Merge branch 'v2.6.26'

2025-08-05 10:54:27 +02:00 · 2014-10-31 00:57:26 +01:00
parent de8354e152 8bcad8125a
commit ad3e64b890
3 changed files with 45 additions and 27 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+- revert super global access changes, and instead rely on
+  USE_SUPER_GLOBALS for security
+
 Version 2.6.25 (May 19th, 2009)
 -------------------------------
 - fix E_NOTICE when sessions are disabled (mohrt)
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -562,14 +562,6 @@ class Smarty
     */
    var $_cache_including = false;

-    /**
-     * array of super globals internally
-     *
-     * @var array
-     */
-    var $_supers = array();
-
-
    /**#@-*/
    /**
     * The class constructor.
@@ -578,18 +570,6 @@ class Smarty
    {
      $this->assign('SCRIPT_NAME', isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME']
                    : @$GLOBALS['HTTP_SERVER_VARS']['SCRIPT_NAME']);
-                    
-      $this->_supers['get'] = $this->request_use_auto_globals ? $_GET : $GLOBALS['HTTP_GET_VARS'];
-      $this->_supers['post'] = $this->request_use_auto_globals ? $_POST : $GLOBALS['HTTP_POST_VARS'];
-      $this->_supers['server'] = $this->request_use_auto_globals ? $_SERVER : $GLOBALS['HTTP_SERVER_VARS'];
-      if(isset($_SESSION))
-        $this->_supers['session'] = $this->request_use_auto_globals ? $_SESSION : $GLOBALS['HTTP_SESSION_VARS'];
-      else
-        $this->_supers['session'] = array();
-      $this->_supers['request'] = $this->request_use_auto_globals ? $_REQUEST : $GLOBALS['HTTP_REQUEST_VARS'];
-      $this->_supers['cookies'] = $this->request_use_auto_globals ? $_COOKIE : $GLOBALS['HTTP_COOKIE_VARS'];
-      $this->_supers['env'] = $this->request_use_auto_globals ? $_ENV : $GLOBALS['HTTP_ENV_VARS'];
-                    
    }

    /**
--- a/libs/Smarty_Compiler.class.php
+++ b/libs/Smarty_Compiler.class.php
@@ -2047,27 +2047,57 @@ class Smarty_Compiler extends Smarty {
                break;

            case 'get':
-                $compiled_ref = "\$this->_supers['get']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_GET";
                break;

            case 'post':
-                $compiled_ref = "\$this->_supers['post']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_POST";
                break;

            case 'cookies':
-                $compiled_ref = "\$this->_supers['cookies']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_COOKIE";
                break;

            case 'env':
-                $compiled_ref = "\$this->_supers['env']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_ENV";
                break;

            case 'server':
-                $compiled_ref = "\$this->_supers['server']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_SERVER";
                break;

            case 'session':
-                $compiled_ref = "\$this->_supers['session']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_SESSION";
                break;

            /*
@@ -2075,8 +2105,13 @@ class Smarty_Compiler extends Smarty {
             * compiler.
             */
            case 'request':
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
                if ($this->request_use_auto_globals) {
-                    $compiled_ref = "\$this->_supers['request']";
+                    $compiled_ref = "\$_REQUEST";
                    break;
                } else {
                    $this->_init_smarty_vars = true;