From 7014505d59f023493951a605181b2e42263a08f9 Mon Sep 17 00:00:00 2001
From: mohrt
Date: Tue, 4 Dec 2001 22:31:47 +0000
Subject: [PATCH] update ChangeLog
---
 NEWS | 1 +
 Smarty.class.php | 26 +++++++++++----------
 Smarty_Compiler.class.php | 42 ++++++++++++++++++++++++++++++++++
 libs/Smarty.class.php | 26 +++++++++++----------
 libs/Smarty_Compiler.class.php | 42 ++++++++++++++++++++++++++++++++++
 5 files changed, 113 insertions(+), 24 deletions(-)
diff --git a/NEWS b/NEWS
index f68893cb..ea824690 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,4 @@
+ - add include_php built-in function (Monte)
 - added trusted_dir functionality, documented. (Monte)
 - consolidated secure_dir tests to one function. (Monte)
 - prepended _smarty_ to variable names in fetch() class function to avoid
diff --git a/Smarty.class.php b/Smarty.class.php
index a6339dfb..cc3b139e 100644
--- a/Smarty.class.php
+++ b/Smarty.class.php
@@ -589,7 +589,7 @@ class Smarty
 $_smarty_trusted = false;
 if ($this->security) {
- $this->_parse_tpl_path($_smarty_tpl_file, $resource_type, $resource_name);
+ $this->_parse_file_path($this->template_dir, $_smarty_tpl_file, $resource_type, $resource_name);
 if ($this->_is_trusted($resource_type, $resource_name)) {
 $_smarty_trusted = true;
 $this->security = false;
@@ -851,26 +851,27 @@ function _is_trusted($resource_type, $resource_name) } /*======================================================================*\ - Function: _parse_tpl_path + Function: _parse_file_path Purpose: parse out the type and name from the template resource \*======================================================================*/ -function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { +function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) { + // split tpl_path by the first colon - $tpl_path_parts = explode(':', $tpl_path, 2); + $file_path_parts = explode(':', $file_path, 2); - if (count($tpl_path_parts) == 1) { + if (count($file_path_parts) == 1) { // no resource type, treat as type "file" $resource_type = 'file'; - $resource_name = $tpl_path_parts[0]; + $resource_name = $file_path_parts[0]; } else { - $resource_type = $tpl_path_parts[0]; - $resource_name = $tpl_path_parts[1]; + $resource_type = $file_path_parts[0]; + $resource_name = $file_path_parts[1]; } if ($resource_type == 'file') { if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) { - // relative pathname to $template_dir - $resource_name = $this->template_dir.'/'.$resource_name; + // relative pathname to $file_base_path + $resource_name = $file_base_path.'/'.$resource_name; } } } @@ -884,7 +885,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true) { - $this->_parse_tpl_path($tpl_path, $resource_type, $resource_name); + $this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name); switch ($resource_type) { case 'file': 
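Review bot: The new `$file_base_path` parameter of `_parse_file_path` is undocumented: the banner still reads `Purpose: parse out the type and name from the template resource` and the inline comment still says `// split tpl_path by the first colon`; suggest `Purpose: split a "type:name" resource spec; a relative "file" name is prefixed with $file_base_path (template_dir for templates, trusted_dir for include_php)` and `// split file_path by the first colon`. The relative branch builds `$file_base_path.'/'.$resource_name` textually with no canonicalisation, and a name matching the absolute-path `preg_match` on the line above bypasses the base directory entirely, so whether a name containing `..` segments actually lands inside the intended directory depends entirely on `_is_trusted`, which is outside this hunk. Since this function now feeds the `include_php` trust check, consider applying `realpath()` to the result (or rejecting `..` segments) here rather than relying on every caller to do it. The same hunk is repeated for libs/Smarty.class.php further down and has the same gaps.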
@@ -954,6 +955,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { $smarty_compiler->security = $this->security; $smarty_compiler->secure_dir = $this->secure_dir; $smarty_compiler->security_settings = $this->security_settings; + $smarty_compiler->trusted_dir = $this->trusted_dir; if ($smarty_compiler->_compile_file($tpl_file, $template_source, $template_compiled)) return true; @@ -983,7 +985,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { array_unshift($this->_config, $this->_config[0]); $compile_path = $this->_get_compile_path($_smarty_include_tpl_file); - $this->_parse_tpl_path($_smarty_include_tpl_file, $resource_type, $resource_name); + $this->_parse_file_path($this->template_dir, $_smarty_include_tpl_file, $resource_type, $resource_name); if ($this->security && $this->_is_trusted($resource_type, $resource_name)) { $_smarty_trusted = true; $this->security = false; diff --git a/Smarty_Compiler.class.php b/Smarty_Compiler.class.php index 8299f122..bf0eee73 100644 --- a/Smarty_Compiler.class.php +++ b/Smarty_Compiler.class.php @@ -219,6 +219,9 @@ class Smarty_Compiler extends Smarty { case 'include': return $this->_compile_include_tag($tag_args); + case 'include_php': + return $this->_compile_include_php_tag($tag_args); + case 'if': return $this->_compile_if_tag($tag_args); 
@@ -440,6 +443,45 @@ class Smarty_Compiler extends Smarty {
 "unset(\$_smarty_tpl_vars); ?>";
 }
+/*======================================================================*\
+ Function: _compile_include_php_tag
+ Purpose: Compile {include ...} tag
+\*======================================================================*/
+ function _compile_include_php_tag($tag_args)
+ {
+ $attrs = $this->_parse_attrs($tag_args);
+ $arg_list = array();
+
+ if (empty($attrs['file'])) {
+ $this->_syntax_error("missing 'file' attribute in include_php tag");
+ return false;
+ }
+
+ if($this->security) {
+ $this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
+ if( $resource_type != 'file' || !is_file( $resource_name )) {
+ $this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
+ return false;
+ }
+ if(!$this->_is_trusted($resource_type, $resource_name)) {
+ $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted");
+ return false;
+ }
+ }
+
+ foreach ($attrs as $arg_name => $arg_value) {
+ if ($arg_name == 'file') {
+ $include_file = $arg_value;
+ continue;
+ }
+ if (is_bool($arg_value))
+ $arg_value = $arg_value ? 'true' : 'false';
+ $arg_list[] = "'$arg_name' => $arg_value";
+ }
+
+ return "";
+ }
+
 /*======================================================================*\
 Function: _compile_section_start
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index a6339dfb..cc3b139e 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -589,7 +589,7 @@ class Smarty
 $_smarty_trusted = false;
 if ($this->security) {
- $this->_parse_tpl_path($_smarty_tpl_file, $resource_type, $resource_name);
+ $this->_parse_file_path($this->template_dir, $_smarty_tpl_file, $resource_type, $resource_name);
 if ($this->_is_trusted($resource_type, $resource_name)) {
 $_smarty_trusted = true;
 $this->security = false;
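Review bot: The path that is validated and the path that is emitted are not the same value: with `security` on, `_parse_file_path($this->trusted_dir, ...)` resolves the dequoted attribute into `$resource_name` and checks it with `is_file` and `_is_trusted`, but the `foreach` below keeps the raw attribute in `$include_file`, so the compiled template includes the attribute as written, re-resolved against whatever base applies at render time, and the check is never repeated for the cached compiled output. After the trust check succeeds, replace the attribute with the verified name, e.g. `$attrs['file'] = "'" . addslashes($resource_name) . "'";`, so the checked and included strings are identical. The `is_file( $resource_name )` test is reported as `is not readable`; `is_readable()` matches the message and also catches permission problems. The banner says `Purpose: Compile {include ...} tag` and should read `Purpose: Compile {include_php ...} tag`, and `return "";` looks truncated in this rendering (presumably a `<?php ... ?>` string the page stripped), so the actual use of `$include_file` and `$arg_list` cannot be reviewed here. The identical hunk in libs/Smarty_Compiler.class.php has the same issues.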
@@ -851,26 +851,27 @@ function _is_trusted($resource_type, $resource_name) } /*======================================================================*\ - Function: _parse_tpl_path + Function: _parse_file_path Purpose: parse out the type and name from the template resource \*======================================================================*/ -function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { +function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) { + // split tpl_path by the first colon - $tpl_path_parts = explode(':', $tpl_path, 2); + $file_path_parts = explode(':', $file_path, 2); - if (count($tpl_path_parts) == 1) { + if (count($file_path_parts) == 1) { // no resource type, treat as type "file" $resource_type = 'file'; - $resource_name = $tpl_path_parts[0]; + $resource_name = $file_path_parts[0]; } else { - $resource_type = $tpl_path_parts[0]; - $resource_name = $tpl_path_parts[1]; + $resource_type = $file_path_parts[0]; + $resource_name = $file_path_parts[1]; } if ($resource_type == 'file') { if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) { - // relative pathname to $template_dir - $resource_name = $this->template_dir.'/'.$resource_name; + // relative pathname to $file_base_path + $resource_name = $file_base_path.'/'.$resource_name; } } } @@ -884,7 +885,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true) { - $this->_parse_tpl_path($tpl_path, $resource_type, $resource_name); + $this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name); switch ($resource_type) { case 'file': 
@@ -954,6 +955,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { $smarty_compiler->security = $this->security; $smarty_compiler->secure_dir = $this->secure_dir; $smarty_compiler->security_settings = $this->security_settings; + $smarty_compiler->trusted_dir = $this->trusted_dir; if ($smarty_compiler->_compile_file($tpl_file, $template_source, $template_compiled)) return true; @@ -983,7 +985,7 @@ function _parse_tpl_path($tpl_path, &$resource_type, &$resource_name) { array_unshift($this->_config, $this->_config[0]); $compile_path = $this->_get_compile_path($_smarty_include_tpl_file); - $this->_parse_tpl_path($_smarty_include_tpl_file, $resource_type, $resource_name); + $this->_parse_file_path($this->template_dir, $_smarty_include_tpl_file, $resource_type, $resource_name); if ($this->security && $this->_is_trusted($resource_type, $resource_name)) { $_smarty_trusted = true; $this->security = false; diff --git a/libs/Smarty_Compiler.class.php b/libs/Smarty_Compiler.class.php index 8299f122..bf0eee73 100644 --- a/libs/Smarty_Compiler.class.php +++ b/libs/Smarty_Compiler.class.php @@ -219,6 +219,9 @@ class Smarty_Compiler extends Smarty { case 'include': return $this->_compile_include_tag($tag_args); + case 'include_php': + return $this->_compile_include_php_tag($tag_args); + case 'if': return $this->_compile_if_tag($tag_args); 
@@ -440,6 +443,45 @@ class Smarty_Compiler extends Smarty {
 "unset(\$_smarty_tpl_vars); ?>";
 }
+/*======================================================================*\
+ Function: _compile_include_php_tag
+ Purpose: Compile {include ...} tag
+\*======================================================================*/
+ function _compile_include_php_tag($tag_args)
+ {
+ $attrs = $this->_parse_attrs($tag_args);
+ $arg_list = array();
+
+ if (empty($attrs['file'])) {
+ $this->_syntax_error("missing 'file' attribute in include_php tag");
+ return false;
+ }
+
+ if($this->security) {
+ $this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
+ if( $resource_type != 'file' || !is_file( $resource_name )) {
+ $this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
+ return false;
+ }
+ if(!$this->_is_trusted($resource_type, $resource_name)) {
+ $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted");
+ return false;
+ }
+ }
+
+ foreach ($attrs as $arg_name => $arg_value) {
+ if ($arg_name == 'file') {
+ $include_file = $arg_value;
+ continue;
+ }
+ if (is_bool($arg_value))
+ $arg_value = $arg_value ? 'true' : 'false';
+ $arg_list[] = "'$arg_name' => $arg_value";
+ }
+
+ return "";
+ }
+
 /*======================================================================*\
 Function: _compile_section_start