1 <?php
2 /**
3 * Smarty plugin
4 *
5 * @package Smarty
6 * @subpackage Security
7 * @author Uwe Tews
8 */
10 /**
11 * This class contains the security settings (allow-lists of functions, modifiers, classes, streams and directories a template may use).
12 */
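class Smarty_Security {
    /**
     * The Smarty instance this policy belongs to (assigned in the constructor).
     * Declared explicitly so the assignment in __construct() does not rely on
     * dynamic property creation.
     *
     * @var Smarty
     */
    public $smarty = null;

    /**
     * This determines how Smarty handles "<?php ... ?>" tags in templates.
     * possible values:
     * <ul>
     * <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>
     * <li>Smarty::PHP_QUOTE -> escape tags as entities</li>
     * <li>Smarty::PHP_REMOVE -> remove php tags</li>
     * <li>Smarty::PHP_ALLOW -> execute php tags</li>
     * </ul>
     *
     * @var integer
     */
    public $php_handling = Smarty::PHP_PASSTHRU;

    /**
     * This is the list of template directories that are considered secure.
     * $template_dir is in this list implicitly.
     *
     * @var array
     */
    public $secure_dir = array();

    /**
     * This is an array of directories where trusted php scripts reside.
     * {@link $security} is disabled during their inclusion/execution.
     *
     * @var array
     */
    public $trusted_dir = array();

    /**
     * This is an array of trusted static classes.
     *
     * If empty access to all static classes is allowed.
     * If set to 'none' (or any other non-array value) none is allowed.
     *
     * @var array
     */
    public $static_classes = array();

    /**
     * This is an array of trusted PHP functions.
     *
     * If empty all functions are allowed.
     * To disable all PHP functions set $php_functions = null.
     * Names are compared case-sensitively and with strict (===) comparison.
     *
     * @var array
     */
    public $php_functions = array('isset', 'empty',
        'count', 'sizeof', 'in_array', 'is_array', 'time', 'nl2br');

    /**
     * This is an array of trusted PHP modifiers.
     *
     * If empty all modifiers are allowed.
     * To disable all modifiers set $php_modifiers = null.
     *
     * @var array
     */
    public $php_modifiers = array('escape', 'count');

    /**
     * This is an array of trusted streams.
     *
     * If empty all streams are allowed.
     * To disable all streams set $streams = null.
     *
     * @var array
     */
    public $streams = array('file');

    /**
     * + flag if constants can be accessed from template
     *
     * @var boolean
     */
    public $allow_constants = true;

    /**
     * + flag if super globals can be accessed from template
     *
     * @var boolean
     */
    public $allow_super_globals = true;

    /**
     * + flag if the {php} and {include_php} tag can be executed
     *
     * @var boolean
     */
    public $allow_php_tag = false;

    /**
     * @param Smarty $smarty the Smarty instance this policy is attached to
     */
    public function __construct($smarty)
    {
        $this->smarty = $smarty;
    }

    /**
     * Check if PHP function is trusted.
     *
     * On failure the error is reported through the compiler (no exception).
     *
     * @param string $function_name
     * @param object $compiler compiler object
     * @return boolean true if function is trusted
     */
    public function isTrustedPhpFunction($function_name, $compiler)
    {
        if ($this->isNameAllowed($function_name, $this->php_functions)) {
            return true;
        }
        $compiler->trigger_template_error("PHP function '{$function_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if static class is trusted.
     *
     * On failure the error is reported through the compiler (no exception).
     *
     * @param string $class_name
     * @param object $compiler compiler object
     * @return boolean true if class is trusted
     */
    public function isTrustedStaticClass($class_name, $compiler)
    {
        if ($this->isNameAllowed($class_name, $this->static_classes)) {
            return true;
        }
        $compiler->trigger_template_error("access to static class '{$class_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if modifier is trusted.
     *
     * On failure the error is reported through the compiler (no exception).
     *
     * @param string $modifier_name
     * @param object $compiler compiler object
     * @return boolean true if modifier is trusted
     */
    public function isTrustedModifier($modifier_name, $compiler)
    {
        if ($this->isNameAllowed($modifier_name, $this->php_modifiers)) {
            return true;
        }
        $compiler->trigger_template_error("modifier '{$modifier_name}' not allowed by security setting");
        return false;
    }

    /**
     * Check if stream is trusted.
     *
     * @param string $stream_name
     * @return boolean true if stream is trusted
     * @throws SmartyException if the stream is not allowed
     */
    public function isTrustedStream($stream_name)
    {
        if ($this->isNameAllowed($stream_name, $this->streams)) {
            return true;
        }
        throw new SmartyException("stream '{$stream_name}' not allowed by security setting");
    }

    /**
     * Check if directory of file resource is trusted.
     *
     * A path is trusted when it resolves (via realpath) to one of the
     * configured template directories or $secure_dir entries, or to a
     * path below one of them.
     *
     * @param string $filepath
     * @return boolean true if directory is trusted
     * @throws SmartyException if the path cannot be resolved or is not allowed
     */
    public function isTrustedResourceDir($filepath)
    {
        $_rp = realpath($filepath);
        if ($_rp === false) {
            // unresolvable (non-existent) paths are never trusted; bail out
            // before the prefix checks so false is never passed to strncmp()
            throw new SmartyException("directory '{$filepath}' not allowed by security setting");
        }
        if (isset($this->smarty->template_dir)) {
            foreach ((array) $this->smarty->template_dir as $curr_dir) {
                if ($this->isPathInsideDir($_rp, $curr_dir)) {
                    return true;
                }
            }
        }
        if (!empty($this->secure_dir)) {
            foreach ((array) $this->secure_dir as $curr_dir) {
                if ($this->isPathInsideDir($_rp, $curr_dir)) {
                    return true;
                }
            }
        }
        throw new SmartyException("directory '{$_rp}' not allowed by security setting");
    }

    /**
     * Check if directory of a PHP script (for {include_php}) is trusted.
     *
     * A path is trusted when it resolves (via realpath) to one of the
     * $trusted_dir entries or to a path below one of them.
     *
     * @param string $filepath
     * @return boolean true if directory is trusted
     * @throws SmartyException if the path cannot be resolved or is not allowed
     */
    public function isTrustedPHPDir($filepath)
    {
        $_rp = realpath($filepath);
        if ($_rp === false) {
            // see isTrustedResourceDir(): never compare against a false realpath
            throw new SmartyException("directory '{$filepath}' not allowed by security setting");
        }
        if (!empty($this->trusted_dir)) {
            foreach ((array) $this->trusted_dir as $curr_dir) {
                if ($this->isPathInsideDir($_rp, $curr_dir)) {
                    return true;
                }
            }
        }
        throw new SmartyException("directory '{$_rp}' not allowed by security setting");
    }

    /**
     * Evaluate a name against one of the allow-list properties.
     *
     * Semantics shared by all name-based checks:
     *  - null          -> the feature is disabled, nothing is allowed
     *  - empty value   -> everything is allowed
     *  - array         -> allowed only if the name is in it (strict comparison)
     *  - anything else -> (e.g. 'none') nothing is allowed
     *
     * @param string $name
     * @param mixed $allowed the allow-list property value
     * @return boolean
     */
    private function isNameAllowed($name, $allowed)
    {
        if (!isset($allowed)) {
            return false;
        }
        if (empty($allowed)) {
            return true;
        }
        // strict comparison so that loose string/number coercion can never
        // widen the allow-list; a non-array value denies everything instead
        // of raising a TypeError inside in_array()
        return is_array($allowed) && in_array($name, $allowed, true);
    }

    /**
     * Test whether an already-resolved path equals, or lies below, a directory.
     *
     * @param string $_rp resolved (realpath) candidate path
     * @param string $curr_dir configured directory (resolved here; unresolvable dirs never match)
     * @return boolean
     */
    private function isPathInsideDir($_rp, $curr_dir)
    {
        $_cd = realpath($curr_dir);
        if ($_cd === false) {
            return false;
        }
        if ($_cd === $_rp) {
            return true;
        }
        // require the separator right after the prefix so that "/foo" does not
        // match "/foobar". NOTE: a directory whose resolved path already ends in
        // the separator (e.g. the filesystem root) therefore only matches itself.
        $_len = strlen($_cd);
        return strncmp($_rp, $_cd, $_len) == 0 && substr($_rp, $_len, 1) == DS;
    }
}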
229 ?>