Get Smarty

Donate

Donate Bitcoin Bitcoin
Paypal

Smarty Icon

You may use the Smarty logo according to the trademark notice.

Smarty Template Engine Smarty Template Engine

For sponsorship, advertising, news or other inquiries, contact us at:

Sites Using Smarty

Largest classified with thousands of ads at Shoppok

Buy cheap eyeglasses from Cheapglasses123.com and save up to 80%.

Buy prescription glasses from www.australiaglasses.com and save.

Cheap Glasses Now On Sale at GlassesPeople.com. Starts At $7.95.

Where to buy discount wedding dresses and cheap smart dresses free shipping - Weddingdresstrend.com

Find Wedding Dresses Online at Canada from Ca-dresses.com

Find your local domestic cleaner

Read these great ice cream maker reviews

Advertisement

Chapter 17. Advanced Features

Security

Security is good for situations when you have untrusted parties editing the templates eg via ftp, and you want to reduce the risk of system security compromises through the template language.

The settings of the security policy are defined by properties of an instance of the Smarty_Security class. These are the possible settings:

  • $php_handling determines how Smarty to handle PHP code embedded in templates. Possible values are:

    • Smarty::PHP_PASSTHRU -> echo PHP tags as they are

    • Smarty::PHP_QUOTE -> escape tags as entities

    • Smarty::PHP_REMOVE -> remove php tags

    • Smarty::PHP_ALLOW -> execute php tags

    The default value is Smarty::PHP_PASSTHRU.

    If security is enabled the $php_handling setting of the Smarty object is not checked for security.

  • $secure_dir is an array of template directories that are considered secure. $template_dir concidered secure implicitly. The default is an empty array.

  • $trusted_dir is an array of all directories that are considered trusted. Trusted directories are where you keep php scripts that are executed directly from the templates with {include_php}. The default is an empty array.

  • $trusted_uri is an array of regular expressions matching URIs that are considered trusted. This security directive used by {fetch} and {html_image}. URIs passed to these functions are reduced to {$PROTOCOL}://{$HOSTNAME} to allow simple regular expressions (without having to deal with edge cases like authentication-tokens).

    The expression '#https?://.*smarty.net$#i' would allow accessing the follwing URIs:

    • http://smarty.net/foo

    • http://smarty.net/foo

    • http://www.smarty.net/foo

    • http://smarty.net/foo

    • https://foo.bar.www.smarty.net/foo/bla?blubb=1

    but deny access to these URIs:

    • http://smarty.com/foo (not matching top-level domain "com")

    • ftp://www.smarty.net/foo (not matching protocol "ftp")

    • http://www.smarty.net.otherdomain.com/foo (not matching end of domain "smarty.net")

  • $static_classes is an array of classes that are considered trusted. The default is an empty array which allows access to all static classes. To disable access to all static classes set $static_classes = null.

  • $php_functions is an array of PHP functions that are considered trusted and can be used from within template. To disable access to all PHP functions set $php_functions = null. An empty array ( $php_functions = array() ) will allow all PHP functions. The default is array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array','time','nl2br').

  • $php_modifiers is an array of PHP functions that are considered trusted and can be used from within template as modifier. To disable access to all PHP modifier set $php_modifier = null. An empty array ( $php_modifier = array() ) will allow all PHP functions. The default is array('escape','count').

  • $streams is an array of streams that are considered trusted and can be used from within template. To disable access to all streams set $streams = null. An empty array ( $streams = array() ) will allow all streams. The default is array('file').

  • $allowed_modifiers is an array of (registered / autoloaded) modifiers that should be accessible to the template. If this array is non-empty, only the herein listed modifiers may be used. This is a whitelist.

  • $disabled_modifiers is an array of (registered / autoloaded) modifiers that may not be accessible to the template.

  • $allowed_tags is a boolean flag which controls if constants can function-, block and filter plugins that should be accessible to the template. If this array is non-empty, only the herein listed modifiers may be used. This is a whitelist.

  • $disabled_tags is an array of (registered / autoloaded) function-, block and filter plugins that may not be accessible to the template.

  • $allow_constants is a boolean flag which controls if constants can be accessed by the template. The default is "true".

  • $allow_super_globals is a boolean flag which controls if the PHP super globals can be accessed by the template. The default is "true".

  • $allow_php_tag is a boolean flag which controls if {php} and {include_php} tags can be used by the template. The default is "false".

If security is enabled, no private methods, functions or properties of static classes or assigned objects can be accessed (beginningwith '_') by the template.

To customize the security policy settings you can extend the Smarty_Security class or create an instance of it.

Example 17.1. Setting security policy by extending the Smarty_Security class


<?php
require 'Smarty.class.php';

class My_Security_Policy extends Smarty_Security {
  // disable all PHP functions
  public $php_functions = null;
  // remove PHP tags
  public $php_handling = Smarty::PHP_REMOVE;
  // allow everthing as modifier
  public $modifiers = array();
}
$smarty = new Smarty();
// enable security
$smarty->enableSecurity('My_Security_Policy');
?>


Example 17.2. Setting security policy by instance of the Smarty_Security class


<?php
require 'Smarty.class.php';
$smarty = new Smarty();
$my_security_policy = new Smarty_Security($smarty);
// disable all PHP functions
$my_security_policy->php_functions = null;
// remove PHP tags
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
// allow everthing as modifier
$my_security_policy->$modifiers = array();
// enable security
$smarty->enableSecurity($my_security_policy);
?>


Example 17.3. Enable security with the default settings


<?php
require 'Smarty.class.php';
$smarty = new Smarty();
// enable default security
$smarty->enableSecurity();
?>


Note

Must security policy settings are only checked when the template gets compiled. For that reasion you should delete all cached and compiled template files when you change your security settings.

Comments
by Marcelloh on Jan 26, 2012 at 9:22
$php_modifier = array() ) will allow all PHP functions But in the examples it shows like: public $modifiers = array(); Which one is correct? BTW: when using it as an empty array (in both ways) I still couldn't use strstr for example.
by Rusell G. on Oct 25, 2011 at 11:37
In examples 17.1 and 17.2 above, $modifiers should be $php_modifiers. [Moderator: please feel free to change the documentation and delete this comment. Thanks.]
Post a Comment
All comments are moderated. Support questions are ignored, use the forums instead.
Author:
Email: (not shown)
What is 20 plus 17? (Are you human?)

Advertisement

Sponsors [info]

UK Web Hosting @webhost.uk.net
Best Web Hosting @rshosting.com
Web Hosting UK @webhostinguk.com
Unlimited Web Hosting @infrenion.com
App Entwicklung @morphodo.com
First Click Internet Marketing @fcinternetmarketing.com