smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-05 02:44:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

- bugfix Smarty_Security->allow_constants=false; did not disallow direct usage of defined constants like {SMARTY_DIR} {forum topic 25457}

Browse Source
This commit is contained in:
Uwe Tews
2015-03-17 02:29:19 +01:00
parent eead9c81e9
commit e7ad5909e5
4 changed files with 2680 additions and 2336 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
change_log.txt
View File

@@ -1,6 +1,7 @@
 ===== 3.1.22-dev ===== (xx.xx.2015)  ===== 3.1.22-dev ===== (xx.xx.2015)
16.03.2015 16.03.2015
- bugfix problems with {function}{/function} and {call} tags in different subtemplate cache files {forum topic 25452} - bugfix problems with {function}{/function} and {call} tags in different subtemplate cache files {forum topic 25452}
- bugfix Smarty_Security->allow_constants=false; did not disallow direct usage of defined constants like {SMARTY_DIR} {forum topic 25457}
15.03.2015 15.03.2015
- bugfix $smarty->compile_check must be restored before rendering of a just updated cache file {forum 25452} - bugfix $smarty->compile_check must be restored before rendering of a just updated cache file {forum 25452}

18
lexer/smarty_internal_templateparser.y
View File

@@ -486,6 +486,9 @@ smartytag(res) ::= LDEL varindexed(vi) EQUAL expr(e) attributes(a). {
// tag with optional Smarty2 style attributes // tag with optional Smarty2 style attributes
smartytag(res) ::= LDEL ID(i) attributes(a). { smartytag(res) ::= LDEL ID(i) attributes(a). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i)); res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i));
} else { } else {
res = $this->compiler->compileTag(i,a); res = $this->compiler->compileTag(i,a);
@@ -493,6 +496,9 @@ smartytag(res) ::= LDEL ID(i) attributes(a). {
} }
smartytag(res) ::= LDEL ID(i). { smartytag(res) ::= LDEL ID(i). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = $this->compiler->compileTag('private_print_expression',array(),array('value'=>i)); res = $this->compiler->compileTag('private_print_expression',array(),array('value'=>i));
} else { } else {
res = $this->compiler->compileTag(i,array()); res = $this->compiler->compileTag(i,array());
@@ -503,6 +509,9 @@ smartytag(res) ::= LDEL ID(i). {
// tag with modifier and optional Smarty2 style attributes // tag with modifier and optional Smarty2 style attributes
smartytag(res) ::= LDEL ID(i) modifierlist(l)attributes(a). { smartytag(res) ::= LDEL ID(i) modifierlist(l)attributes(a). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i, 'modifierlist'=>l)); res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i, 'modifierlist'=>l));
} else { } else {
res = '<?php ob_start();?>'.$this->compiler->compileTag(i,a).'<?php echo '; res = '<?php ob_start();?>'.$this->compiler->compileTag(i,a).'<?php echo ';
@@ -647,6 +656,9 @@ attributes(res) ::= . {
// attribute // attribute
attribute(res) ::= SPACE ID(v) EQUAL ID(id). { attribute(res) ::= SPACE ID(v) EQUAL ID(id). {
if (defined(id)) { if (defined(id)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = array(v=>id); res = array(v=>id);
} else { } else {
res = array(v=>"'".id."'"); res = array(v=>"'".id."'");
@@ -868,6 +880,9 @@ value(res) ::= DOT INTEGER(n1). {
// ID, true, false, null // ID, true, false, null
value(res) ::= ID(id). { value(res) ::= ID(id). {
if (defined(id)) { if (defined(id)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = id; res = id;
} else { } else {
res = "'".id."'"; res = "'".id."'";
@@ -1025,6 +1040,9 @@ indexdef(res) ::= DOT DOLLAR varvar(v) AT ID(p). {
indexdef(res) ::= DOT ID(i). { indexdef(res) ::= DOT ID(i). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
}
res = "[". i ."]"; res = "[". i ."]";
} else { } else {
res = "['". i ."']"; res = "['". i ."']";

2
libs/Smarty.class.php
View File

@@ -111,7 +111,7 @@ class Smarty extends Smarty_Internal_TemplateBase
/** /**
* smarty version * smarty version
*/ */
const SMARTY_VERSION = '3.1.22-dev/10'; const SMARTY_VERSION = '3.1.22-dev/11';
/** /**
* define variable scopes * define variable scopes

2301
libs/sysplugins/smarty_internal_templateparser.php
View File

File diff suppressed because it is too large Load Diff