
Direct access to php define variables

 
carlitto
Smarty n00b


Joined: 10 Oct 2019
Posts: 3

Posted: Thu Oct 10, 2019 6:45 am    Post subject: Direct access to php define variables

Hi,

I upgraded from Smarty 3.1.21 to 3.1.33.

Apparently, if you have a PHP variable defined as follows:

define("myvar", "My var value");

It can be accessed in the template as {myvar}

Can we stop this behavior? Is this standard Smarty, or is something else happening in the background?

In our app we have a variable defined called "assign", which breaks the template code when the assign tag is used.

Thanks!
bsmither
Smarty Elite


Joined: 20 Dec 2011
Posts: 322
Location: West Coast

Posted: Thu Oct 10, 2019 6:08 pm

I have replicated this.

I first investigated using namespaces but that seems to be far too involved to solve.

I then used the shortcut:
Code:
{$varName = expression}
which seemed to work.
carlitto
Smarty n00b


Joined: 10 Oct 2019
Posts: 3

Posted: Thu Oct 10, 2019 6:57 pm

The shorthand for assign works indeed.

However, all other tags are evaluating to PHP constants (custom blocks, functions, etc.).

Is there a setting to stop evaluating php constants this way?
bsmither
Smarty Elite


Joined: 20 Dec 2011
Posts: 322
Location: West Coast

Posted: Thu Oct 10, 2019 8:36 pm

Just curious: Are you saying you have quite a few PHP constants using names of Smarty keywords?

If so, then the solution is to convince Smarty to not "see" these keywords as possible constants. Note: this is not the same as disallowing access to these constants.

That is, we can disallow access to constants. See:
https://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security
especially the allow_constants property, and see:
https://github.com/smarty-php/smarty/blob/master/NEW_FEATURES.txt
especially the trusted_constants parameter (line 260).

But, disallowing access to the constants still causes Smarty to throw an Exception announcing access has been denied -- the keyword not being 'bypassed' or 'ignored' as a constant but parsed as being a Smarty function.

So, no answer as yet.
carlitto
Smarty n00b


Joined: 10 Oct 2019
Posts: 3

Posted: Fri Oct 11, 2019 4:47 am

Quote:
Just curious: Are you saying you have quite a few PHP constants using names of Smarty keywords?

For some reason, yes, those constants are present and they do break with Smarty. This only happens starting with v3.1.23.


Quote:

That is, we can disallow access to constants. See:
https://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security
especially the allow_constants property, and see:
https://github.com/smarty-php/smarty/blob/master/NEW_FEATURES.txt
especially the trusted_constants parameter (line 260).


I've seen this part of the doc and they specifically indicate that the constants can be accessed using
Code:
$smarty.const.variable
but not directly.

I think there should be a way to not directly "see" these keywords as constants, since anyone can break Smarty by defining a PHP variable having the same Smarty tag name (and the generated exception doesn't say much; it was hard to find). How can we convince Smarty? :) Shall I post this on GitHub?
bsmither
Smarty Elite


Joined: 20 Dec 2011
Posts: 322
Location: West Coast

Posted: Fri Oct 11, 2019 7:01 am

It wouldn't hurt to post an issue on GitHub.
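Added example, not part of any post in this thread and not Smarty's own code: a bootstrap check that flags user-defined PHP constants whose names match Smarty tag names, which is the collision the thread reports. The function name, the constant `SMARTY_TAG_NAMES` and its (partial) tag list are assumptions; extend the list with the custom blocks and functions your application registers.

```php
<?php
declare(strict_types=1);

// Assumed, partial list of Smarty 3 built-in tag names. Add the names of
// any custom blocks and functions registered by your application.
const SMARTY_TAG_NAMES = [
    'append', 'assign', 'block', 'call', 'capture', 'config_load', 'debug',
    'extends', 'for', 'foreach', 'function', 'if', 'include', 'insert',
    'ldelim', 'rdelim', 'literal', 'nocache', 'section', 'setfilter',
    'strip', 'while',
];

/**
 * Hypothetical helper: return the user-defined constants whose name is
 * exactly equal to one of the given tag names (case-sensitive match).
 */
function find_tag_constant_collisions(array $tagNames, ?array $constants = null): array
{
    // get_defined_constants(true) groups constants by origin; the "user"
    // group holds those created with define() or const, and is absent
    // when no user constants exist.
    $constants = $constants ?? (get_defined_constants(true)['user'] ?? []);

    $collisions = [];
    foreach ($tagNames as $tag) {
        if (array_key_exists($tag, $constants)) {
            $collisions[$tag] = $constants[$tag];
        }
    }
    return $collisions;
}

// Constructed sample reproducing the case from the first post.
define('assign', 'some application value'); // collides with {assign}
define('myvar', 'My var value');            // no collision

$collisions = find_tag_constant_collisions(SMARTY_TAG_NAMES);
foreach (array_keys($collisions) as $name) {
    // Log the name only: constant values may hold credentials.
    error_log("PHP constant '{$name}' has the same name as a Smarty tag");
}

// Non-zero exit lets CI or a deploy hook fail before templates compile.
exit($collisions === [] ? 0 : 1);
```

Run it after the application's own `define()` calls have executed, so the `user` group reflects what templates will actually see.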