Smarty

[aloner]

I've cooked up some code to replace 'math' function with native PHP code. Use pseudo-function 's_math' insted of 'math'.

Code:

[php:1:31b7e80fa2]<?php
/*
* Smarty plugin
* -------------------------------------------------------------
* File: compiler.s_math.php
* Type: compiler
* Name: s_math
* Author: Pavel 'aloner' Prishivalko,
* error/security check code by Smarty developers
* -------------------------------------------------------------
*/
function smarty_compiler_s_math($tag_arg, &$smarty)
{
$attrs = $smarty->_parse_attrs($tag_arg);

// be sure equation parameter is present
if (empty($attrs['equation'])) {
$smarty->trigger_error('s_math: missing equation parameter');
return;
}
$equation = $smarty->_dequote($attrs['equation']);
$err = "\n equation: '$equation'";

// make sure parenthesis are balanced
if (substr_count($equation,'(') != substr_count($equation,')')) {
$smarty->trigger_error('s_math: unbalanced parenthesis,'.$err);
return;
}

// match all vars in equation, make sure all are passed
preg_match_all('!([a-zA-Z][a-zA-Z0-9_]*)!', $equation, $match);

$allowed_funcs = array('int','abs','ceil','cos','exp','floor','log','log10',
'max','min','pi','pow','rand','round','sin','sqrt','srand','tan');
foreach($match[1] as $curr_var) {
if (!in_array($curr_var, array_keys($attrs)) && !in_array($curr_var, $allowed_funcs)) {
$smarty->trigger_error("s_math: parameter '$curr_var' not passed as argument or is unknown function,".$err);
return;
}
}

$PHP = '';

$pats = array();
$reps = array();

foreach ($attrs as $param_name => $param_value) {
if (!in_array($param_name, array('equation', 'assign', 'format'))) {
if (substr($param_value,0,1) == '$') {
$have_var = true;
// Is variable, need runtime checking.
$PHP .= "if(strlen($param_value)==0){\$this->trigger_error('s_math: parameter \'$param_name\' is empty');\$__smok=0;}else{if(\$__smok && !is_numeric($param_value)) \$this->trigger_error('s_math: parameter \'$param_name\' is not numeric');\$__smok=0;}\n";
}
$pats[] = '!\b'.preg_quote($param_name).'\b!';
$reps[] = ' '.$smarty->_dequote($param_value).' ';
}
}
$equation = preg_replace($pats, $reps, ' '.$equation.' ');

if ($have_var) {
$PHP = '$__smok=true;'.$PHP.'if($__smok)';
}
if ($attrs['assign']) {
$PHP .= '$this->_tpl_vars[\''.$smarty->_dequote($attrs['assign']).'\'] = ( ';
} else {
$PHP .= 'echo( ';
}

if ($attrs['format']) $equation = 'sprintf( \''.$smarty->_dequote($attrs['format']).'\' , ( '.$equation.' ) )';

$PHP .= $equation . ');';
return $PHP;
}
?>[/php:1:31b7e80fa2]

Example:

[boots]

I'm going to try this out. Have you considered using a compiler function for this instead of a filter?

[aloner]

Boots, thanks for suggestion. I've turned it into compiler function.

Well, my first compiler function then.
_________________
Your ad here.

[boots]

Just thought I'd report how much faster aloner's plugin is (especially in the compiled form!):

I ran the following extremely simple section using both the distribution {math} plugin and then with aloner's compiler version.

[messju]

[boots]

I love a challenge!

I've don't use the security feature, so it didn't occur to me . I also found that security is not (yet) very well documented.

I haven't tried this yet, but I don't *think* it breaks security: it doesn't pass a <?php .. ?> back to Smarty -- only the included code.

Certainly, the manual does not indicate that compiled functions are a no-no with security on. Does it??

Nor do I think this SHOULD be considered a security hole!

xo boots

ps. I was hinting at the fact that with some checks put into aloner's code, it would be a good candidate to replace the distributions current math function plugin.

pps. I'm not sure why a compiler function is a hole -- it is not something that template users have control over and they can't simply inject code by putting it one of the parameters.

[messju]

it was not my point to state that a compiler-function is more a security hole than any other function. administrators have to restrict plugin_dir to sth. containing "harmless" plugins when using $smarty->security. me, being paranoid, i wouldn't consider the plugins directory of a smarty-distribution harmless, i would pick only the plugins absolutely needed out of it and put it into safe-plugins-dir when $security=true.

at first sight i consider the current implementation of math less harmful, but i must admit, i didn't test if s_math above breaks security. i just presumed, because it dumps $equation into the template.

this doesn't render the approach above useless in any way, i just thought we have to keep an option open for people needing {math} *and* security=true.

be sure, i check the benefits of s_match, but please understand, that this doesn't enjoy high-priority, math can be optimized best by being done in php in the first place.

[boots]

[messju]

if have no problem in admitting the beating of any pants of it since i didn't wear them at any time when a beating occured .
i don't use {math}.
i never considered anything computational expensive inside a smarty-template. i have no problem if people are rendering the mandelbrot-set as bgcolors in a n-times-m table. or some glass-spheres over a checker-board for bigger ns and ms. but i think the more we optimize {math} the less we make people think about tweaking their data *before* the template gets hands on it.
just a thought.

[boots]

you a funny guy, messju

Okay, I would agree that anyone calculating sets in template should step back and think about what they are trying to do. On the other hand, people DO a lot of math in template to handle simple things like keeping track of position in sections or determining depth, etc. When done in loops, the provided {math} really shows its inability.

Application logic should be separate from template logic , but the reverse is true as well: things that you need to calculate only for the template execution should not be performed in your PHP code, if possible. It makes things simpler that way.

Just my 2c.

I also want to thank you for all of your input--I very much respect your opinion!

[messju]

my argumentation is a bad excuse for a sub-optimal implemention of math. smarty should be as good/optimized/lean as possible. in a smarty distribution this includes each and every plugin has to be hand-picked checked and put back if worth or replaced/omitted if dubious. sorry for my lazy argumentation against a faster math.

@aloner: i think s_math has potential, but cases like:
{s_math equation="system('cat /etc/passwd')"}
have to be prevented IMHO

[aloner]

Well, probably I could hack s_math a bit and make it use 'math' when we have security on.

Will try it some time.
_________________
Your ad here.

[aloner]

Probably we can put out 'equation' check from Math and make it shared.
Then we just have to check it during compile time and alert user.
_________________
Your ad here.

[aloner]

Okay, you asked it - you got it.

There's updated version, which brings compile-time error/security checking (code courtesy of Math plugin) and even runtime variables checking.
Also I revamped some parts of it to make it supposedly faster. Also I think there a couple of bottlenecks which can be bit faster...

Feel free to test and report its 'esoteric features' here.

Maybe it can replace standart Math plugin - it seems to meet all requirements.
_________________
Your ad here.

[boots]

aloner, your post got me to thinking that it might be useful if there was a smarty provided function that allowed plugin developers to check if their input parameters are "safe" instead of relying on plugin writers to roll their own checks. It wouldn't remove all the checking that a plugin writer needs to do, but it can at least provide a common place where typical injections get scanned.

Just a thought.