smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-05 19:04:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

- bugfix Smarty_Security->allow_constants=false; did also disable true, false and null (change of 16.03.2015)

Browse Source 
- improvement added a whitelist for trusted constants to security Smarty_Security::$trusted_constants (forum topic 25471)
This commit is contained in:
Uwe Tews
2015-03-28 03:58:08 +01:00
parent 443ae8c216
commit ea2a566b1f
5 changed files with 71 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
NEW_FEATURES.txt
View File

@@ -50,6 +50,15 @@ Smarty 3.1.22
the setting of $static_classes will be checked. the setting of $static_classes will be checked.
Note: That this security check is performed at compile time. Note: That this security check is performed at compile time.
- trusted constants .
The Smarty_Security class has the new property $trusted_constants to restrict access to constants.
It's an array of trusted constant names.
Format:
array (
'SMARTY_DIR' , // allowed constant
}
If the array is empty (default) the usage of constants can be controlled with the
Smarty_Security::$allow_constants property (default true)

6
change_log.txt
View File

@@ -1,7 +1,7 @@
 ===== 3.1.22-dev ===== (xx.xx.2015)  ===== 3.1.22-dev ===== (xx.xx.2015)
23.03.2015 27.03.2015
- bugfix problems when {function}{/function} defined a template function in a cached subtemplate and it was called {call} - bugfix Smarty_Security->allow_constants=false; did also disable true, false and null (change of 16.03.2015)
from a not cached subtemplate {forum topic 25468} - improvement added a whitelist for trusted constants to security Smarty_Security::$trusted_constants (forum topic 25471)
20.03.2015 20.03.2015
- bugfix make sure that function properties get saved only in compiled files containing the fuction definition {forum topic 25452} - bugfix make sure that function properties get saved only in compiled files containing the fuction definition {forum topic 25452}

24
lexer/smarty_internal_templateparser.y
View File

@@ -486,8 +486,8 @@ smartytag(res) ::= LDEL varindexed(vi) EQUAL expr(e) attributes(a). {
// tag with optional Smarty2 style attributes // tag with optional Smarty2 style attributes
smartytag(res) ::= LDEL ID(i) attributes(a). { smartytag(res) ::= LDEL ID(i) attributes(a). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(i, $this->compiler);
} }
res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i)); res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i));
} else { } else {
@@ -496,8 +496,8 @@ smartytag(res) ::= LDEL ID(i) attributes(a). {
} }
smartytag(res) ::= LDEL ID(i). { smartytag(res) ::= LDEL ID(i). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(i, $this->compiler);
} }
res = $this->compiler->compileTag('private_print_expression',array(),array('value'=>i)); res = $this->compiler->compileTag('private_print_expression',array(),array('value'=>i));
} else { } else {
@@ -509,8 +509,8 @@ smartytag(res) ::= LDEL ID(i). {
// tag with modifier and optional Smarty2 style attributes // tag with modifier and optional Smarty2 style attributes
smartytag(res) ::= LDEL ID(i) modifierlist(l)attributes(a). { smartytag(res) ::= LDEL ID(i) modifierlist(l)attributes(a). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(i, $this->compiler);
} }
res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i, 'modifierlist'=>l)); res = $this->compiler->compileTag('private_print_expression',a,array('value'=>i, 'modifierlist'=>l));
} else { } else {
@@ -656,8 +656,8 @@ attributes(res) ::= . {
// attribute // attribute
attribute(res) ::= SPACE ID(v) EQUAL ID(id). { attribute(res) ::= SPACE ID(v) EQUAL ID(id). {
if (defined(id)) { if (defined(id)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(id, $this->compiler);
} }
res = array(v=>id); res = array(v=>id);
} else { } else {
@@ -880,8 +880,8 @@ value(res) ::= DOT INTEGER(n1). {
// ID, true, false, null // ID, true, false, null
value(res) ::= ID(id). { value(res) ::= ID(id). {
if (defined(id)) { if (defined(id)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(id, $this->compiler);
} }
res = id; res = id;
} else { } else {
@@ -1040,8 +1040,8 @@ indexdef(res) ::= DOT DOLLAR varvar(v) AT ID(p). {
indexdef(res) ::= DOT ID(i). { indexdef(res) ::= DOT ID(i). {
if (defined(i)) { if (defined(i)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant(i, $this->compiler);
} }
res = "[". i ."]"; res = "[". i ."]";
} else { } else {

24
libs/sysplugins/smarty_internal_templateparser.php
View File

@@ -2549,8 +2549,8 @@ class Smarty_Internal_Templateparser
function yy_r32() function yy_r32()
{ {
if (defined($this->yystack[$this->yyidx + - 1]->minor)) { if (defined($this->yystack[$this->yyidx + - 1]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + - 1]->minor, $this->compiler);
} }
$this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 1]->minor)); $this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 1]->minor));
} else { } else {
@@ -2562,8 +2562,8 @@ class Smarty_Internal_Templateparser
function yy_r33() function yy_r33()
{ {
if (defined($this->yystack[$this->yyidx + 0]->minor)) { if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
} }
$this->_retvalue = $this->compiler->compileTag('private_print_expression', array(), array('value' => $this->yystack[$this->yyidx + 0]->minor)); $this->_retvalue = $this->compiler->compileTag('private_print_expression', array(), array('value' => $this->yystack[$this->yyidx + 0]->minor));
} else { } else {
@@ -2575,8 +2575,8 @@ class Smarty_Internal_Templateparser
function yy_r34() function yy_r34()
{ {
if (defined($this->yystack[$this->yyidx + - 2]->minor)) { if (defined($this->yystack[$this->yyidx + - 2]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + - 2]->minor, $this->compiler);
} }
$this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 2]->minor, 'modifierlist' => $this->yystack[$this->yyidx + - 1]->minor)); $this->_retvalue = $this->compiler->compileTag('private_print_expression', $this->yystack[$this->yyidx + 0]->minor, array('value' => $this->yystack[$this->yyidx + - 2]->minor, 'modifierlist' => $this->yystack[$this->yyidx + - 1]->minor));
} else { } else {
@@ -2733,8 +2733,8 @@ class Smarty_Internal_Templateparser
function yy_r61() function yy_r61()
{ {
if (defined($this->yystack[$this->yyidx + 0]->minor)) { if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
} }
$this->_retvalue = array($this->yystack[$this->yyidx + - 2]->minor => $this->yystack[$this->yyidx + 0]->minor); $this->_retvalue = array($this->yystack[$this->yyidx + - 2]->minor => $this->yystack[$this->yyidx + 0]->minor);
} else { } else {
@@ -2891,8 +2891,8 @@ class Smarty_Internal_Templateparser
function yy_r108() function yy_r108()
{ {
if (defined($this->yystack[$this->yyidx + 0]->minor)) { if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
} }
$this->_retvalue = $this->yystack[$this->yyidx + 0]->minor; $this->_retvalue = $this->yystack[$this->yyidx + 0]->minor;
} else { } else {
@@ -3012,8 +3012,8 @@ class Smarty_Internal_Templateparser
function yy_r133() function yy_r133()
{ {
if (defined($this->yystack[$this->yyidx + 0]->minor)) { if (defined($this->yystack[$this->yyidx + 0]->minor)) {
if (isset($this->smarty->security_policy) && !$this->smarty->security_policy->allow_constants) { if (isset($this->smarty->security_policy)) {
$this->compiler->trigger_template_error("Security: access to constants not permitted"); $this->smarty->security_policy->isTrustedConstant($this->yystack[$this->yyidx + 0]->minor, $this->compiler);
} }
$this->_retvalue = "[" . $this->yystack[$this->yyidx + 0]->minor . "]"; $this->_retvalue = "[" . $this->yystack[$this->yyidx + 0]->minor . "]";
} else { } else {

33
libs/sysplugins/smarty_security.php
View File

@@ -54,6 +54,12 @@ class Smarty_Security
* @var array * @var array
*/ */
public $trusted_uri = array(); public $trusted_uri = array();
/**
* List of trusted constants names
*
* @var array
*/
public $trusted_constants = array();
/** /**
* This is an array of trusted static classes. * This is an array of trusted static classes.
* If empty access to all static classes is allowed. * If empty access to all static classes is allowed.
@@ -410,6 +416,33 @@ class Smarty_Security
return false; // should not, but who knows what happens to the compiler in the future? return false; // should not, but who knows what happens to the compiler in the future?
} }
/**
* Check if constants are enabled or trusted
*
* @param string $const contant name
* @param object $compiler compiler object
*
* @return bool
*/
public function isTrustedConstant($const, $compiler)
{
if (in_array($const, array('true', 'false', 'null'))) {
return true;
}
if (!empty($this->trusted_constants)) {
if (!in_array($const, $this->trusted_constants)) {
$compiler->trigger_template_error("Security: access to constant '{$const}' not permitted");
return false;
}
return true;
}
if ($this->allow_constants) {
return true;
}
$compiler->trigger_template_error("Security: access to constants not permitted");
return false;
}
/** /**
* Check if stream is trusted. * Check if stream is trusted.
* *