Posted: Fri Jan 02, 2004 7:32 pm Post subject: Default Template Handler Security |
It seems that if you use a default template handler and security for template dirs is on, the security check always fails (because the system checks to see if the template file exists in one of the secure locations, but since the default template handler generates it, the file doesn't exist in any location).
My workaround is to assume that anything provided by the default template handler is secure.
Changes were made in Smarty.class.php [version 2.6.0] in function _fetch_resource_info(&$params) [line 1565]
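/**
 * fetch the template info. Gets timestamp, and source
 * if get_source is true
 *
 * sets $source_content to the source of the template, and
 * $resource_timestamp to its time stamp
 *
 * Resolution order: the parsed resource is tried first (a 'file', or a
 * registered resource plugin for any other type). If that yields nothing,
 * default_template_handler_func is consulted; anything it supplies is
 * flagged $_default and SKIPS the secure-mode check below, because (per the
 * author's note) smarty_core_is_secure() looks for an existing file under
 * the secure directories and a generated template has none. The default
 * handler is therefore a trust boundary of its own: it must validate or
 * ignore the resource name it is handed before deciding what to serve.
 *
 * For 'file' resources the source is read from disk BEFORE the secure-mode
 * check runs; on a failed check the content and timestamp are cleared and
 * false is returned, but the read itself has already happened.
 *
 * @param array $params by reference; reads resource_name, optional
 *        resource_base_path, get_source (default true) and quiet
 *        (default false); writes source_content and resource_timestamp
 * @return boolean true if the resource was found (and, with security on,
 *         passed the secure-mode check or came from the default handler)
 */
function _fetch_resource_info(&$params)
{
    if(!isset($params['get_source'])) { $params['get_source'] = true; }
    if(!isset($params['quiet'])) { $params['quiet'] = false; }
    $_return = false;
    $_default = false;
    $_params = array('resource_name' => $params['resource_name']) ;
    if (isset($params['resource_base_path']))
        $_params['resource_base_path'] = $params['resource_base_path'];
    if ($this->_parse_resource_name($_params)) {
        $_resource_type = $_params['resource_type'];
        $_resource_name = $_params['resource_name'];
        switch ($_resource_type) {
            case 'file':
                // check existence first: filemtime() on a missing path emits
                // a warning, and a directory or absent path has no source to
                // read. The return value is unchanged (true iff a regular file).
                if (is_file($_resource_name)) {
                    if ($params['get_source']) {
                        $params['source_content'] = $this->_read_file($_resource_name);
                    }
                    $params['resource_timestamp'] = filemtime($_resource_name);
                    $_return = true;
                }
                break;
            default:
                // call resource functions to fetch the template source and timestamp;
                // index [0][0] is the plugin's source callback, [0][1] its timestamp
                // callback, both receiving the output slot by reference
                if ($params['get_source']) {
                    $_source_return = isset($this->_plugins['resource'][$_resource_type]) &&
                        call_user_func_array($this->_plugins['resource'][$_resource_type][0][0],
                                             array($_resource_name, &$params['source_content'], &$this));
                } else {
                    $_source_return = true;
                }
                $_timestamp_return = isset($this->_plugins['resource'][$_resource_type]) &&
                    call_user_func_array($this->_plugins['resource'][$_resource_type][0][1],
                                         array($_resource_name, &$params['resource_timestamp'], &$this));
                $_return = $_source_return && $_timestamp_return;
                break;
        }
    }
    if (!$_return) {
        // see if we can get a template with the default template handler
        if (!empty($this->default_template_handler_func)) {
            if (!is_callable($this->default_template_handler_func)) {
                // NOTE: an array-style callable interpolates as "Array" here
                $this->trigger_error("default template handler function \"$this->default_template_handler_func\" doesn't exist.");
            } else {
                $_return = call_user_func_array(
                    $this->default_template_handler_func,
                    array($_params['resource_type'], $_params['resource_name'], &$params['source_content'], &$params['resource_timestamp'], &$this));
                if ($_return) {
                    // remember that this content was generated, not loaded from
                    // a secure directory, so the check below is skipped for it
                    $_default = true;
                }
            }
        }
    }
    if (!$_return) {
        if (!$params['quiet']) {
            $this->trigger_error('unable to read resource: "' . $params['resource_name'] . '"');
        }
    } else if ($_return && $this->security && !$_default) {
        // secure mode: only resources that passed through _parse_resource_name
        // (not default-handler output) are checked against the secure dirs
        require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.is_secure.php');
        if (!smarty_core_is_secure($_params, $this)) {
            if (!$params['quiet'])
                $this->trigger_error('(secure mode) accessing "' . $params['resource_name'] . '" is not allowed');
            // drop anything already loaded so the caller cannot use it
            $params['source_content'] = null;
            $params['resource_timestamp'] = null;
            return false;
        }
    }
    return $_return;
}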
I'm not sure whether this is the best or most secure way to work around this.