- move $smarty->enableSecurity() into Smarty_Security class

Uwe Tews
2015-06-28 01:38:52 +02:00
parent 15d8e545cd
commit 5377fd5926
3 changed files with 69 additions and 43 deletions


@@ -1,4 +1,7 @@
 ===== 3.1.28-dev===== (xx.xx.2015)
28.06.2015
- move $smarty->enableSecurity() into Smarty_Security class
27.06.2015
- bugfix resolve naming conflict between custom Smarty delimiter '<%' and PHP ASP tags https://github.com/smarty-php/smarty/issues/64
- update $smarty->_realpath for relative path not starting with './'


@@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/**
* smarty version
*/
const SMARTY_VERSION = '3.1.28-dev/11';
const SMARTY_VERSION = '3.1.28-dev/12';
/**
* define variable scopes
@@ -913,24 +913,7 @@ class Smarty extends Smarty_Internal_TemplateBase
*/
public function enableSecurity($security_class = null)
{
if ($security_class instanceof Smarty_Security) {
$this->security_policy = $security_class;
return $this;
} elseif (is_object($security_class)) {
throw new SmartyException("Class '" . get_class($security_class) . "' must extend Smarty_Security.");
}
if ($security_class == null) {
$security_class = $this->security_class;
}
if (!class_exists($security_class)) {
throw new SmartyException("Security class '$security_class' is not defined");
} elseif ($security_class !== 'Smarty_Security' && !is_subclass_of($security_class, 'Smarty_Security')) {
throw new SmartyException("Class '$security_class' must extend Smarty_Security.");
} else {
$this->security_policy = new $security_class($this);
}
Smarty_Security::enableSecurity($this, $security_class);
return $this;
}
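Review bot: With validation delegated to `Smarty_Security::enableSecurity($this, $security_class);`, every failure path in that helper throws before `security_policy` is assigned, so a caller that catches the `SmartyException` and carries on keeps whatever policy was set before, presumably none on a fresh instance. The docblock for this wrapper starts above the hunk, so I cannot see whether it already says so; if it does not, add `@throws SmartyException if the class is missing or does not extend Smarty_Security; security_policy is left unchanged`, and state that untrusted templates must not be rendered after a failed call. A short inline comment such as `// validation and instantiation live in Smarty_Security::enableSecurity()` would also help readers who look for the checks here.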


@@ -34,6 +34,7 @@ class Smarty_Security
* @var integer
*/
public $php_handling = Smarty::PHP_PASSTHRU;
/**
* This is the list of template directories that are considered secure.
* $template_dir is in this list implicitly.
@@ -41,6 +42,7 @@ class Smarty_Security
* @var array
*/
public $secure_dir = array();
/**
* This is an array of directories where trusted php scripts reside.
* {@link $security} is disabled during their inclusion/execution.
@@ -48,18 +50,21 @@ class Smarty_Security
* @var array
*/
public $trusted_dir = array();
/**
* List of regular expressions (PCRE) that include trusted URIs
*
* @var array
*/
public $trusted_uri = array();
/**
* List of trusted constants names
*
* @var array
*/
public $trusted_constants = array();
/**
* This is an array of trusted static classes.
* If empty access to all static classes is allowed.
@@ -96,6 +101,7 @@ class Smarty_Security
* @var array
*/
public $trusted_static_properties = array();
/**
* This is an array of trusted PHP functions.
* If empty all functions are allowed.
@@ -103,12 +109,8 @@ class Smarty_Security
*
* @var array
*/
public $php_functions = array(
'isset', 'empty',
'count', 'sizeof',
'in_array', 'is_array',
'time',
);
public $php_functions = array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time',);
/**
* This is an array of trusted PHP modifiers.
* If empty all modifiers are allowed.
@@ -116,11 +118,8 @@ class Smarty_Security
*
* @var array
*/
public $php_modifiers = array(
'escape',
'count',
'nl2br',
);
public $php_modifiers = array('escape', 'count', 'nl2br',);
/**
* This is an array of allowed tags.
* If empty no restriction by allowed_tags.
@@ -128,6 +127,7 @@ class Smarty_Security
* @var array
*/
public $allowed_tags = array();
/**
* This is an array of disabled tags.
* If empty no restriction by disabled_tags.
@@ -135,6 +135,7 @@ class Smarty_Security
* @var array
*/
public $disabled_tags = array();
/**
* This is an array of allowed modifier plugins.
* If empty no restriction by allowed_modifiers.
@@ -142,6 +143,7 @@ class Smarty_Security
* @var array
*/
public $allowed_modifiers = array();
/**
* This is an array of disabled modifier plugins.
* If empty no restriction by disabled_modifiers.
@@ -149,12 +151,14 @@ class Smarty_Security
* @var array
*/
public $disabled_modifiers = array();
/**
* This is an array of disabled special $smarty variables.
*
* @var array
*/
public $disabled_special_smarty_vars = array();
/**
* This is an array of trusted streams.
* If empty all streams are allowed.
@@ -163,60 +167,70 @@ class Smarty_Security
* @var array
*/
public $streams = array('file');
/**
* + flag if constants can be accessed from template
*
* @var boolean
*/
public $allow_constants = true;
/**
* + flag if super globals can be accessed from template
*
* @var boolean
*/
public $allow_super_globals = true;
/**
* max template nesting level
*
* @var int
*/
public $max_template_nesting = 0;
/**
* current template nesting level
*
* @var int
*/
private $_current_template_nesting = 0;
/**
* Cache for $resource_dir lookup
*
* @var array
*/
protected $_resource_dir = null;
/**
* Cache for $template_dir lookup
*
* @var array
*/
protected $_template_dir = null;
/**
* Cache for $config_dir lookup
*
* @var array
*/
protected $_config_dir = null;
/**
* Cache for $secure_dir lookup
*
* @var array
*/
protected $_secure_dir = null;
/**
* Cache for $php_resource_dir lookup
*
* @var array
*/
protected $_php_resource_dir = null;
/**
* Cache for $trusted_dir lookup
*
@@ -301,10 +315,7 @@ class Smarty_Security
// fall back
return $this->isTrustedStaticClass($class_name, $compiler);
}
if (isset($allowed[$class_name])
&& (empty($allowed[$class_name])
|| in_array($name, $allowed[$class_name]))
) {
if (isset($allowed[$class_name]) && (empty($allowed[$class_name]) || in_array($name, $allowed[$class_name]))) {
return true;
}
}
@@ -344,9 +355,10 @@ class Smarty_Security
public function isTrustedTag($tag_name, $compiler)
{
// check for internal always required tags
if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin', 'private_function_plugin', 'private_object_block_function',
'private_object_function', 'private_registered_function', 'private_registered_block', 'private_special_variable', 'private_print_expression', 'private_modifier'))
) {
if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin',
'private_function_plugin', 'private_object_block_function', 'private_object_function',
'private_registered_function', 'private_registered_block', 'private_special_variable',
'private_print_expression', 'private_modifier'))) {
return true;
}
// check security settings
@@ -419,7 +431,7 @@ class Smarty_Security
/**
* Check if constants are enabled or trusted
*
* @param string $const contant name
* @param string $const constant name
* @param object $compiler compiler object
*
* @return bool
@@ -478,10 +490,7 @@ class Smarty_Security
$_config_dir = $this->smarty->getConfigDir();
// check if index is outdated
if ((!$this->_template_dir || $this->_template_dir !== $_template_dir)
|| (!$this->_config_dir || $this->_config_dir !== $_config_dir)
|| (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))
) {
if ((!$this->_template_dir || $this->_template_dir !== $_template_dir) || (!$this->_config_dir || $this->_config_dir !== $_config_dir) || (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))) {
$this->_resource_dir = array();
$_template = true;
$_config = true;
@@ -500,7 +509,7 @@ class Smarty_Security
if ($_config) {
$this->_config_dir = $_config_dir;
foreach ($_config_dir as $directory) {
$this->_resource_dir[$directory] = true;
$this->_resource_dir[$directory] = true;
}
}
@@ -639,4 +648,35 @@ class Smarty_Security
$this->_current_template_nesting --;
}
}
/**
* Loads security class and enables security
*
* @param \Smarty $smarty
* @param string|Smarty_Security $security_class if a string is used, it must be class-name
*
* @return \Smarty current Smarty instance for chaining
* @throws \SmartyException when an invalid class name is provided
*/
public static function enableSecurity(Smarty $smarty, $security_class)
{
if ($security_class instanceof Smarty_Security) {
$smarty->security_policy = $security_class;
return;
} elseif (is_object($security_class)) {
throw new SmartyException("Class '" . get_class($security_class) . "' must extend Smarty_Security.");
}
if ($security_class == null) {
$security_class = $smarty->security_class;
}
if (!class_exists($security_class)) {
throw new SmartyException("Security class '$security_class' is not defined");
} elseif ($security_class !== 'Smarty_Security' && !is_subclass_of($security_class, 'Smarty_Security')) {
throw new SmartyException("Class '$security_class' must extend Smarty_Security.");
} else {
$smarty->security_policy = new $security_class($smarty);
}
return;
}
}
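Review bot: The docblock on the new static `enableSecurity()` promises `@return \Smarty current Smarty instance for chaining`, but both exits are a bare `return;`, so anything chaining on the static call gets null. The wrapper in Smarty ignores the result and returns `$this` itself, so either change the tag to `@return void` or end both paths with `return $smarty;`. Separately, `if ($security_class == null)` is a loose comparison, so `''`, `0` or `false` silently select `$smarty->security_class` instead of being rejected as an invalid class name. `if ($security_class === null)` would keep the fallback for the default argument only, and the `@param` type should then read `string|Smarty_Security|null`.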