From c81d1eb8396e7153717c6fc72f1392f5543118df Mon Sep 17 00:00:00 2001 From: andrey Date: Tue, 11 Dec 2001 21:34:22 +0000 Subject: [PATCH] Added 'script' attribute to {insert..}. --- NEWS | 4 +++- Smarty.class.php | 31 ++++++++++++++++++++++++++++++- libs/Smarty.class.php | 31 ++++++++++++++++++++++++++++++- 3 files changed, 63 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 241aa858..c280ec1f 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,6 @@ - - added default template function handler (Monte) + - added 'script' attribute to {insert..} which specifies the script that + the insert function can be found in. (Andrei) + - added default template function handler. (Monte) Version 1.5.1 ------------- diff --git a/Smarty.class.php b/Smarty.class.php index 62609d93..48d05095 100644 --- a/Smarty.class.php +++ b/Smarty.class.php @@ -100,7 +100,7 @@ class Smarty // this will tell Smarty not to look for // insert tags, thus speeding up cached page // fetches. true/false default true. - var $cache_handler_func = 'make_tpl'; // function used for cached content. this is + var $cache_handler_func = null; // function used for cached content. this is // an alternative to using the built-in file // based caching. 
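Review bot: The `$cache_handler_func` default change from `'make_tpl'` to `null` in the `@@ -100,7` hunk is not mentioned in the commit subject or the NEWS entry, although the adjacent comment describes this variable as the function used for cached content. A changed default for a callable name is worth recording on its own, for example with a NEWS line such as `- reset default $cache_handler_func to null.`, or by moving it to a separate commit. The same hunk is repeated in `libs/Smarty.class.php`.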
@@ -1115,6 +1115,21 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour $name = $args['name']; unset($args['name']); + if (isset($args['script'])) { + $this->_parse_file_path($this->trusted_dir, $this->_dequote($args['script']), $resource_type, $resource_name); + if ($this->security) { + if( $resource_type != 'file' || !@is_file($resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not readable"); return false; + } + if (!$this->_is_trusted($resource_type, $resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted"); + return false; + } + } + include_once($resource_name); + unset($args['script']); + } + $function_name = 'insert_' . $name; $replace = $function_name($args, $this); @@ -1146,6 +1161,20 @@ function _run_insert_handler($args) return $this->_smarty_md5."{insert_cache $arg_string}".$this->_smarty_md5; } else { $function_name = 'insert_'.$args['name']; + if (isset($args['script'])) { + $this->_parse_file_path($this->trusted_dir, $this->_dequote($args['script']), $resource_type, $resource_name); + if ($this->security) { + if( $resource_type != 'file' || !@is_file($resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not readable"); return false; + } + if (!$this->_is_trusted($resource_type, $resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted"); + return false; + } + } + include_once($resource_name); + } + $content = $function_name($args, $this); if ($this->debugging) { $this->_smarty_debug_info[] = array('type' => 'insert', diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php index 62609d93..48d05095 100644 --- a/libs/Smarty.class.php +++ b/libs/Smarty.class.php 
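Review bot: The resource-type and existence check in the added `script` block runs only when `$this->security` is on, so with security off `include_once($resource_name)` is reached for any resource type and for whatever `_parse_file_path()` left in `$resource_name`; any return value of that call is ignored in the visible lines. That check concerns correctness rather than trust, so it should sit outside the `if ($this->security)` block, leaving only `_is_trusted()` gated on the setting. The error text also says `include_php:` although this is the insert tag, and `is_file()` alone does not establish that the file is readable. The same block appears in the `@@ -1146` hunk and in both corresponding hunks of `libs/Smarty.class.php`. The enclosing function starts and ends outside this hunk.

```php
// … unchanged: isset($args['script']) test and _parse_file_path() call …
if ($resource_type != 'file' || !@is_file($resource_name) || !@is_readable($resource_name)) {
    $this->_syntax_error("insert: $resource_type: $resource_name is not readable");
    return false;
}
if ($this->security && !$this->_is_trusted($resource_type, $resource_name)) {
    $this->_syntax_error("insert: $resource_type: $resource_name is not trusted");
    return false;
}
include_once($resource_name);
// … unchanged: unset($args['script']) …
```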
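Review bot: `$args['script']` is still present in `$args` when `$function_name($args, $this)` is called in the `@@ -1146` hunk, whereas the `@@ -1115` hunk unsets it first, so an insert function sees a `script` key on this path but not on the other. Adding `unset($args['script']);` after `include_once($resource_name);` makes both paths pass the same arguments. The block is otherwise a line-for-line copy of the one in the `@@ -1115` hunk; a single private helper that takes the script value would keep the trust checks from drifting apart. The same applies to the `@@ -1146` hunk of `libs/Smarty.class.php`, and `_run_insert_handler` continues outside the hunk.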
@@ -100,7 +100,7 @@ class Smarty // this will tell Smarty not to look for // insert tags, thus speeding up cached page // fetches. true/false default true. - var $cache_handler_func = 'make_tpl'; // function used for cached content. this is + var $cache_handler_func = null; // function used for cached content. this is // an alternative to using the built-in file // based caching. @@ -1115,6 +1115,21 @@ function _parse_file_path($file_base_path, $file_path, &$resource_type, &$resour $name = $args['name']; unset($args['name']); + if (isset($args['script'])) { + $this->_parse_file_path($this->trusted_dir, $this->_dequote($args['script']), $resource_type, $resource_name); + if ($this->security) { + if( $resource_type != 'file' || !@is_file($resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not readable"); return false; + } + if (!$this->_is_trusted($resource_type, $resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted"); + return false; + } + } + include_once($resource_name); + unset($args['script']); + } + $function_name = 'insert_' . $name; $replace = $function_name($args, $this); 
@@ -1146,6 +1161,20 @@ function _run_insert_handler($args) return $this->_smarty_md5."{insert_cache $arg_string}".$this->_smarty_md5; } else { $function_name = 'insert_'.$args['name']; + if (isset($args['script'])) { + $this->_parse_file_path($this->trusted_dir, $this->_dequote($args['script']), $resource_type, $resource_name); + if ($this->security) { + if( $resource_type != 'file' || !@is_file($resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not readable"); return false; + } + if (!$this->_is_trusted($resource_type, $resource_name)) { + $this->_syntax_error("include_php: $resource_type: $resource_name is not trusted"); + return false; + } + } + include_once($resource_name); + } + $content = $function_name($args, $this); if ($this->debugging) { $this->_smarty_debug_info[] = array('type' => 'insert',