К новейшей редакции | Содержимое файла | Последнее изменение | Открыть журнал | RSS
Редакция | Автор | № строки | Строка |
---|---|---|---|
304 | alex-w | 1 | <?php |
2 | /** |
||
3 | * Smarty Internal Plugin Security Handler |
||
4 | * |
||
5 | * @package Smarty |
||
6 | * @subpackage Security |
||
7 | * @author Uwe Tews |
||
8 | */ |
||
9 | /** |
||
10 | * This class contains all methods for security checking |
||
11 | */ |
||
12 | class Smarty_Internal_Security_Handler { |
||
13 | function __construct($smarty) |
||
14 | { |
||
15 | $this->smarty = $smarty; |
||
16 | } |
||
17 | /** |
||
18 | * Check if PHP function is trusted. |
||
19 | * |
||
20 | * @param string $function_name |
||
21 | * @param object $compiler compiler object |
||
22 | * @return boolean true if function is trusted |
||
23 | */ |
||
24 | function isTrustedPhpFunction($function_name, $compiler) |
||
25 | { |
||
26 | if (empty($this->smarty->security_policy->php_functions) || in_array($function_name, $this->smarty->security_policy->php_functions)) { |
||
27 | return true; |
||
28 | } else { |
||
29 | $compiler->trigger_template_error ("PHP function \"" . $function_name . "\" not allowed by security setting"); |
||
30 | return false; |
||
31 | } |
||
32 | } |
||
33 | |||
34 | /** |
||
35 | * Check if modifier is trusted. |
||
36 | * |
||
37 | * @param string $modifier_name |
||
38 | * @param object $compiler compiler object |
||
39 | * @return boolean true if modifier is trusted |
||
40 | */ |
||
41 | function isTrustedModifier($modifier_name, $compiler) |
||
42 | { |
||
43 | if (empty($this->smarty->security_policy->modifiers) || in_array($modifier_name, $this->smarty->security_policy->modifiers)) { |
||
44 | return true; |
||
45 | } else { |
||
46 | $compiler->trigger_template_error ("modifier \"" . $modifier_name . "\" not allowed by security setting"); |
||
47 | return false; |
||
48 | } |
||
49 | } |
||
50 | /** |
||
51 | * Check if stream is trusted. |
||
52 | * |
||
53 | * @param string $stream_name |
||
54 | * @param object $compiler compiler object |
||
55 | * @return boolean true if stream is trusted |
||
56 | */ |
||
57 | function isTrustedStream($stream_name) |
||
58 | { |
||
59 | if (empty($this->smarty->security_policy->streams) || in_array($stream_name, $this->smarty->security_policy->streams)) { |
||
60 | return true; |
||
61 | } else { |
||
62 | throw new Exception ("stream \"" . $stream_name . "\" not allowed by security setting"); |
||
63 | return false; |
||
64 | } |
||
65 | } |
||
66 | |||
67 | /** |
||
68 | * Check if directory of file resource is trusted. |
||
69 | * |
||
70 | * @param string $filepath |
||
71 | * @param object $compiler compiler object |
||
72 | * @return boolean true if directory is trusted |
||
73 | */ |
||
74 | function isTrustedResourceDir($filepath) |
||
75 | { |
||
76 | $_rp = realpath($filepath); |
||
77 | if (isset($this->smarty->template_dir)) { |
||
78 | foreach ((array)$this->smarty->template_dir as $curr_dir) { |
||
79 | if (($_cd = realpath($curr_dir)) !== false && |
||
80 | strncmp($_rp, $_cd, strlen($_cd)) == 0 && |
||
81 | (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) { |
||
82 | return true; |
||
83 | } |
||
84 | } |
||
85 | } |
||
86 | if (!empty($this->smarty->security_policy->secure_dir)) { |
||
87 | foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) { |
||
88 | if (($_cd = realpath($curr_dir)) !== false) { |
||
89 | if ($_cd == $_rp) { |
||
90 | return true; |
||
91 | } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 && |
||
92 | (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) { |
||
93 | return true; |
||
94 | } |
||
95 | } |
||
96 | } |
||
97 | } |
||
98 | |||
99 | throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting"); |
||
100 | return false; |
||
101 | } |
||
102 | /** |
||
103 | * Check if directory of file resource is trusted. |
||
104 | * |
||
105 | * @param string $filepath |
||
106 | * @param object $compiler compiler object |
||
107 | * @return boolean true if directory is trusted |
||
108 | */ |
||
109 | function isTrustedPHPDir($filepath) |
||
110 | { |
||
111 | $_rp = realpath($filepath); |
||
112 | if (!empty($this->smarty->security_policy->trusted_dir)) { |
||
113 | foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) { |
||
114 | if (($_cd = realpath($curr_dir)) !== false) { |
||
115 | if ($_cd == $_rp) { |
||
116 | return true; |
||
117 | } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 && |
||
118 | substr($_rp, strlen($_cd), 1) == DS) { |
||
119 | return true; |
||
120 | } |
||
121 | } |
||
122 | } |
||
123 | } |
||
124 | |||
125 | throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting"); |
||
126 | return false; |
||
127 | } |
||
128 | } |
||
129 | |||
130 | ?> |