limit the template nesting level by security

Uwe Tews
2014-12-30 12:57:43 +01:00
parent 1da50aa61d
commit 6be6bf7b70
5 changed files with 63 additions and 5 deletions
@@ -353,6 +353,9 @@ class Smarty_Internal_Template extends Smarty_Internal_TemplateBase
public function getInlineSubTemplate($template, $cache_id, $compile_id, $caching, $cache_lifetime, $data, $parent_scope, $hash, $content_func)
{
$tpl = $this->setupInlineSubTemplate($template, $cache_id, $compile_id, $caching, $cache_lifetime, $data, $parent_scope, $hash);
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->startTemplate($tpl);
}
if ($this->smarty->debugging) {
Smarty_Internal_Debug::start_template($tpl);
@@ -367,6 +370,9 @@ class Smarty_Internal_Template extends Smarty_Internal_TemplateBase
if (!empty($tpl->properties['file_dependency'])) {
$this->properties['file_dependency'] = array_merge($this->properties['file_dependency'], $tpl->properties['file_dependency']);
}
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->exitTemplate($tpl);
}
return str_replace($tpl->properties['nocache_hash'], $this->properties['nocache_hash'], ob_get_clean());
}
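Review bot: The exitTemplate call before the return in getInlineSubTemplate is skipped whenever anything between it and startTemplate throws — a compile or runtime error in the sub-template, or a nested startTemplate hitting the limit — so `_current_template_nesting` on the Smarty_Security object stays raised, and if the application catches the SmartyException and keeps rendering (an error page, a long-running worker) later fetches reach the limit earlier or fail immediately. The same unbalanced start/exit pair is added to Smarty_Internal_TemplateBase::fetch. If the code base cannot use `finally` (it appears to target older PHP, which I cannot confirm from this page), wrap the region after a successful startTemplate in a `catch (Exception $e)` that calls `exitTemplate($tpl)` and rethrows, or reset the counter when the outermost fetch begins. The part of getInlineSubTemplate's body between the two hunks is outside the view, so I cannot tell whether it also returns early without reaching exitTemplate.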
@@ -50,6 +50,9 @@ abstract class Smarty_Internal_TemplateBase extends Smarty_Internal_Data
if ($this->smarty->debugging) {
Smarty_Internal_Debug::start_template($_template);
}
if (isset($_template->smarty->security_policy)) {
$_template->smarty->security_policy->startTemplate($_template);
}
// if called by Smarty object make sure we use current caching status
if ($this instanceof Smarty) {
$_template->caching = $this->caching;
@@ -323,6 +326,9 @@ abstract class Smarty_Internal_TemplateBase extends Smarty_Internal_Data
if (isset($this->error_reporting)) {
error_reporting($_smarty_old_error_level);
}
if (isset($_template->smarty->security_policy)) {
$_template->smarty->security_policy->exitTemplate($_template);
}
// display or fetch
if ($display) {
if ($this->caching && $this->cache_modified_check) {
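Review bot: Between the startTemplate call in the first hunk and the exitTemplate call in the second, fetch's body is outside the view; if any path in that stretch returns early (a cached-content shortcut, for example), the counter is left incremented just as it is on an exception. A one-line comment at the startTemplate call, `// must be balanced by exitTemplate below on every path, including early returns and exceptions`, would make the invariant visible to the next maintainer. fetch starts before and ends after the hunks shown here.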
+36 -1
@@ -141,7 +141,18 @@ class Smarty_Security
* @var boolean
*/
public $allow_super_globals = true;
/**
* max template nesting level
*
* @var int
*/
public $max_template_nesting = 0;
/**
* current template nesting level
*
* @var int
*/
private $_current_template_nesting = 0;
/**
* Cache for $resource_dir lookup
*
@@ -502,4 +513,28 @@ class Smarty_Security
throw new SmartyException("directory '{$_filepath}' not allowed by security setting");
}
/**
* Start template processing
*
* @param $template
*
* @throws SmartyException
*/
public function startTemplate($template) {
if ($this->max_template_nesting > 0 && $this->_current_template_nesting++ >= $this->max_template_nesting) {
throw new SmartyException("maximum template nesting level of '{$this->max_template_nesting}' exceeded when calling '{$template->template_resource}'");
}
}
/**
* Exit template processing
*
* @param $template
*/
public function exitTemplate($template) {
if ($this->max_template_nesting > 0) {
$this->_current_template_nesting --;
}
}
}
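Review bot: In startTemplate the post-increment runs before the comparison, so the counter is raised even on the call that throws, and a caller that treats a throwing startTemplate as "not started" (and therefore never calls exitTemplate) cannot rebalance it; compare first and increment only on success: `if ($this->max_template_nesting > 0 && $this->_current_template_nesting >= $this->max_template_nesting) {` followed, after the if block, by `$this->_current_template_nesting++;`. The `$max_template_nesting` docblock should state that the default `0` disables the check entirely, since a reviewer enabling Smarty_Security would otherwise assume a limit is in force, e.g. `* max template nesting level (0 = no limit)`. Both `@param $template` tags carry no type; `@param Smarty_Internal_Template $template` matches what the callers pass. The same-line opening braces on startTemplate and exitTemplate differ from the next-line style used by the other methods in this commit.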