Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

secure_dir and template_exists

 
Post new topic   Reply to topic    Smarty Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
tifster
Smarty n00b


Joined: 04 Sep 2003
Posts: 2

PostPosted: Thu Sep 04, 2003 7:27 am    Post subject: secure_dir and template_exists Reply with quote

It appears that template_exists($file) doesn't implicitly include template_dir in the
secure_dir array. It looks like _is_secure() is where this should be implemented
but isn't.

It's conceivable that I'm doing something wrong, so I'll provide a bit more detail.
I have subclassed Smarty in order to set the parameters I want. I call the Smarty
constructor and then set template_dir to a directory, set security = true, etc. The
comments imply that I shouldn't have to set secure_dir if I just want it to include
the template_dir. Later I call template_exists($file) where $file is a filename that
does exist in the template_dir but it returns false. Investigation revealed that
the cause of this was _is_secure().

--tif
Back to top
View user's profile Send private message
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Thu Sep 04, 2003 7:54 am    Post subject: Reply with quote

hi tifster,

The manual page for $security says that as well as other limitations imposed when $security = true :
Quote:
- templates can only be included from directories listed in the $secure_dir array

- local files can only be fetched from directories listed in the $secure_dir array using {fetch}

So yes, the paths must be specified in $secure_dir for Smarty to see them while operating under $security = true.

You can probably get away with something like:

$smarty->secure_dir = $smarty->template_dir;

in your constructor if you intend to set both (for example, if your app needs to switch between modes to handle both trusted and untrusted templates).

HTH
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Thu Sep 04, 2003 8:10 am    Post subject: Re: secure_dir and template_exists Reply with quote

tifster wrote:
The comments imply that I shouldn't have to set secure_dir if I just want it to include the template_dir.


what kind of comments and where?
Back to top
View user's profile Send private message Send e-mail Visit poster's website
tifster
Smarty n00b


Joined: 04 Sep 2003
Posts: 2

PostPosted: Thu Sep 04, 2003 10:39 am    Post subject: Re: secure_dir and template_exists Reply with quote

messju wrote:
tifster wrote:
The comments imply that I shouldn't have to set secure_dir if I just want it to include the template_dir.


what kind of comments and where?


In Smarty.class.php, just above $secure_dir = array(), it says "{@link $template_dir} is in this list
implicitly." Now that I've looked a little closer, fetch() adds $template_dir to $secure_dir, but it
is possible, and even logical, to ask if template_exists() before running fetch() or display().

--tif
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Thu Sep 04, 2003 10:56 am    Post subject: Reply with quote

i see. thanks for pointing this out. i will fix it.
Back to top
View user's profile Send private message Send e-mail Visit poster's website
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Sun Oct 12, 2003 10:21 pm    Post subject: Reply with quote

okay, it's fixed in CVS. template_exists() should work like fetch() now according to security=true and template_dir being automatically a "secure_dir".
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP