
3.1RC versus 3.08

Aristophan
Smarty Regular


Joined: 10 Jan 2011
Posts: 96

Posted: Fri Jul 01, 2011 8:31 am    Post subject: 3.1RC versus 3.08

Hi
I'd like to test it, but there are some questions...

What happened to "_version"?

And
Notice: Undefined property: Smarty::$security_settings ...
Notice: Undefined property: Smarty::$security ...
Notice: Undefined property: Smarty::$secure_dir ...

did they change somehow?

Ian
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Fri Jul 01, 2011 11:16 am    Post subject:

Starting with Smarty 3.1 all Smarty 2 backward compatibility code has been moved into the SmartyBC class. Users who still need to use the old Smarty2 API methods need to load and instantiate SmartyBC instead of the Smarty class.

The $_version property is an old Smarty2 relic which is still available in SmartyBC. But you should better access the version by using the Smarty::SMARTY_VERSION constant.

In all versions of Smarty 3 security options are handled by the Smarty_Security class. See http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security.

This did not change between 3.0 and 3.1.

The only difference is that 3.0 did not drop a notice if you did write to an unused property.
Aristophan
Smarty Regular


Joined: 10 Jan 2011
Posts: 96

Posted: Fri Jul 01, 2011 5:11 pm    Post subject:

I see..! ;)
Thank you for the hints.

The docs had at least one little confuser for me, throwing an error.
I had to change $my_security_policy->$modifiers to

// allow everything as modifier, set default_modifiers = array();
$my_security_policy->allowed_modifier = array('sprintf', 'sizeof', 'count', 'rand', 'print_r', 'str_repeat');

What is the difference doing the same array to default_modifiers and/or $modifiers?


Just a small note. I still get a

Fatal error: Call to a member function getTemplateDir() on a non-object in ...\libs\sysplugins\smarty_security.php on line 297
I have set
$smarty->setTemplateDir(array($template_dir));
and further on in a loop
$smarty->addTemplateDir($path . $templatePath . $template);

Is there something I have to add to the $my_security_policy?
If I disable setting security policy by instance I get through (still not to the end, but way into the main template).

Confused...
Ian
rodneyrehm
Administrator


Joined: 30 Mar 2007
Posts: 674
Location: Germany, border to Switzerland

Posted: Sat Jul 02, 2011 8:37 am    Post subject:

When setting up security, you have two options:

$smarty->enableSecurity('MySecurity'); and $smarty->enableSecurity(new MySecurity($smarty));

You need to make sure that your constructor accepts the Smarty object:

Code:
class MySecurity extends SmartySecurity
{
  public function __construct(Smarty $smarty)
  {
    parent::__construct($smarty);
    // whatever you need to do to setup…
  }
}
Aristophan
Smarty Regular


Joined: 10 Jan 2011
Posts: 96

Posted: Thu Jul 07, 2011 11:40 am    Post subject:

I think this should be extends Smarty_Security!

Lastly, I got it working with default $smarty->enableSecurity();

But now I discovered something else...
we have framework plugins using smarty like this:

$inclusion = $smarty->security_settings[INCLUDE_ANY];
$smarty->security_settings[INCLUDE_ANY] = true;
$content = $smarty->fetch('file:'. $tfile);
$smarty->security_settings[INCLUDE_ANY] = $inclusion;
echo $content;

now throwing a triple Notice: Undefined property: Smarty::$security_settings in ....

How can I make them work again without writing a new Smarty_Security class?
Is it maybe that our plugins main directory has to be somehow set in addTemplateDir or setPluginsDir too?

You see I am still on my way to find the specific differences and learning... ;)
( There are still some funny things (for me!) like property allowed_modifier not named allowed_modifiers, the modifiers rand and str_repeat (used for years) throwing errors missing parameter 2..., confusing docs ...)
rodneyrehm
Administrator


Joined: 30 Mar 2007
Posts: 674
Location: Germany, border to Switzerland

Posted: Thu Jul 07, 2011 11:47 am    Post subject:

the clean and sane thing to do is to create a proper class extending Smarty_Security. Everything else is a hackery thing bound to blow up in your face - as $smarty->security_settings did. It was undocumented, thus not public, thus not reliable.

You could keep your $smarty->security_settings[]… thingie working, if you extended Smarty_Security to look for that exact property…
Aristophan
Smarty Regular


Joined: 10 Jan 2011
Posts: 96

Posted: Thu Jul 07, 2011 1:04 pm    Post subject:

globe wrote:
the clean and sane thing to do is to create a proper class extending Smarty_Security. Everything else is a hackery thing bound to blow up in your face - as $smarty->security_settings did. It was undocumented, thus not public, thus not reliable.

Hi :o
Does this mean we do/did not need this without losing security in Smarty2 (and no further setting)?

globe wrote:
You could keep your $smarty->security_settings[]… thingie working, if you extended Smarty_Security to look for that exact property…

Erm..., have you got an example...?

So, trying to find the best way, shall we get rid of the old stuff and it can be used with old Smarty 2 too?

Why isn't it included in the BC class?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Thu Jul 07, 2011 3:27 pm    Post subject:

Security of Smarty3 is not BC to Smarty2.
There are individual properties in the Smarty_Security class instead of the $smarty->security_settings array which is gone.

As long as you did not write custom modifiers for rand and str_repeat, Smarty does use the standard PHP functions, which do require 2 arguments. Maybe you suppressed these warnings by the error_reporting level before?
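
The setup discussed in this thread, as an added example that is not part of the original posts or of the Smarty project: a Smarty_Security subclass that passes the Smarty object to the parent constructor and trusts one specific plugin template directory up front, so plugin code no longer toggles $smarty->security_settings[INCLUDE_ANY] around fetch(). Assumptions: Smarty 3.1 final property names ($php_functions, $php_modifiers, $secure_dir, $static_classes), the class name FrameworkSecurity, the $pluginDirs parameter and all paths are hypothetical.

```php
<?php
// Added example; assumes Smarty 3.1 is installed under libs/ (constructed path).
require_once __DIR__ . '/libs/Smarty.class.php';

class FrameworkSecurity extends Smarty_Security
{
    // Remove embedded PHP from templates instead of passing it through.
    public $php_handling = Smarty::PHP_REMOVE;
    // PHP functions allowed in template expressions and as modifiers.
    public $php_functions = array('isset', 'empty', 'count', 'sizeof');
    public $php_modifiers = array('sprintf', 'count', 'sizeof');
    // null disables static class access; constants and superglobals stay off.
    public $static_classes = null;
    public $allow_constants = false;
    public $allow_super_globals = false;

    // $pluginDirs (hypothetical parameter): extra template directories to trust.
    public function __construct($smarty, array $pluginDirs = array())
    {
        // The policy needs the Smarty object; the thread's getTemplateDir()
        // fatal error was answered by passing it to the parent constructor.
        parent::__construct($smarty);
        foreach ($pluginDirs as $dir) {
            $real = realpath($dir);
            if ($real === false || !is_dir($real)) {
                throw new InvalidArgumentException("Not a directory: $dir");
            }
            // Trust only this resolved directory, not "include anything".
            $this->secure_dir[] = $real;
        }
    }
}

$smarty = new Smarty();
$smarty->setTemplateDir(array(__DIR__ . '/templates'));
$smarty->enableSecurity(new FrameworkSecurity($smarty, array(
    __DIR__ . '/plugins/templates',   // constructed path
)));

// Plugin code: the directory is already trusted, so no toggle is needed.
$tfile = __DIR__ . '/plugins/templates/box.tpl';  // constructed file name
echo $smarty->fetch('file:' . $tfile);
```

Templates outside the template directory and the listed plugin directories are still rejected by the policy, which is the restriction the old INCLUDE_ANY toggle switched off.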