X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/timetracker.git/blobdiff_plain/098a79f0819ebb89b7d48df4a6b154af4560f68e..9a23a8c0a51b7ec38a96f525484134f3cb85dc7e:/WEB-INF/lib/smarty/sysplugins/smarty_security.php diff --git a/WEB-INF/lib/smarty/sysplugins/smarty_security.php b/WEB-INF/lib/smarty/sysplugins/smarty_security.php new file mode 100644 index 00000000..cd066fb4 --- /dev/null +++ b/WEB-INF/lib/smarty/sysplugins/smarty_security.php @@ -0,0 +1,229 @@ +" tags in templates. + * possible values: + * + * + * @var integer + */ + public $php_handling = Smarty::PHP_PASSTHRU; + + /** + * This is the list of template directories that are considered secure. + * $template_dir is in this list implicitly. + * + * @var array + */ + public $secure_dir = array(); + + + /** + * This is an array of directories where trusted php scripts reside. + * {@link $security} is disabled during their inclusion/execution. + * + * @var array + */ + public $trusted_dir = array(); + + + /** + * This is an array of trusted static classes. + * + * If empty access to all static classes is allowed. + * If set to 'none' none is allowed. + * @var array + */ + public $static_classes = array(); + + /** + * This is an array of trusted PHP functions. + * + * If empty all functions are allowed. + * To disable all PHP functions set $php_functions = null. + * @var array + */ + public $php_functions = array('isset', 'empty', + 'count', 'sizeof','in_array', 'is_array','time','nl2br'); + + /** + * This is an array of trusted PHP modifers. + * + * If empty all modifiers are allowed. + * To disable all modifier set $modifiers = null. + * @var array + */ + public $php_modifiers = array('escape','count'); + + /** + * This is an array of trusted streams. + * + * If empty all streams are allowed. + * To disable all streams set $streams = null. + * @var array + */ + public $streams = array('file'); + /** + * + flag if constants can be accessed from template + */ + public $allow_constants = true; + /** + * + flag if super globals can be accessed from template + */ + public $allow_super_globals = true; + /** + * + flag if the {php} and {include_php} tag can be executed + */ + public $allow_php_tag = false; + + public function __construct($smarty) + { + $this->smarty = $smarty; + } + /** + * Check if PHP function is trusted. + * + * @param string $function_name + * @param object $compiler compiler object + * @return boolean true if function is trusted + */ + function isTrustedPhpFunction($function_name, $compiler) + { + if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) { + return true; + } else { + $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting"); + return false; + } + } + + /** + * Check if static class is trusted. + * + * @param string $class_name + * @param object $compiler compiler object + * @return boolean true if class is trusted + */ + function isTrustedStaticClass($class_name, $compiler) + { + if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) { + return true; + } else { + $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting"); + return false; + } + } + /** + * Check if modifier is trusted. + * + * @param string $modifier_name + * @param object $compiler compiler object + * @return boolean true if modifier is trusted + */ + function isTrustedModifier($modifier_name, $compiler) + { + if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) { + return true; + } else { + $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting"); + return false; + } + } + /** + * Check if stream is trusted. + * + * @param string $stream_name + * @param object $compiler compiler object + * @return boolean true if stream is trusted + */ + function isTrustedStream($stream_name) + { + if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) { + return true; + } else { + throw new SmartyException ("stream '{$stream_name}' not allowed by security setting"); + return false; + } + } + + /** + * Check if directory of file resource is trusted. + * + * @param string $filepath + * @param object $compiler compiler object + * @return boolean true if directory is trusted + */ + function isTrustedResourceDir($filepath) + { + $_rp = realpath($filepath); + if (isset($this->smarty->template_dir)) { + foreach ((array)$this->smarty->template_dir as $curr_dir) { + if (($_cd = realpath($curr_dir)) !== false && + strncmp($_rp, $_cd, strlen($_cd)) == 0 && + (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) { + return true; + } + } + } + if (!empty($this->smarty->security_policy->secure_dir)) { + foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) { + if (($_cd = realpath($curr_dir)) !== false) { + if ($_cd == $_rp) { + return true; + } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 && + (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) { + return true; + } + } + } + } + + throw new SmartyException ("directory '{$_rp}' not allowed by security setting"); + return false; + } + + /** + * Check if directory of file resource is trusted. + * + * @param string $filepath + * @param object $compiler compiler object + * @return boolean true if directory is trusted + */ + function isTrustedPHPDir($filepath) + { + $_rp = realpath($filepath); + if (!empty($this->trusted_dir)) { + foreach ((array)$this->trusted_dir as $curr_dir) { + if (($_cd = realpath($curr_dir)) !== false) { + if ($_cd == $_rp) { + return true; + } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 && + substr($_rp, strlen($_cd), 1) == DS) { + return true; + } + } + } + } + + throw new SmartyException ("directory '{$_rp}' not allowed by security setting"); + return false; + } +} + +?> \ No newline at end of file