Aristophan Smarty Regular
Joined: 10 Jan 2011 Posts: 96
Posted: Fri Jul 01, 2011 8:31 am Post subject: 3.1RC versus 3.08
Hi
I'd like to test it, but there are some questions...
What happened to "_version"?
And
Notice: Undefined property: Smarty::$security_settings ...
Notice: Undefined property: Smarty::$security ...
Notice: Undefined property: Smarty::$secure_dir ...
did they change somehow?
Ian

U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Fri Jul 01, 2011 11:16 am Post subject:
Starting with Smarty 3.1 all Smarty 2 backward compatibility code has been moved into the SmartyBC class. Users who still need to use the old Smarty2 API methods need to load and instantiate SmartyBC instead of the Smarty class.
The $_version property is an old Smarty2 relic which is still available in SmartyBC. But you should better access the version by using the Smarty::SMARTY_VERSION constant.
In all versions of Smarty 3 security options are handled by the Smarty_Security class. See http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security.
This did not change between 3.0 and 3.1.
The only difference is that 3.0 did not drop a notice if you did write to an unused property.

Aristophan Smarty Regular
Joined: 10 Jan 2011 Posts: 96
Posted: Fri Jul 01, 2011 5:11 pm Post subject:
I see..!
Thank you for the hints.
The docs had at least one little confuser for me, throwing an error.
I had to change $my_security_policy->$modifiers to
// allow everything as modifier, set default_modifiers = array();
$my_security_policy->allowed_modifier = array('sprintf', 'sizeof', 'count', 'rand', 'print_r', 'str_repeat');
What is the difference doing the same array to default_modifiers and/or $modifiers?
Just a small note. I still get a
Fatal error: Call to a member function getTemplateDir() on a non-object in ...\libs\sysplugins\smarty_security.php on line 297
I have set
$smarty->setTemplateDir(array($template_dir));
and further on in a loop
$smarty->addTemplateDir($path . $templatePath . $template);
Is there something I have to add to the $my_security_policy?
If I disable setting security policy by instance I get through (still not to the end, but way into the main template).
Confused...
Ian

rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
Posted: Sat Jul 02, 2011 8:37 am Post subject:
When setting up security, you have two options:
$smarty->enableSecurity('MySecurity'); and $smarty->enableSecurity(new MySecurity($smarty));
You need to make sure that your constructor accepts the Smarty object:
Code: | class MySecurity extends SmartySecurity
{
    public function __construct(Smarty $smarty)
    {
        parent::__construct($smarty);
        // whatever you need to do to setup…
    }
} |

Aristophan Smarty Regular
Joined: 10 Jan 2011 Posts: 96
Posted: Thu Jul 07, 2011 11:40 am Post subject:
I think this should be extends Smarty_Security!
Lastly, I got it working with default $smarty->enableSecurity();
But now I discovered something else...
we have framework plugins using smarty like this:
$inclusion = $smarty->security_settings[INCLUDE_ANY];
$smarty->security_settings[INCLUDE_ANY] = true;
$content = $smarty->fetch('file:'. $tfile);
$smarty->security_settings[INCLUDE_ANY] = $inclusion;
echo $content;
now throwing a triple Notice: Undefined property: Smarty::$security_settings in ....
How can I make them work again without writing a new Smarty_Security class?
Is it maybe that our plugins main directory has to be somehow set in addTemplateDir or setPluginsDir too?
You see I am still on my way to find the specific differences and learning...
( There are still some funny things (for me!) like property allowed_modifier not named allowed_modifiers, the modifiers rand and str_repeat (used for years) throwing errors missing parameter 2..., confusing docs ...)

rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
Posted: Thu Jul 07, 2011 11:47 am Post subject:
the clean and sane thing to do is to create a proper class extending Smarty_Security. Everything else is a hackery thing bound to blow up in your face - as $smarty->security_settings did. It was undocumented, thus not public, thus not reliable.
You could keep your $smarty->security_settings[]… thingie working, if you extended Smarty_Security to look for that exact property…

Aristophan Smarty Regular
Joined: 10 Jan 2011 Posts: 96
Posted: Thu Jul 07, 2011 1:04 pm Post subject:
globe wrote: | the clean and sane thing to do is to create a proper class extending Smarty_Security. Everything else is a hackery thing bound to blow up in your face - as $smarty->security_settings did. It was undocumented, thus not public, thus not reliable. |
Hi
Does this mean we do/did not need this without losing security in Smarty2 (and no further setting)?
globe wrote: | You could keep your $smarty->security_settings[]… thingie working, if you extended Smarty_Security to look for that exact property… |
Erm..., have you got an example...?
So, trying to find the best way, shall we get rid of the old stuff and it can be used with old Smarty 2 too?
Why isn't it included in the BC class?

U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Thu Jul 07, 2011 3:27 pm Post subject:
Security of Smarty3 is not BC to Smarty2.
There are individual properties in the Smarty_Security class instead of the $smarty->security_settings array which is gone.
As long as you did not write custom modifiers for rand and str_repeat, Smarty does use the standard PHP functions which do require 2 arguments. Maybe you suppressed these warnings by the error_reporting level before?
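
Added example, not part of the thread and not Smarty's own code: one way to replace the Smarty 2 pattern of switching `$smarty->security_settings[INCLUDE_ANY]` on around a `fetch()` with a `Smarty_Security` subclass that allow-lists only the plugin template directory through `$secure_dir`. The class name `PluginSecurity`, the helper `fetchPluginTemplate()`, the library path and the directory and file names are assumptions made for illustration.

```php
<?php
// Added example; PluginSecurity, fetchPluginTemplate() and all paths below
// are hypothetical names chosen for illustration.
require_once 'libs/Smarty.class.php';

class PluginSecurity extends Smarty_Security
{
    public function __construct($smarty, array $extraDirs = array())
    {
        parent::__construct($smarty);
        // $secure_dir lists directories trusted in addition to the template dirs.
        foreach ($extraDirs as $dir) {
            $real = realpath($dir);
            if ($real === false || !is_dir($real)) {
                throw new InvalidArgumentException("Not a directory: $dir");
            }
            $this->secure_dir[] = $real;
        }
    }
}

function fetchPluginTemplate(Smarty $smarty, $pluginDir, $tfile)
{
    // Resolve the path first so "../" sequences in $tfile cannot leave
    // the plugin directory before Smarty's own directory check runs.
    $base = realpath($pluginDir);
    $file = realpath($pluginDir . DIRECTORY_SEPARATOR . $tfile);
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Template outside plugin directory');
    }
    // Security stays enabled for the whole fetch; nothing is toggled.
    return $smarty->fetch('file:' . $file);
}

$pluginTemplates = __DIR__ . '/plugins/templates';   // assumed layout
$smarty = new Smarty();
$smarty->setTemplateDir(array(__DIR__ . '/templates'));
$smarty->enableSecurity(new PluginSecurity($smarty, array($pluginTemplates)));
echo fetchPluginTemplate($smarty, $pluginTemplates, 'box.tpl');
```

Unlike the old toggle, the policy never widens to "any file" during the call, so a template path influenced by request data cannot reach files outside the listed directory.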