11 * This class does contain the security settings
13 class Smarty_Security {
15 * This determines how Smarty handles "<?php ... ?>" tags in templates.
18 * <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>
19 * <li>Smarty::PHP_QUOTE -> escape tags as entities</li>
20 * <li>Smarty::PHP_REMOVE -> remove php tags</li>
21 * <li>Smarty::PHP_ALLOW -> execute php tags</li>
26 public $php_handling = Smarty::PHP_PASSTHRU;
29 * This is the list of template directories that are considered secure.
30 * $template_dir is in this list implicitly.
34 public $secure_dir = array();
38 * This is an array of directories where trusted php scripts reside.
39 * {@link $security} is disabled during their inclusion/execution.
43 public $trusted_dir = array();
47 * This is an array of trusted static classes.
49 * If empty access to all static classes is allowed.
50 * If set to 'none' none is allowed.
53 public $static_classes = array();
56 * This is an array of trusted PHP functions.
58 * If empty all functions are allowed.
59 * To disable all PHP functions set $php_functions = null.
62 public $php_functions = array('isset', 'empty',
63 'count', 'sizeof','in_array', 'is_array','time','nl2br');
66 * This is an array of trusted PHP modifers.
68 * If empty all modifiers are allowed.
69 * To disable all modifier set $modifiers = null.
72 public $php_modifiers = array('escape','count');
75 * This is an array of trusted streams.
77 * If empty all streams are allowed.
78 * To disable all streams set $streams = null.
81 public $streams = array('file');
83 * + flag if constants can be accessed from template
85 public $allow_constants = true;
87 * + flag if super globals can be accessed from template
89 public $allow_super_globals = true;
91 * + flag if the {php} and {include_php} tag can be executed
93 public $allow_php_tag = false;
95 public function __construct($smarty)
97 $this->smarty = $smarty;
100 * Check if PHP function is trusted.
102 * @param string $function_name
103 * @param object $compiler compiler object
104 * @return boolean true if function is trusted
106 function isTrustedPhpFunction($function_name, $compiler)
108 if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) {
111 $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");
117 * Check if static class is trusted.
119 * @param string $class_name
120 * @param object $compiler compiler object
121 * @return boolean true if class is trusted
123 function isTrustedStaticClass($class_name, $compiler)
125 if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) {
128 $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");
133 * Check if modifier is trusted.
135 * @param string $modifier_name
136 * @param object $compiler compiler object
137 * @return boolean true if modifier is trusted
139 function isTrustedModifier($modifier_name, $compiler)
141 if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) {
144 $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");
149 * Check if stream is trusted.
151 * @param string $stream_name
152 * @param object $compiler compiler object
153 * @return boolean true if stream is trusted
155 function isTrustedStream($stream_name)
157 if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) {
160 throw new SmartyException ("stream '{$stream_name}' not allowed by security setting");
166 * Check if directory of file resource is trusted.
168 * @param string $filepath
169 * @param object $compiler compiler object
170 * @return boolean true if directory is trusted
172 function isTrustedResourceDir($filepath)
174 $_rp = realpath($filepath);
175 if (isset($this->smarty->template_dir)) {
176 foreach ((array)$this->smarty->template_dir as $curr_dir) {
177 if (($_cd = realpath($curr_dir)) !== false &&
178 strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
179 (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
184 if (!empty($this->smarty->security_policy->secure_dir)) {
185 foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
186 if (($_cd = realpath($curr_dir)) !== false) {
189 } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
190 (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
197 throw new SmartyException ("directory '{$_rp}' not allowed by security setting");
202 * Check if directory of file resource is trusted.
204 * @param string $filepath
205 * @param object $compiler compiler object
206 * @return boolean true if directory is trusted
208 function isTrustedPHPDir($filepath)
210 $_rp = realpath($filepath);
211 if (!empty($this->trusted_dir)) {
212 foreach ((array)$this->trusted_dir as $curr_dir) {
213 if (($_cd = realpath($curr_dir)) !== false) {
216 } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
217 substr($_rp, strlen($_cd), 1) == DS) {
224 throw new SmartyException ("directory '{$_rp}' not allowed by security setting");