1 <?php
2 /**
3 * Smarty Internal Plugin Security Handler
4 *
5 * @package Smarty
6 * @subpackage Security
7 * @author Uwe Tews
8 */
10 /**
11 * This class contains all methods for security checking
12 */
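class Smarty_Internal_Security_Handler {
    /**
     * Smarty instance whose security_policy and template_dir are consulted.
     *
     * Declared explicitly so the constructor does not create a dynamic property.
     *
     * @var object
     */
    public $smarty;

    /**
     * @param object $smarty Smarty instance carrying the security policy
     */
    public function __construct($smarty)
    {
        $this->smarty = $smarty;
    }

    /**
     * Check if PHP function is trusted.
     *
     * Security note: an empty php_functions list disables this check, so every
     * function name is accepted. Restricting templates requires a non-empty list.
     *
     * @param string $function_name
     * @param object $compiler compiler object
     * @return boolean true if function is trusted; false after the compiler was told about the violation
     */
    public function isTrustedPhpFunction($function_name, $compiler)
    {
        if ($this->isAllowedBy('php_functions', $function_name)) {
            return true;
        }
        $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if static class is trusted.
     *
     * Security note: an empty static_classes list disables this check, so access
     * to every static class is accepted.
     *
     * @param string $class_name
     * @param object $compiler compiler object
     * @return boolean true if class is trusted; false after the compiler was told about the violation
     */
    public function isTrustedStaticClass($class_name, $compiler)
    {
        if ($this->isAllowedBy('static_classes', $class_name)) {
            return true;
        }
        $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if modifier is trusted.
     *
     * Security note: an empty modifiers list disables this check, so every
     * modifier is accepted.
     *
     * @param string $modifier_name
     * @param object $compiler compiler object
     * @return boolean true if modifier is trusted; false after the compiler was told about the violation
     */
    public function isTrustedModifier($modifier_name, $compiler)
    {
        if ($this->isAllowedBy('modifiers', $modifier_name)) {
            return true;
        }
        $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if stream is trusted.
     *
     * Security note: an empty streams list disables this check, so every stream
     * name is accepted.
     *
     * @param string $stream_name
     * @return boolean true if stream is trusted
     * @throws SmartyException if the stream is not on a non-empty streams list
     */
    public function isTrustedStream($stream_name)
    {
        if ($this->isAllowedBy('streams', $stream_name)) {
            return true;
        }
        throw new SmartyException ("stream '{$stream_name}' not allowed by security setting");
    }

    /**
     * Check if directory of file resource is trusted.
     *
     * A path is trusted when, after realpath() resolution, it equals or lies
     * below one of the template_dir entries or one of the policy's secure_dir
     * entries. template_dir is accepted regardless of the policy contents.
     *
     * The decision reflects the filesystem at call time (realpath() resolves
     * symlinks); this method returns only a boolean, so nothing here re-checks
     * the path when the file is opened later.
     *
     * @param string $filepath
     * @return boolean true if directory is trusted
     * @throws SmartyException if the path cannot be resolved or lies outside every trusted directory
     */
    public function isTrustedResourceDir($filepath)
    {
        $_rp = realpath($filepath);
        if ($_rp === false) {
            // An unresolvable path cannot be shown to lie inside a trusted
            // directory: fail closed, and name the path that was asked for.
            throw new SmartyException ("directory '{$filepath}' not allowed by security setting");
        }
        if (isset($this->smarty->template_dir)) {
            foreach ((array)$this->smarty->template_dir as $curr_dir) {
                if ($this->isPathWithin($_rp, $curr_dir)) {
                    return true;
                }
            }
        }
        if (!empty($this->smarty->security_policy->secure_dir)) {
            foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
                if ($this->isPathWithin($_rp, $curr_dir)) {
                    return true;
                }
            }
        }

        throw new SmartyException ("directory '{$_rp}' not allowed by security setting");
    }

    /**
     * Check if directory of a PHP file is trusted.
     *
     * A path is trusted when, after realpath() resolution, it equals or lies
     * below one of the policy's trusted_dir entries. Unlike the other checks in
     * this class, an empty trusted_dir list rejects every path.
     *
     * @param string $filepath
     * @return boolean true if directory is trusted
     * @throws SmartyException if the path cannot be resolved or lies outside every trusted directory
     */
    public function isTrustedPHPDir($filepath)
    {
        $_rp = realpath($filepath);
        if ($_rp === false) {
            // Fail closed on a path that does not resolve.
            throw new SmartyException ("directory '{$filepath}' not allowed by security setting");
        }
        if (!empty($this->smarty->security_policy->trusted_dir)) {
            foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) {
                if ($this->isPathWithin($_rp, $curr_dir)) {
                    return true;
                }
            }
        }

        throw new SmartyException ("directory '{$_rp}' not allowed by security setting");
    }

    /**
     * Decide whether a name passes one of the policy's allow-lists.
     *
     * An unset or empty list accepts everything. Otherwise the name must be an
     * entry of the list; the comparison is strict, so a non-string entry such
     * as true or 0 cannot match every name through type juggling.
     *
     * @param string $list_name name of the security_policy property holding the list
     * @param string $value name to look up
     * @return boolean true if the list is empty or contains the name
     */
    private function isAllowedBy($list_name, $value)
    {
        // empty() stays on the full property chain so a missing policy or list
        // is treated as "empty" without raising a notice.
        if (empty($this->smarty->security_policy->$list_name)) {
            return true;
        }
        return in_array($value, $this->smarty->security_policy->$list_name, true);
    }

    /**
     * Decide whether an already-resolved path equals a directory or lies below it.
     *
     * @param string $real_path path as returned by realpath()
     * @param string $dir directory to test against; resolved with realpath() here
     * @return boolean true if the path is the directory or is contained in it
     */
    private function isPathWithin($real_path, $dir)
    {
        $_cd = realpath($dir);
        if ($_cd === false) {
            // A configured directory that does not resolve grants nothing.
            return false;
        }
        if ($real_path === $_cd) {
            return true;
        }
        $_len = strlen($_cd);
        // The separator test keeps a sibling with the same prefix (trusted
        // "/a/tpl" versus "/a/tpl_other") from passing as a child.
        return strncmp($real_path, $_cd, $_len) === 0 && substr($real_path, $_len, 1) === DS;
    }
}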
148 ?>