update trusted logic

This commit is contained in:
mohrt
2001-12-04 16:25:32 +00:00
parent b9916deb68
commit 950f460a25
2 changed files with 22 additions and 34 deletions


@@ -101,7 +101,7 @@ class Smarty
// fetches. true/false default true. // fetches. true/false default true.
var $cache_handler_func = ''; // function used for cached content. this is var $cache_handler_func = ''; // function used for cached content. this is
// an alternative to using the built-in file // an alternative to using the built-in file
// based caching. See docs for usage. // based caching.
var $tpl_file_ext = '.tpl'; // template file extention (deprecated) var $tpl_file_ext = '.tpl'; // template file extention (deprecated)
@@ -127,9 +127,9 @@ class Smarty
'PHP_TAGS' => false, 'PHP_TAGS' => false,
'MODIFIER_FUNCS' => array('count') 'MODIFIER_FUNCS' => array('count')
); );
var $trusted_dir = array(); // array of directories where trusted templates var $trusted_dir = ''; // directory where trusted templates
// reside ($security is disabled during their // reside ($security is disabled during their
// execution). // execution).
var $left_delimiter = '{'; // template tag delimiters. var $left_delimiter = '{'; // template tag delimiters.
var $right_delimiter = '}'; var $right_delimiter = '}';
@@ -220,13 +220,11 @@ class Smarty
$this->config_dir = SMARTY_DIR.$this->config_dir; $this->config_dir = SMARTY_DIR.$this->config_dir;
$this->compile_dir = SMARTY_DIR.$this->compile_dir; $this->compile_dir = SMARTY_DIR.$this->compile_dir;
$this->cache_dir = SMARTY_DIR.$this->cache_dir; $this->cache_dir = SMARTY_DIR.$this->cache_dir;
$this->trusted_dir = SMARTY_DIR.$this->trusted_dir;
for ($x=0; $x < count($this->secure_dir); $x++) { for ($x=0; $x < count($this->secure_dir); $x++) {
$this->secure_dir[$x] = SMARTY_DIR.$this->secure_dir[$x]; $this->secure_dir[$x] = SMARTY_DIR.$this->secure_dir[$x];
} }
for ($x=0; $x < count($this->trusted_dir); $x++) {
$this->trusted_dir[$x] = SMARTY_DIR.$this->trusted_dir[$x];
}
} }
foreach ($this->global_assign as $key => $var_name) { foreach ($this->global_assign as $key => $var_name) {
@@ -729,24 +727,20 @@ function _generate_debug_output() {
/*======================================================================*\ /*======================================================================*\
Function: _is_trusted() Function: _is_trusted()
Purpose: determins if a template is trusted or not. If trusted, Purpose: determines if a template is within the trusted_dir or not.
$security is disabled during its execution.
\*======================================================================*/ \*======================================================================*/
function _is_trusted($resource_type, $resource_name) { function _is_trusted($resource_type, $resource_name) {
$_smarty_trusted = false; $_smarty_trusted = false;
if ($this->security && !empty($this->trusted_dir)) { if (!empty($this->trusted_dir)) {
// see if template file is within a trusted directory. If so, // see if template file is within a trusted directory. If so,
// disable security during the execution of the template. // disable security during the execution of the template.
if ($resource_type == 'file') { if ($resource_type == 'file') {
foreach ($this->trusted_dir as $curr_dir) { if (is_readable ($this->trusted_dir)) {
if ( !empty($curr_dir) && is_readable ($curr_dir)) { if (substr(realpath($resource_name),0, strlen(realpath($this->trusted_dir))) == realpath($this->trusted_dir)) {
if (substr(realpath($resource_name),0, strlen(realpath($curr_dir))) == realpath($curr_dir)) { $_smarty_trusted = true;
$_smarty_trusted = true; }
break;
}
}
} }
} else { } else {
// resource is not on local file system // resource is not on local file system
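Review bot: The new constructor line `$this->trusted_dir = SMARTY_DIR.$this->trusted_dir;` runs unconditionally, so with the new default of `''` the property becomes SMARTY_DIR itself after construction and the `!empty($this->trusted_dir)` guard in `_is_trusted()` no longer short-circuits — as far as the rendered layout can be read (the enclosing `if` condition is outside the hunk), every file template under SMARTY_DIR would then pass the prefix test and run with `$security` disabled, which the old per-element loop over an empty array could never do. Keep the prefixing conditional: `if (!empty($this->trusted_dir)) { $this->trusted_dir = SMARTY_DIR.$this->trusted_dir; }`. Separately, the prefix comparison in `_is_trusted()` also accepts sibling paths that merely share the trusted directory's leading characters (a trusted dir `/x/tpl` matches `/x/tpl_other/...`), because `realpath()` returns no trailing separator. Compare against the directory with its separator appended, e.g. `$_trusted = realpath($this->trusted_dir) . DIRECTORY_SEPARATOR;` and `if (substr(realpath($resource_name), 0, strlen($_trusted)) === $_trusted) {`. Both the constructor block and `_is_trusted()` begin or end outside their hunks, and the second file section on this page carries the identical change, so the same two fixes apply there.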


@@ -101,7 +101,7 @@ class Smarty
// fetches. true/false default true. // fetches. true/false default true.
var $cache_handler_func = ''; // function used for cached content. this is var $cache_handler_func = ''; // function used for cached content. this is
// an alternative to using the built-in file // an alternative to using the built-in file
// based caching. See docs for usage. // based caching.
var $tpl_file_ext = '.tpl'; // template file extention (deprecated) var $tpl_file_ext = '.tpl'; // template file extention (deprecated)
@@ -127,9 +127,9 @@ class Smarty
'PHP_TAGS' => false, 'PHP_TAGS' => false,
'MODIFIER_FUNCS' => array('count') 'MODIFIER_FUNCS' => array('count')
); );
var $trusted_dir = array(); // array of directories where trusted templates var $trusted_dir = ''; // directory where trusted templates
// reside ($security is disabled during their // reside ($security is disabled during their
// execution). // execution).
var $left_delimiter = '{'; // template tag delimiters. var $left_delimiter = '{'; // template tag delimiters.
var $right_delimiter = '}'; var $right_delimiter = '}';
@@ -220,13 +220,11 @@ class Smarty
$this->config_dir = SMARTY_DIR.$this->config_dir; $this->config_dir = SMARTY_DIR.$this->config_dir;
$this->compile_dir = SMARTY_DIR.$this->compile_dir; $this->compile_dir = SMARTY_DIR.$this->compile_dir;
$this->cache_dir = SMARTY_DIR.$this->cache_dir; $this->cache_dir = SMARTY_DIR.$this->cache_dir;
$this->trusted_dir = SMARTY_DIR.$this->trusted_dir;
for ($x=0; $x < count($this->secure_dir); $x++) { for ($x=0; $x < count($this->secure_dir); $x++) {
$this->secure_dir[$x] = SMARTY_DIR.$this->secure_dir[$x]; $this->secure_dir[$x] = SMARTY_DIR.$this->secure_dir[$x];
} }
for ($x=0; $x < count($this->trusted_dir); $x++) {
$this->trusted_dir[$x] = SMARTY_DIR.$this->trusted_dir[$x];
}
} }
foreach ($this->global_assign as $key => $var_name) { foreach ($this->global_assign as $key => $var_name) {
@@ -729,24 +727,20 @@ function _generate_debug_output() {
/*======================================================================*\ /*======================================================================*\
Function: _is_trusted() Function: _is_trusted()
Purpose: determins if a template is trusted or not. If trusted, Purpose: determines if a template is within the trusted_dir or not.
$security is disabled during its execution.
\*======================================================================*/ \*======================================================================*/
function _is_trusted($resource_type, $resource_name) { function _is_trusted($resource_type, $resource_name) {
$_smarty_trusted = false; $_smarty_trusted = false;
if ($this->security && !empty($this->trusted_dir)) { if (!empty($this->trusted_dir)) {
// see if template file is within a trusted directory. If so, // see if template file is within a trusted directory. If so,
// disable security during the execution of the template. // disable security during the execution of the template.
if ($resource_type == 'file') { if ($resource_type == 'file') {
foreach ($this->trusted_dir as $curr_dir) { if (is_readable ($this->trusted_dir)) {
if ( !empty($curr_dir) && is_readable ($curr_dir)) { if (substr(realpath($resource_name),0, strlen(realpath($this->trusted_dir))) == realpath($this->trusted_dir)) {
if (substr(realpath($resource_name),0, strlen(realpath($curr_dir))) == realpath($curr_dir)) { $_smarty_trusted = true;
$_smarty_trusted = true; }
break;
}
}
} }
} else { } else {
// resource is not on local file system // resource is not on local file system