update file fetching logic
131
Smarty.class.php
131
Smarty.class.php
@@ -100,7 +100,7 @@ class Smarty
|
|||||||
// this will tell Smarty not to look for
|
// this will tell Smarty not to look for
|
||||||
// insert tags, thus speeding up cached page
|
// insert tags, thus speeding up cached page
|
||||||
// fetches. true/false default true.
|
// fetches. true/false default true.
|
||||||
var $cache_handler_func = null; // function used for cached content. this is
|
var $cache_handler_func = null; // function used for cached content. this is
|
||||||
// an alternative to using the built-in file
|
// an alternative to using the built-in file
|
||||||
// based caching.
|
// based caching.
|
||||||
|
|
||||||
@@ -131,7 +131,7 @@ class Smarty
|
|||||||
'PHP_TAGS' => false,
|
'PHP_TAGS' => false,
|
||||||
'MODIFIER_FUNCS' => array('count')
|
'MODIFIER_FUNCS' => array('count')
|
||||||
);
|
);
|
||||||
var $trusted_dir = ''; // directory where trusted templates
|
var $trusted_dir = array(); // directories where trusted templates
|
||||||
// reside ($security is disabled during their
|
// reside ($security is disabled during their
|
||||||
// execution).
|
// execution).
|
||||||
|
|
||||||
@@ -729,11 +729,16 @@ function _is_trusted($resource_type, $resource_name)
|
|||||||
// disable security during the execution of the template.
|
// disable security during the execution of the template.
|
||||||
|
|
||||||
if ($resource_type == 'file') {
|
if ($resource_type == 'file') {
|
||||||
if (is_readable ($this->trusted_dir)) {
|
if (!empty($this->trusted_dir)) {
|
||||||
if (substr(realpath($resource_name), 0, strlen(realpath($this->trusted_dir))) == realpath($this->trusted_dir)) {
|
foreach ((array)$this->trusted_dir as $curr_dir) {
|
||||||
$_smarty_trusted = true;
|
if ( !empty($curr_dir) && is_readable ($curr_dir)) {
|
||||||
|
if (substr(realpath($resource_name),0, strlen(realpath($curr_dir))) == realpath($curr_dir)) {
|
||||||
|
$_smarty_trusted = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// resource is not on local file system
|
// resource is not on local file system
|
||||||
$_smarty_trusted = false;
|
$_smarty_trusted = false;
|
||||||
@@ -858,7 +863,7 @@ function _is_trusted($resource_type, $resource_name)
|
|||||||
Function: _parse_file_path
|
Function: _parse_file_path
|
||||||
Purpose: parse out the type and name from the template resource
|
Purpose: parse out the type and name from the template resource
|
||||||
\*======================================================================*/
|
\*======================================================================*/
|
||||||
function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) {
|
function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) {
|
||||||
|
|
||||||
// split tpl_path by the first colon
|
// split tpl_path by the first colon
|
||||||
$file_path_parts = explode(':', $file_path, 2);
|
$file_path_parts = explode(':', $file_path, 2);
|
||||||
@@ -875,10 +880,21 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
if ($resource_type == 'file') {
|
if ($resource_type == 'file') {
|
||||||
if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) {
|
if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) {
|
||||||
// relative pathname to $file_base_path
|
// relative pathname to $file_base_path
|
||||||
$resource_name = $file_base_path.'/'.$resource_name;
|
// use the first directory where the file is found
|
||||||
|
foreach((array)$file_base_path as $curr_path) {
|
||||||
|
if(@is_file($curr_path.'/'.$resource_name)) {
|
||||||
|
$resource_name = $curr_path.'/'.$resource_name;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// didn't find the file
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
// resource type != file
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*======================================================================*\
|
/*======================================================================*\
|
||||||
@@ -889,64 +905,50 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true)
|
function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true)
|
||||||
{
|
{
|
||||||
|
|
||||||
$this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name);
|
$_return = false;
|
||||||
|
if($this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name)) {
|
||||||
if ($this->security && !$this->_is_secure($resource_type, $resource_name) && !$this->_is_trusted($resource_type, $resource_name)) {
|
switch ($resource_type) {
|
||||||
$this->_trigger_error_msg("(secure mode) accessing \"$tpl_path\" is not allowed");
|
case 'file':
|
||||||
return false;
|
if (@is_file($resource_name)) {
|
||||||
}
|
if ($get_source) {
|
||||||
switch ($resource_type) {
|
$template_source = $this->_read_file($resource_name);
|
||||||
case 'file':
|
}
|
||||||
|
$template_timestamp = filemtime($resource_name);
|
||||||
$_is_file = false;
|
$_return = true;
|
||||||
|
}
|
||||||
if (!@is_file($resource_name)) {
|
break;
|
||||||
if(!empty($this->default_template_handler_func)) {
|
default:
|
||||||
if(!function_exists($this->default_template_handler_func)) {
|
if (isset($this->resource_funcs[$resource_type])) {
|
||||||
$this->_trigger_error_msg("default template handler function \"$this->default_template_handler_func\" doesn't exist.");
|
$funcname = $this->resource_funcs[$resource_type];
|
||||||
return false;
|
if (function_exists($funcname)) {
|
||||||
}
|
// call the function to fetch the template
|
||||||
// call default template handler function
|
$_return = $funcname($resource_name, $template_source, $template_timestamp, $get_source, $this);
|
||||||
$funcname = $this->default_template_handler_func;
|
}
|
||||||
if($funcname($resource_type, $resource_name)) {
|
}
|
||||||
// test for file once more
|
break;
|
||||||
if(@is_file($resource_name)) {
|
}
|
||||||
$_is_file = true;
|
}
|
||||||
}
|
if(!$_return) {
|
||||||
}
|
// see if we can get a template with the default template handler
|
||||||
}
|
if(!empty($this->default_template_handler_func)) {
|
||||||
} else {
|
if(!function_exists($this->default_template_handler_func)) {
|
||||||
$_is_file = true;
|
$this->_trigger_error_msg("default template handler function \"$this->default_template_handler_func\" doesn't exist.");
|
||||||
|
$_return = false;
|
||||||
}
|
}
|
||||||
|
$funcname = $this->default_template_handler_func;
|
||||||
|
$_return = $funcname($resource_type, $resource_name, $template_source, $template_timestamp, $this);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ($_is_file) {
|
if(!$_return) {
|
||||||
if ($get_source) {
|
$this->_trigger_error_msg("unable to read template resource: \"$tpl_path\"");
|
||||||
$template_source = $this->_read_file($resource_name);
|
} elseif ($_return && $this->security && !$this->_is_secure($resource_type, $resource_name) && !$this->_is_trusted($resource_type, $resource_name)) {
|
||||||
}
|
$this->_trigger_error_msg("(secure mode) accessing \"$tpl_path\" is not allowed");
|
||||||
$template_timestamp = filemtime($resource_name);
|
$template_source = null;
|
||||||
} else {
|
$template_timestamp = null;
|
||||||
$this->_trigger_error_msg("unable to read template resource: \"$tpl_path\"");
|
return false;
|
||||||
return false;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
if (isset($this->resource_funcs[$resource_type])) {
|
|
||||||
$funcname = $this->resource_funcs[$resource_type];
|
|
||||||
if (function_exists($funcname)) {
|
|
||||||
// call the function to fetch the template
|
|
||||||
$funcname($resource_name, $template_source, $template_timestamp, $get_source);
|
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
$this->_trigger_error_msg("resource function: \"$funcname\" does not exist for resource type: \"$resource_type\".");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$this->_trigger_error_msg("unknown resource type: \"$resource_type\". Register this resource first.");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
return true;
|
return $_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1042,7 +1044,6 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*======================================================================*\
|
/*======================================================================*\
|
||||||
Function: _config_load
|
Function: _config_load
|
||||||
Purpose: load configuration values
|
Purpose: load configuration values
|
||||||
|
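Review bot: In the rewritten `_fetch_template_info`, the `default_template_handler_func` branch reports a missing handler and sets `$_return = false` but then still falls through to `$funcname = $this->default_template_handler_func;` and calls it, so a misconfigured handler name now ends in a fatal call to an undefined function instead of the reported error; guard the call with `} else { $funcname = $this->default_template_handler_func; $_return = $funcname($resource_type, $resource_name, $template_source, $template_timestamp, $this); }`. The secure-mode `_is_secure`/`_is_trusted` check also moved from before the `switch` to after it, so `_read_file()` or a registered resource function now runs before the policy decision and its result is only discarded afterwards; evaluating that check ahead of the `switch`, as the removed lines did, keeps disallowed resources from being opened at all. The new `_is_trusted` loop compares `realpath($curr_dir)` as a bare string prefix with `==`, which also matches sibling directories whose names merely start with the trusted one; appending `DIRECTORY_SEPARATOR` to the prefix and comparing with `===` closes that. `_parse_file_path` now returns `false` and leaves `$resource_name` unprefixed when no directory contains the file, but the `Smarty_Compiler` include_php hunk (line 475) ignores the return value and goes on to test `@is_file($resource_name)` against the relative name; treating a `false` return as "not readable" there keeps the lookup confined to `$trusted_dir`. The `default:` branch also silently drops the former "resource function ... does not exist" and "unknown resource type" diagnostics, which the generic "unable to read template resource" message does not replace.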
@@ -475,6 +475,7 @@ class Smarty_Compiler extends Smarty {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
|
$this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
|
||||||
|
|
||||||
if ($this->security) {
|
if ($this->security) {
|
||||||
if( $resource_type != 'file' || !@is_file($resource_name)) {
|
if( $resource_type != 'file' || !@is_file($resource_name)) {
|
||||||
$this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
|
$this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
|
||||||
|
@@ -100,7 +100,7 @@ class Smarty
|
|||||||
// this will tell Smarty not to look for
|
// this will tell Smarty not to look for
|
||||||
// insert tags, thus speeding up cached page
|
// insert tags, thus speeding up cached page
|
||||||
// fetches. true/false default true.
|
// fetches. true/false default true.
|
||||||
var $cache_handler_func = null; // function used for cached content. this is
|
var $cache_handler_func = null; // function used for cached content. this is
|
||||||
// an alternative to using the built-in file
|
// an alternative to using the built-in file
|
||||||
// based caching.
|
// based caching.
|
||||||
|
|
||||||
@@ -131,7 +131,7 @@ class Smarty
|
|||||||
'PHP_TAGS' => false,
|
'PHP_TAGS' => false,
|
||||||
'MODIFIER_FUNCS' => array('count')
|
'MODIFIER_FUNCS' => array('count')
|
||||||
);
|
);
|
||||||
var $trusted_dir = ''; // directory where trusted templates
|
var $trusted_dir = array(); // directories where trusted templates
|
||||||
// reside ($security is disabled during their
|
// reside ($security is disabled during their
|
||||||
// execution).
|
// execution).
|
||||||
|
|
||||||
@@ -729,11 +729,16 @@ function _is_trusted($resource_type, $resource_name)
|
|||||||
// disable security during the execution of the template.
|
// disable security during the execution of the template.
|
||||||
|
|
||||||
if ($resource_type == 'file') {
|
if ($resource_type == 'file') {
|
||||||
if (is_readable ($this->trusted_dir)) {
|
if (!empty($this->trusted_dir)) {
|
||||||
if (substr(realpath($resource_name), 0, strlen(realpath($this->trusted_dir))) == realpath($this->trusted_dir)) {
|
foreach ((array)$this->trusted_dir as $curr_dir) {
|
||||||
$_smarty_trusted = true;
|
if ( !empty($curr_dir) && is_readable ($curr_dir)) {
|
||||||
|
if (substr(realpath($resource_name),0, strlen(realpath($curr_dir))) == realpath($curr_dir)) {
|
||||||
|
$_smarty_trusted = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// resource is not on local file system
|
// resource is not on local file system
|
||||||
$_smarty_trusted = false;
|
$_smarty_trusted = false;
|
||||||
@@ -858,7 +863,7 @@ function _is_trusted($resource_type, $resource_name)
|
|||||||
Function: _parse_file_path
|
Function: _parse_file_path
|
||||||
Purpose: parse out the type and name from the template resource
|
Purpose: parse out the type and name from the template resource
|
||||||
\*======================================================================*/
|
\*======================================================================*/
|
||||||
function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) {
|
function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resource_name) {
|
||||||
|
|
||||||
// split tpl_path by the first colon
|
// split tpl_path by the first colon
|
||||||
$file_path_parts = explode(':', $file_path, 2);
|
$file_path_parts = explode(':', $file_path, 2);
|
||||||
@@ -875,10 +880,21 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
if ($resource_type == 'file') {
|
if ($resource_type == 'file') {
|
||||||
if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) {
|
if (!preg_match("/^([\/\\\\]|[a-zA-Z]:[\/\\\\])/", $resource_name)) {
|
||||||
// relative pathname to $file_base_path
|
// relative pathname to $file_base_path
|
||||||
$resource_name = $file_base_path.'/'.$resource_name;
|
// use the first directory where the file is found
|
||||||
|
foreach((array)$file_base_path as $curr_path) {
|
||||||
|
if(@is_file($curr_path.'/'.$resource_name)) {
|
||||||
|
$resource_name = $curr_path.'/'.$resource_name;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// didn't find the file
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
// resource type != file
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*======================================================================*\
|
/*======================================================================*\
|
||||||
@@ -889,64 +905,50 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true)
|
function _fetch_template_info($tpl_path, &$template_source, &$template_timestamp, $get_source=true)
|
||||||
{
|
{
|
||||||
|
|
||||||
$this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name);
|
$_return = false;
|
||||||
|
if($this->_parse_file_path($this->template_dir, $tpl_path, $resource_type, $resource_name)) {
|
||||||
if ($this->security && !$this->_is_secure($resource_type, $resource_name) && !$this->_is_trusted($resource_type, $resource_name)) {
|
switch ($resource_type) {
|
||||||
$this->_trigger_error_msg("(secure mode) accessing \"$tpl_path\" is not allowed");
|
case 'file':
|
||||||
return false;
|
if (@is_file($resource_name)) {
|
||||||
}
|
if ($get_source) {
|
||||||
switch ($resource_type) {
|
$template_source = $this->_read_file($resource_name);
|
||||||
case 'file':
|
}
|
||||||
|
$template_timestamp = filemtime($resource_name);
|
||||||
$_is_file = false;
|
$_return = true;
|
||||||
|
}
|
||||||
if (!@is_file($resource_name)) {
|
break;
|
||||||
if(!empty($this->default_template_handler_func)) {
|
default:
|
||||||
if(!function_exists($this->default_template_handler_func)) {
|
if (isset($this->resource_funcs[$resource_type])) {
|
||||||
$this->_trigger_error_msg("default template handler function \"$this->default_template_handler_func\" doesn't exist.");
|
$funcname = $this->resource_funcs[$resource_type];
|
||||||
return false;
|
if (function_exists($funcname)) {
|
||||||
}
|
// call the function to fetch the template
|
||||||
// call default template handler function
|
$_return = $funcname($resource_name, $template_source, $template_timestamp, $get_source, $this);
|
||||||
$funcname = $this->default_template_handler_func;
|
}
|
||||||
if($funcname($resource_type, $resource_name)) {
|
}
|
||||||
// test for file once more
|
break;
|
||||||
if(@is_file($resource_name)) {
|
}
|
||||||
$_is_file = true;
|
}
|
||||||
}
|
if(!$_return) {
|
||||||
}
|
// see if we can get a template with the default template handler
|
||||||
}
|
if(!empty($this->default_template_handler_func)) {
|
||||||
} else {
|
if(!function_exists($this->default_template_handler_func)) {
|
||||||
$_is_file = true;
|
$this->_trigger_error_msg("default template handler function \"$this->default_template_handler_func\" doesn't exist.");
|
||||||
|
$_return = false;
|
||||||
}
|
}
|
||||||
|
$funcname = $this->default_template_handler_func;
|
||||||
|
$_return = $funcname($resource_type, $resource_name, $template_source, $template_timestamp, $this);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ($_is_file) {
|
if(!$_return) {
|
||||||
if ($get_source) {
|
$this->_trigger_error_msg("unable to read template resource: \"$tpl_path\"");
|
||||||
$template_source = $this->_read_file($resource_name);
|
} elseif ($_return && $this->security && !$this->_is_secure($resource_type, $resource_name) && !$this->_is_trusted($resource_type, $resource_name)) {
|
||||||
}
|
$this->_trigger_error_msg("(secure mode) accessing \"$tpl_path\" is not allowed");
|
||||||
$template_timestamp = filemtime($resource_name);
|
$template_source = null;
|
||||||
} else {
|
$template_timestamp = null;
|
||||||
$this->_trigger_error_msg("unable to read template resource: \"$tpl_path\"");
|
return false;
|
||||||
return false;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
if (isset($this->resource_funcs[$resource_type])) {
|
|
||||||
$funcname = $this->resource_funcs[$resource_type];
|
|
||||||
if (function_exists($funcname)) {
|
|
||||||
// call the function to fetch the template
|
|
||||||
$funcname($resource_name, $template_source, $template_timestamp, $get_source);
|
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
$this->_trigger_error_msg("resource function: \"$funcname\" does not exist for resource type: \"$resource_type\".");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$this->_trigger_error_msg("unknown resource type: \"$resource_type\". Register this resource first.");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
return true;
|
return $_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1042,7 +1044,6 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*======================================================================*\
|
/*======================================================================*\
|
||||||
Function: _config_load
|
Function: _config_load
|
||||||
Purpose: load configuration values
|
Purpose: load configuration values
|
||||||
|
@@ -475,6 +475,7 @@ class Smarty_Compiler extends Smarty {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
|
$this->_parse_file_path($this->trusted_dir, $this->_dequote($attrs['file']), $resource_type, $resource_name);
|
||||||
|
|
||||||
if ($this->security) {
|
if ($this->security) {
|
||||||
if( $resource_type != 'file' || !@is_file($resource_name)) {
|
if( $resource_type != 'file' || !@is_file($resource_name)) {
|
||||||
$this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
|
$this->_syntax_error("include_php: $resource_type: $resource_name is not readable");
|
||||||
|