smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-05 02:44:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

update include_path handling

Browse Source
This commit is contained in:
Uwe Tews
2015-07-07 17:55:45 +02:00
parent 733755f94a
commit 7fa6c4fd47
2 changed files with 59 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
libs/sysplugins/smarty_internal_get_include_path.php
View File

@@ -27,29 +27,36 @@ class Smarty_Internal_Get_Include_Path
*/ */
public static function getIncludePath($dirs, $file, Smarty $smarty) public static function getIncludePath($dirs, $file, Smarty $smarty)
{ {
static $_include_path = null; static $_include_path = '';
static $_include_dirs = array();
static $_has_stream_include = null; static $_has_stream_include = null;
if ($_include_path === null) { $_i_path = get_include_path();
$_include_path = (array) explode(PATH_SEPARATOR, get_include_path()); if ($_include_path != $_i_path) {
foreach ($_include_path as $key => $_path) { $_include_path = $_i_path;
$_include_path[$key] = rtrim($_path, '/\\'); $_dirs = (array) explode(PATH_SEPARATOR, $_i_path);
$_include_dirs = array();
foreach ($_dirs as $_path) {
$_include_dirs[] = rtrim($_path, '/\\');
} }
$_has_stream_include = function_exists('stream_resolve_include_path'); $_has_stream_include = function_exists('stream_resolve_include_path');
} }
// try PHP include_path // try PHP include_path
foreach ($dirs as $dir) { foreach ($dirs as $dir) {
if ($dir[0] == '/' || $dir[1] == ':') {
$dir = $smarty->_realpath($dir, false);
}
if ($dir[0] != '/' && $dir[1] != ':') { if ($dir[0] != '/' && $dir[1] != ':') {
$_d_path = $dir . isset($file) ? $file : ''; $_d_path = $dir . (isset($file) ? $file : '');
if ($_has_stream_include) { if ($_has_stream_include) {
// available since PHP 5.3.2 // available since PHP 5.3.2
$path = stream_resolve_include_path($_d_path); $path = stream_resolve_include_path($_d_path);
if ($path !== false && is_file($path)) { if ($path !== false && is_file($path)) {
return $smarty->_realpath($path); return $smarty->_realpath($path, true);
} }
} }
foreach ($_include_path as $_i_path) { foreach ($_include_dirs as $_i_path) {
if (is_file($_i_path . DS . $_d_path)) { if (is_file($_i_path . DS . $_d_path)) {
return $smarty->_realpath($_i_path . DS . $_d_path); return $smarty->_realpath($_i_path . DS . $_d_path, true);
} }
} }
} }

55
libs/sysplugins/smarty_security.php
View File

@@ -238,6 +238,20 @@ class Smarty_Security
*/ */
protected $_trusted_dir = null; protected $_trusted_dir = null;
/**
* Cache for $_include_path lookup
*
* @var string
*/
protected $_include_path = '';
/**
* Cache for $_include_array lookup
*
* @var array
*/
protected $_include_dir = array();
/** /**
* @param Smarty $smarty * @param Smarty $smarty
*/ */
@@ -356,8 +370,9 @@ class Smarty_Security
{ {
// check for internal always required tags // check for internal always required tags
if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin', if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin',
'private_function_plugin', 'private_object_block_function', 'private_object_function', 'private_function_plugin', 'private_object_block_function',
'private_registered_function', 'private_registered_block', 'private_special_variable', 'private_object_function', 'private_registered_function',
'private_registered_block', 'private_special_variable',
'private_print_expression', 'private_modifier'))) { 'private_print_expression', 'private_modifier'))) {
return true; return true;
} }
@@ -483,6 +498,26 @@ class Smarty_Security
*/ */
public function isTrustedResourceDir($filepath, $isConfig = null) public function isTrustedResourceDir($filepath, $isConfig = null)
{ {
if ($this->smarty->use_include_path) {
$_include_path = get_include_path();
} else {
$_include_path = '';
}
if ($this->_include_path != $_include_path) {
foreach ($this->_include_dir as $directory) {
unset($this->_resource_dir[$directory]);
}
if ($this->smarty->use_include_path) {
$this->_include_dir = array();
$_dirs = (array) explode(PATH_SEPARATOR, get_include_path());
foreach ($_dirs as $_dir) {
$directory = $this->smarty->_realpath($_dir . DS, true);
$this->_include_dir[] = $directory;
$this->_resource_dir[$directory] = true;
}
}
$this->_include_path = $_include_path;
}
if ($isConfig !== true) { if ($isConfig !== true) {
$_dir = $this->smarty->getTemplateDir(); $_dir = $this->smarty->getTemplateDir();
if ($this->_template_dir !== $_dir) { if ($this->_template_dir !== $_dir) {
@@ -490,9 +525,6 @@ class Smarty_Security
unset($this->_resource_dir[$directory]); unset($this->_resource_dir[$directory]);
} }
foreach ($_dir as $directory) { foreach ($_dir as $directory) {
if ($this->smarty->use_include_path) {
$directory = $this->smarty->_realpath($directory);
}
$this->_resource_dir[$directory] = true; $this->_resource_dir[$directory] = true;
} }
$this->_template_dir = $_dir; $this->_template_dir = $_dir;
@@ -505,9 +537,6 @@ class Smarty_Security
unset($this->_resource_dir[$directory]); unset($this->_resource_dir[$directory]);
} }
foreach ($_dir as $directory) { foreach ($_dir as $directory) {
if ($this->smarty->use_include_path) {
$directory = $this->smarty->_realpath($directory);
}
$this->_resource_dir[$directory] = true; $this->_resource_dir[$directory] = true;
} }
$this->_config_dir = $_dir; $this->_config_dir = $_dir;
@@ -518,7 +547,7 @@ class Smarty_Security
unset($this->_resource_dir[$directory]); unset($this->_resource_dir[$directory]);
} }
foreach ((array) $this->secure_dir as $directory) { foreach ((array) $this->secure_dir as $directory) {
$directory = $this->smarty->_realpath($directory . DS); $directory = $this->smarty->_realpath($directory . DS, true);
$this->_resource_dir[$directory] = true; $this->_resource_dir[$directory] = true;
} }
$this->_secure_dir = (array) $this->secure_dir; $this->_secure_dir = (array) $this->secure_dir;
@@ -538,11 +567,11 @@ class Smarty_Security
return true; return true;
} }
// abort if we've reached root // abort if we've reached root
if (($pos = strrpos($directory, DS)) === false || !isset($directory[1])) { if (!preg_match('#[\\\/][^\\\/]+[\\\/]$#', $directory)) {
break; break;
} }
// bubble up one level // bubble up one level
$directory = substr($directory, 0, $pos); $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DS, $directory);
} }
// give up // give up
@@ -596,12 +625,12 @@ class Smarty_Security
$this->_trusted_dir = $this->trusted_dir; $this->_trusted_dir = $this->trusted_dir;
foreach ((array) $this->trusted_dir as $directory) { foreach ((array) $this->trusted_dir as $directory) {
$directory = $this->smarty->_realpath($directory . DS); $directory = $this->smarty->_realpath($directory . DS, true);
$this->_php_resource_dir[$directory] = true; $this->_php_resource_dir[$directory] = true;
} }
} }
$_filepath = $this->smarty->_realpath($filepath); $_filepath = $this->smarty->_realpath($filepath, true);
$directory = dirname($_filepath) . DS; $directory = dirname($_filepath) . DS;
$_directory = array(); $_directory = array();
while (true) { while (true) {