- bugfix: Smarty_Security->allow_constants=false also disabled the literals true, false and null (regression from the change of 16.03.2015)

- improvement added a whitelist for trusted constants to security Smarty_Security::$trusted_constants (forum topic 25471)
Uwe Tews
2015-03-28 03:58:08 +01:00
parent 443ae8c216
commit ea2a566b1f
5 changed files with 71 additions and 29 deletions
@@ -2549,8 +2549,8 @@ class Smarty_Internal_Templateparser
function yy_r32()
{
if (defined($this->yystack[$this->yyidx + - 1]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + - 1]->minor, $this->compiler);
}
$this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 1]->minor));
} else {
@@ -2562,8 +2562,8 @@ class Smarty_Internal_Templateparser
function yy_r33()
{
if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
}
$this->_retvalue = $this->compiler->compileTag('private_print_expression', array(), array('value' => $this->yystack[$this->yyidx + 0]->minor));
} else {
@@ -2575,8 +2575,8 @@ class Smarty_Internal_Templateparser
function yy_r34()
{
if (defined($this->yystack[$this->yyidx + - 2]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + - 2]->minor, $this->compiler);
}
$this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 2]->minor, 'modifierlist' => $this->yystack[$this->yyidx + - 1]->minor));
} else {
@@ -2733,8 +2733,8 @@ class Smarty_Internal_Templateparser
function yy_r61()
{
if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
}
$this->_retvalue = array($this->yystack[$this->yyidx + - 2]->minor => $this->yystack[$this->yyidx + 0]->minor);
} else {
@@ -2891,8 +2891,8 @@ class Smarty_Internal_Templateparser
function yy_r108()
{
if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
}
$this->_retvalue = $this->yystack[$this->yyidx + 0]->minor;
} else {
@@ -3012,8 +3012,8 @@ class Smarty_Internal_Templateparser
function yy_r133()
{
if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) {
$this->compiler->trigger_template_error("Security: access to constants not permitted");
if (isset($this->smarty->security_policy)) {
$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
}
$this->_retvalue = "[" . $this->yystack[$this->yyidx + 0]->minor . "]";
} else {
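Review bot: The return value of isTrustedConstant() is discarded on the new line of every hunk (L17, L28, L39, L50, L61, L72), so the constant is still compiled into the template unless the policy method stops compilation itself; if a Smarty_Security subclass or a later edit reports a rejected constant by returning false, the whitelist from the commit message becomes advisory. Passing $this->compiler suggests the method calls trigger_template_error on its own, but that is not visible here, and guarding on the result keeps the parser safe either way: `if (!$this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + - 1]->minor, $this->compiler)) { $this->compiler->trigger_template_error("Security: access to constants not permitted"); }` (same shape for the other five sites with their respective stack offsets). The first hunk also shows the only guard before the policy call is defined(), so anything the policy accepts is emitted verbatim by compileTag; a short comment such as `// security policy decides whether this defined() constant may be printed` at each site would make that dependency explicit. Each yy_r* body continues past the end of its hunk.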