smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-05 10:54:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

- move $smarty->enableSecurity() into Smarty_Security class

Browse Source
This commit is contained in:
Uwe Tews
2015-06-28 01:38:52 +02:00
parent 15d8e545cd
commit 5377fd5926
3 changed files with 69 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
change_log.txt
View File

@@ -1,4 +1,7 @@
 ===== 3.1.28-dev===== (xx.xx.2015)  ===== 3.1.28-dev===== (xx.xx.2015)
28.06.2015
- move $smarty->enableSecurity() into Smarty_Security class
27.06.2015 27.06.2015
- bugfix resolve naming conflict between custom Smarty delimiter '<%' and PHP ASP tags https://github.com/smarty-php/smarty/issues/64 - bugfix resolve naming conflict between custom Smarty delimiter '<%' and PHP ASP tags https://github.com/smarty-php/smarty/issues/64
- update $smarty->_realpath for relative path not starting with './' - update $smarty->_realpath for relative path not starting with './'

21
libs/Smarty.class.php
View File

@@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/** /**
* smarty version * smarty version
*/ */
const SMARTY_VERSION = '3.1.28-dev/11'; const SMARTY_VERSION = '3.1.28-dev/12';
/** /**
* define variable scopes * define variable scopes
@@ -913,24 +913,7 @@ class Smarty extends Smarty_Internal_TemplateBase
*/ */
public function enableSecurity($security_class = null) public function enableSecurity($security_class = null)
{ {
if ($security_class instanceof Smarty_Security) { Smarty_Security::enableSecurity($this, $security_class);
$this->security_policy = $security_class;
return $this;
} elseif (is_object($security_class)) {
throw new SmartyException("Class '" . get_class($security_class) . "' must extend Smarty_Security.");
}
if ($security_class == null) {
$security_class = $this->security_class;
}
if (!class_exists($security_class)) {
throw new SmartyException("Security class '$security_class' is not defined");
} elseif ($security_class !== 'Smarty_Security' && !is_subclass_of($security_class, 'Smarty_Security')) {
throw new SmartyException("Class '$security_class' must extend Smarty_Security.");
} else {
$this->security_policy = new $security_class($this);
}
return $this; return $this;
} }

86
libs/sysplugins/smarty_security.php
View File

@@ -34,6 +34,7 @@ class Smarty_Security
* @var integer * @var integer
*/ */
public $php_handling = Smarty::PHP_PASSTHRU; public $php_handling = Smarty::PHP_PASSTHRU;
/** /**
* This is the list of template directories that are considered secure. * This is the list of template directories that are considered secure.
* $template_dir is in this list implicitly. * $template_dir is in this list implicitly.
@@ -41,6 +42,7 @@ class Smarty_Security
* @var array * @var array
*/ */
public $secure_dir = array(); public $secure_dir = array();
/** /**
* This is an array of directories where trusted php scripts reside. * This is an array of directories where trusted php scripts reside.
* {@link $security} is disabled during their inclusion/execution. * {@link $security} is disabled during their inclusion/execution.
@@ -48,18 +50,21 @@ class Smarty_Security
* @var array * @var array
*/ */
public $trusted_dir = array(); public $trusted_dir = array();
/** /**
* List of regular expressions (PCRE) that include trusted URIs * List of regular expressions (PCRE) that include trusted URIs
* *
* @var array * @var array
*/ */
public $trusted_uri = array(); public $trusted_uri = array();
/** /**
* List of trusted constants names * List of trusted constants names
* *
* @var array * @var array
*/ */
public $trusted_constants = array(); public $trusted_constants = array();
/** /**
* This is an array of trusted static classes. * This is an array of trusted static classes.
* If empty access to all static classes is allowed. * If empty access to all static classes is allowed.
@@ -96,6 +101,7 @@ class Smarty_Security
* @var array * @var array
*/ */
public $trusted_static_properties = array(); public $trusted_static_properties = array();
/** /**
* This is an array of trusted PHP functions. * This is an array of trusted PHP functions.
* If empty all functions are allowed. * If empty all functions are allowed.
@@ -103,12 +109,8 @@ class Smarty_Security
* *
* @var array * @var array
*/ */
public $php_functions = array( public $php_functions = array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time',);
'isset', 'empty',
'count', 'sizeof',
'in_array', 'is_array',
'time',
);
/** /**
* This is an array of trusted PHP modifiers. * This is an array of trusted PHP modifiers.
* If empty all modifiers are allowed. * If empty all modifiers are allowed.
@@ -116,11 +118,8 @@ class Smarty_Security
* *
* @var array * @var array
*/ */
public $php_modifiers = array( public $php_modifiers = array('escape', 'count', 'nl2br',);
'escape',
'count',
'nl2br',
);
/** /**
* This is an array of allowed tags. * This is an array of allowed tags.
* If empty no restriction by allowed_tags. * If empty no restriction by allowed_tags.
@@ -128,6 +127,7 @@ class Smarty_Security
* @var array * @var array
*/ */
public $allowed_tags = array(); public $allowed_tags = array();
/** /**
* This is an array of disabled tags. * This is an array of disabled tags.
* If empty no restriction by disabled_tags. * If empty no restriction by disabled_tags.
@@ -135,6 +135,7 @@ class Smarty_Security
* @var array * @var array
*/ */
public $disabled_tags = array(); public $disabled_tags = array();
/** /**
* This is an array of allowed modifier plugins. * This is an array of allowed modifier plugins.
* If empty no restriction by allowed_modifiers. * If empty no restriction by allowed_modifiers.
@@ -142,6 +143,7 @@ class Smarty_Security
* @var array * @var array
*/ */
public $allowed_modifiers = array(); public $allowed_modifiers = array();
/** /**
* This is an array of disabled modifier plugins. * This is an array of disabled modifier plugins.
* If empty no restriction by disabled_modifiers. * If empty no restriction by disabled_modifiers.
@@ -149,12 +151,14 @@ class Smarty_Security
* @var array * @var array
*/ */
public $disabled_modifiers = array(); public $disabled_modifiers = array();
/** /**
* This is an array of disabled special $smarty variables. * This is an array of disabled special $smarty variables.
* *
* @var array * @var array
*/ */
public $disabled_special_smarty_vars = array(); public $disabled_special_smarty_vars = array();
/** /**
* This is an array of trusted streams. * This is an array of trusted streams.
* If empty all streams are allowed. * If empty all streams are allowed.
@@ -163,60 +167,70 @@ class Smarty_Security
* @var array * @var array
*/ */
public $streams = array('file'); public $streams = array('file');
/** /**
* + flag if constants can be accessed from template * + flag if constants can be accessed from template
* *
* @var boolean * @var boolean
*/ */
public $allow_constants = true; public $allow_constants = true;
/** /**
* + flag if super globals can be accessed from template * + flag if super globals can be accessed from template
* *
* @var boolean * @var boolean
*/ */
public $allow_super_globals = true; public $allow_super_globals = true;
/** /**
* max template nesting level * max template nesting level
* *
* @var int * @var int
*/ */
public $max_template_nesting = 0; public $max_template_nesting = 0;
/** /**
* current template nesting level * current template nesting level
* *
* @var int * @var int
*/ */
private $_current_template_nesting = 0; private $_current_template_nesting = 0;
/** /**
* Cache for $resource_dir lookup * Cache for $resource_dir lookup
* *
* @var array * @var array
*/ */
protected $_resource_dir = null; protected $_resource_dir = null;
/** /**
* Cache for $template_dir lookup * Cache for $template_dir lookup
* *
* @var array * @var array
*/ */
protected $_template_dir = null; protected $_template_dir = null;
/** /**
* Cache for $config_dir lookup * Cache for $config_dir lookup
* *
* @var array * @var array
*/ */
protected $_config_dir = null; protected $_config_dir = null;
/** /**
* Cache for $secure_dir lookup * Cache for $secure_dir lookup
* *
* @var array * @var array
*/ */
protected $_secure_dir = null; protected $_secure_dir = null;
/** /**
* Cache for $php_resource_dir lookup * Cache for $php_resource_dir lookup
* *
* @var array * @var array
*/ */
protected $_php_resource_dir = null; protected $_php_resource_dir = null;
/** /**
* Cache for $trusted_dir lookup * Cache for $trusted_dir lookup
* *
@@ -301,10 +315,7 @@ class Smarty_Security
// fall back // fall back
return $this->isTrustedStaticClass($class_name, $compiler); return $this->isTrustedStaticClass($class_name, $compiler);
} }
if (isset($allowed[$class_name]) if (isset($allowed[$class_name]) && (empty($allowed[$class_name]) || in_array($name, $allowed[$class_name]))) {
&& (empty($allowed[$class_name])
|| in_array($name, $allowed[$class_name]))
) {
return true; return true;
} }
} }
@@ -344,9 +355,10 @@ class Smarty_Security
public function isTrustedTag($tag_name, $compiler) public function isTrustedTag($tag_name, $compiler)
{ {
// check for internal always required tags // check for internal always required tags
if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin', 'private_function_plugin', 'private_object_block_function', if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin',
'private_object_function', 'private_registered_function', 'private_registered_block', 'private_special_variable', 'private_print_expression', 'private_modifier')) 'private_function_plugin', 'private_object_block_function', 'private_object_function',
) { 'private_registered_function', 'private_registered_block', 'private_special_variable',
'private_print_expression', 'private_modifier'))) {
return true; return true;
} }
// check security settings // check security settings
@@ -419,7 +431,7 @@ class Smarty_Security
/** /**
* Check if constants are enabled or trusted * Check if constants are enabled or trusted
* *
* @param string $const contant name * @param string $const constant name
* @param object $compiler compiler object * @param object $compiler compiler object
* *
* @return bool * @return bool
@@ -478,10 +490,7 @@ class Smarty_Security
$_config_dir = $this->smarty->getConfigDir(); $_config_dir = $this->smarty->getConfigDir();
// check if index is outdated // check if index is outdated
if ((!$this->_template_dir || $this->_template_dir !== $_template_dir) if ((!$this->_template_dir || $this->_template_dir !== $_template_dir) || (!$this->_config_dir || $this->_config_dir !== $_config_dir) || (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))) {
|| (!$this->_config_dir || $this->_config_dir !== $_config_dir)
|| (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))
) {
$this->_resource_dir = array(); $this->_resource_dir = array();
$_template = true; $_template = true;
$_config = true; $_config = true;
@@ -639,4 +648,35 @@ class Smarty_Security
$this->_current_template_nesting --; $this->_current_template_nesting --;
} }
} }
/**
* Loads security class and enables security
*
* @param \Smarty $smarty
* @param string|Smarty_Security $security_class if a string is used, it must be class-name
*
* @return \Smarty current Smarty instance for chaining
* @throws \SmartyException when an invalid class name is provided
*/
public static function enableSecurity(Smarty $smarty, $security_class)
{
if ($security_class instanceof Smarty_Security) {
$smarty->security_policy = $security_class;
return;
} elseif (is_object($security_class)) {
throw new SmartyException("Class '" . get_class($security_class) . "' must extend Smarty_Security.");
}
if ($security_class == null) {
$security_class = $smarty->security_class;
}
if (!class_exists($security_class)) {
throw new SmartyException("Security class '$security_class' is not defined");
} elseif ($security_class !== 'Smarty_Security' && !is_subclass_of($security_class, 'Smarty_Security')) {
throw new SmartyException("Class '$security_class' must extend Smarty_Security.");
} else {
$smarty->security_policy = new $security_class($smarty);
}
return;
}
} }