| author | Uwe Tews <uwe.tews@googlemail.com> | 2014-12-29 21:59:23 +0100 |
|---|---|---|
| committer | Uwe Tews <uwe.tews@googlemail.com> | 2014-12-29 21:59:23 +0100 |
| commit | 1da50aa61db8257082c97e6e37ffbfcb9b4d13a8 (patch) | |
| tree | 9f15d1005ffae2944d17af0855ed76ae8bfa9a87 /libs/sysplugins/smarty_internal_compile_private_special_variable.php | |
| parent | 49a3427515999f4fb39d5cd916bcb907f3c309b4 (diff) | |
security can now disable special $smarty variables
see also NEW_FEATURES.txt
Diffstat (limited to 'libs/sysplugins/smarty_internal_compile_private_special_variable.php')
| -rw-r--r-- | libs/sysplugins/smarty_internal_compile_private_special_variable.php | 133 |
1 files changed, 67 insertions, 66 deletions
diff --git a/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
index 1b6cf375..a4b8d208 100644
--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -30,88 +30,89 @@ class Smarty_Internal_Compile_Private_Special_Variable extends Smarty_Internal_C
         $_index = preg_split("/\]\[/", substr($parameter, 1, strlen($parameter) - 2));
         $compiled_ref = ' ';
         $variable = trim($_index[0], "'");
-        switch ($variable) {
-            case 'foreach':
-                return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
-            case 'section':
-                return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
-            case 'capture':
-                return "Smarty::\$_smarty_vars$parameter";
-            case 'now':
-                return 'time()';
-            case 'cookies':
-                if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_super_globals) {
-                    $compiler->trigger_template_error("(secure mode) super globals not permitted");
+        if (!isset($compiler->smarty->security_policy) || $compiler->smarty->security_policy->isTrustedSpecialSmartyVar($variable, $compiler)) {
+            switch ($variable) {
+                case 'foreach':
+                    return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
+                case 'section':
+                    return "\$_smarty_tpl->getVariable('smarty')->value$parameter";
+                case 'capture':
+                    return "Smarty::\$_smarty_vars$parameter";
+                case 'now':
+                    return 'time()';
+                case 'cookies':
+                    if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_super_globals) {
+                        $compiler->trigger_template_error("(secure mode) super globals not permitted");
+                        break;
+                    }
+                    $compiled_ref = '$_COOKIE';
                     break;
-                }
-                $compiled_ref = '$_COOKIE';
-                break;
 
-            case 'get':
-            case 'post':
-            case 'env':
-            case 'server':
-            case 'session':
-            case 'request':
-                if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_super_globals) {
-                    $compiler->trigger_template_error("(secure mode) super globals not permitted");
+                case 'get':
+                case 'post':
+                case 'env':
+                case 'server':
+                case 'session':
+                case 'request':
+                    if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_super_globals) {
+                        $compiler->trigger_template_error("(secure mode) super globals not permitted");
+                        break;
+                    }
+                    $compiled_ref = '$_' . strtoupper($variable);
                     break;
-                }
-                $compiled_ref = '$_' . strtoupper($variable);
-                break;
 
-            case 'template':
-                return 'basename($_smarty_tpl->source->filepath)';
+                case 'template':
+                    return 'basename($_smarty_tpl->source->filepath)';
 
-            case 'template_object':
-                return '$_smarty_tpl';
+                case 'template_object':
+                    return '$_smarty_tpl';
 
-            case 'current_dir':
-                return 'dirname($_smarty_tpl->source->filepath)';
+                case 'current_dir':
+                    return 'dirname($_smarty_tpl->source->filepath)';
 
-            case 'version':
-                $_version = Smarty::SMARTY_VERSION;
+                case 'version':
+                    $_version = Smarty::SMARTY_VERSION;
 
-                return "'$_version'";
+                    return "'$_version'";
 
-            case 'const':
-                if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_constants) {
-                    $compiler->trigger_template_error("(secure mode) constants not permitted");
-                    break;
-                }
-                if( strpos( $_index[1], '$') === false ){
-                    return "@constant('{$_index[1]}')";
-                } else {
-                    return "@constant({$_index[1]})";
-                }
+                case 'const':
+                    if (isset($compiler->smarty->security_policy) && !$compiler->smarty->security_policy->allow_constants) {
+                        $compiler->trigger_template_error("(secure mode) constants not permitted");
+                        break;
+                    }
+                    if (strpos($_index[1], '$') === false) {
+                        return "@constant('{$_index[1]}')";
+                    } else {
+                        return "@constant({$_index[1]})";
+                    }
 
-            case 'config':
-                if (isset($_index[2])) {
-                    return "(is_array(\$tmp = \$_smarty_tpl->getConfigVariable($_index[1])) ? \$tmp[$_index[2]] : null)";
-                } else {
-                    return "\$_smarty_tpl->getConfigVariable($_index[1])";
-                }
-            case 'ldelim':
-                $_ldelim = $compiler->smarty->left_delimiter;
+                case 'config':
+                    if (isset($_index[2])) {
+                        return "(is_array(\$tmp = \$_smarty_tpl->getConfigVariable($_index[1])) ? \$tmp[$_index[2]] : null)";
+                    } else {
+                        return "\$_smarty_tpl->getConfigVariable($_index[1])";
+                    }
+                case 'ldelim':
+                    $_ldelim = $compiler->smarty->left_delimiter;
 
-                return "'$_ldelim'";
+                    return "'$_ldelim'";
 
-            case 'rdelim':
-                $_rdelim = $compiler->smarty->right_delimiter;
+                case 'rdelim':
+                    $_rdelim = $compiler->smarty->right_delimiter;
 
-                return "'$_rdelim'";
+                    return "'$_rdelim'";
 
-            default:
-                $compiler->trigger_template_error('$smarty.' . trim($_index[0], "'") . ' is invalid');
-                break;
-        }
-        if (isset($_index[1])) {
-            array_shift($_index);
-            foreach ($_index as $_ind) {
-                $compiled_ref = $compiled_ref . "[$_ind]";
+                default:
+                    $compiler->trigger_template_error('$smarty.' . trim($_index[0], "'") . ' is invalid');
+                    break;
+            }
+            if (isset($_index[1])) {
+                array_shift($_index);
+                foreach ($_index as $_ind) {
+                    $compiled_ref = $compiled_ref . "[$_ind]";
+                }
             }
         }
-
         return $compiled_ref;
     }
 }
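Review bot: When the policy rejects `$variable`, the new outer `if` skips the whole `switch` and execution falls through to `return $compiled_ref;`, which still holds the initial `' '` — so unless `isTrustedSpecialSmartyVar()` itself calls `trigger_template_error()` (its body is in another file and not visible here), a blocked `{$smarty.cookies...}` or `{$smarty.const...}` compiles silently to a blank expression rather than failing the compile. Making the fail-closed behaviour independent of the policy class costs three lines: `} else { $compiler->trigger_template_error('$smarty.' . $variable . ' not allowed by security setting'); }` after the closing brace of the outer `if`. The `isset($compiler->smarty->security_policy)` test is now evaluated at the top and again inside the super-global and `const` cases; the inner checks remain necessary because `allow_super_globals` and `allow_constants` are separate switches from the per-variable trust check, so a one-line comment above the outer `if` saying `// per-variable trust check; allow_super_globals / allow_constants are enforced per case below` would stop the next reader from removing them as redundant. The `compile()` signature that opens this method lies above the hunk.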
