = 5}{$z = $x / $y}{$z|string_format:"%0.2f"}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
@ -120,7 +121,7 @@ class MathTest extends PHPUnit_Smarty
{
$this->smarty->disableSecurity();
$expected = "22.00 -- 4.10";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{$z = $x * $y}{"%0.2f"|sprintf:$z} -- {$x = "20.5"}{$y = "5"}{$z = $x / $y}{"%0.2f"|sprintf:$z}');
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{$z = $x * $y}{$z|string_format:"%0.2f"} -- {$x = "20.5"}{$y = "5"}{$z = $x / $y}{$z|string_format:"%0.2f"}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
@ -132,36 +133,36 @@ class MathTest extends PHPUnit_Smarty
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testBackticksIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="`ls` x * y" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testBackticksIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="`ls` x * y" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testDollarSignsIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="$" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testDollarSignsIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "22.00";
$tpl = $this->smarty->createTemplate('eval:{$x = "4"}{$y = "5.5"}{math equation="$" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testBracketsIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "I";
$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{$y = "1"}{math equation="((y/x).(x))[x]" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testBracketsIllegal()
{
$this->expectException(PHPUnit\Framework\Error\Warning::class);
$expected = "I";
$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{$y = "1"}{math equation="((y/x).(x))[x]" x=$x y=$y}');
$this->assertEquals($expected, $this->smarty->fetch($tpl));
}
public function testRand()
{
$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{math equation="x * rand()" x=$x}');
// this assertion may seem silly, but it serves to prove that using rand() without a parameter
// will not trigger a security error (see https://github.com/smarty-php/smarty/issues/794)
$this->assertEquals("0", $this->smarty->fetch($tpl));
}
public function testRand()
{
$tpl = $this->smarty->createTemplate('eval:{$x = "0"}{math equation="x * rand()" x=$x}');
// this assertion may seem silly, but it serves to prove that using rand() without a parameter
// will not trigger a security error (see https://github.com/smarty-php/smarty/issues/794)
$this->assertEquals("0", $this->smarty->fetch($tpl));
}
}

1
tests/UnitTests/TemplateSource/_Issues/327/ModifierIssue327Test.php
View File

@ -18,6 +18,7 @@ class ModifierIssue327Test extends PHPUnit_Smarty
public function setUp(): void
{
$this->setUpSmarty(dirname(__FILE__));
$this->smarty->registerPlugin('modifier', 'substr', 'substr');
}
public function testInit()