PageRenderTime 38ms CodeModel.GetById 16ms RepoModel.GetById 0ms app.codeStats 0ms

/external_lib/Smarty/sysplugins/smarty_internal_security_handler.php

https://github.com/modulargaming/kittokittokitto
PHP | 130 lines | 80 code | 5 blank | 45 comment | 29 complexity | e0c336e12f275b5aafa099f73209eeff MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3. * Smarty Internal Plugin Security Handler
    4. 

  4. * 
    5. 

  5. * @package Smarty
    6. 

  6. * @subpackage Security
    7. 

  7. * @author Uwe Tews 
    8. 

  8. */
    9. 

  9. /**
    10. 

  10. * This class contains all methods for security checking
    11. 

  11. */
    12. 

  12. class Smarty_Internal_Security_Handler {
    13. 

  13.     function __construct($smarty)
    14. 

  14.     {
    15. 

  15.         $this->smarty = $smarty;
    16. 

  16.     } 
    17. 

  17.     /**
    18. 

  18.     * Check if PHP function is trusted.
    19. 

  19.     * 
    20. 

  20.     * @param string $function_name 
    21. 

  21.     * @param object $compiler compiler object
    22. 

  22.     * @return boolean true if function is trusted
    23. 

  23.     */
    24. 

  24.     function isTrustedPhpFunction($function_name, $compiler)
    25. 

  25.     {
    26. 

  26.         if (empty($this->smarty->security_policy->php_functions) || in_array($function_name, $this->smarty->security_policy->php_functions)) {
    27. 

  27.             return true;
    28. 

  28.         } else {
    29. 

  29.             $compiler->trigger_template_error ("PHP function \"" . $function_name . "\" not allowed by security setting");
    30. 

  30.             return false;
    31. 

  31.         } 
    32. 

  32.     } 
    33. 

  33. 

  34.     /**
    35. 

  35.     * Check if modifier is trusted.
    36. 

  36.     * 
    37. 

  37.     * @param string $modifier_name 
    38. 

  38.     * @param object $compiler compiler object
    39. 

  39.     * @return boolean true if modifier is trusted
    40. 

  40.     */
    41. 

  41.     function isTrustedModifier($modifier_name, $compiler)
    42. 

  42.     {
    43. 

  43.         if (empty($this->smarty->security_policy->modifiers) || in_array($modifier_name, $this->smarty->security_policy->modifiers)) {
    44. 

  44.             return true;
    45. 

  45.         } else {
    46. 

  46.             $compiler->trigger_template_error ("modifier \"" . $modifier_name . "\" not allowed by security setting");
    47. 

  47.             return false;
    48. 

  48.         } 
    49. 

  49.     } 
    50. 

  50.     /**
    51. 

  51.     * Check if stream is trusted.
    52. 

  52.     * 
    53. 

  53.     * @param string $stream_name 
    54. 

  54.     * @param object $compiler compiler object
    55. 

  55.     * @return boolean true if stream is trusted
    56. 

  56.     */
    57. 

  57.     function isTrustedStream($stream_name)
    58. 

  58.     {
    59. 

  59.         if (empty($this->smarty->security_policy->streams) || in_array($stream_name, $this->smarty->security_policy->streams)) {
    60. 

  60.             return true;
    61. 

  61.         } else {
    62. 

  62.             throw new Exception ("stream \"" . $stream_name . "\" not allowed by security setting");
    63. 

  63.             return false;
    64. 

  64.         } 
    65. 

  65.     } 
    66. 

  66. 

  67.     /**
    68. 

  68.     * Check if directory of file resource is trusted.
    69. 

  69.     * 
    70. 

  70.     * @param string $filepath 
    71. 

  71.     * @param object $compiler compiler object
    72. 

  72.     * @return boolean true if directory is trusted
    73. 

  73.     */
    74. 

  74.     function isTrustedResourceDir($filepath)
    75. 

  75.     {
    76. 

  76.         $_rp = realpath($filepath);
    77. 

  77.         if (isset($this->smarty->template_dir)) {
    78. 

  78.             foreach ((array)$this->smarty->template_dir as $curr_dir) {
    79. 

  79.                 if (($_cd = realpath($curr_dir)) !== false &&
    80. 

  80.                         strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    81. 

  81.                         (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
    82. 

  82.                     return true;
    83. 

  83.                 } 
    84. 

  84.             } 
    85. 

  85.         } 
    86. 

  86.         if (!empty($this->smarty->security_policy->secure_dir)) {
    87. 

  87.             foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
    88. 

  88.                 if (($_cd = realpath($curr_dir)) !== false) {
    89. 

  89.                     if ($_cd == $_rp) {
    90. 

  90.                         return true;
    91. 

  91.                     } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    92. 

  92.                             (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
    93. 

  93.                         return true;
    94. 

  94.                     } 
    95. 

  95.                 } 
    96. 

  96.             } 
    97. 

  97.         } 
    98. 

  98. 

  99.         throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
    100. 

  100.         return false;
    101. 

  101.     } 
    102. 

  102.     /**
    103. 

  103.     * Check if directory of file resource is trusted.
    104. 

  104.     * 
    105. 

  105.     * @param string $filepath 
    106. 

  106.     * @param object $compiler compiler object
    107. 

  107.     * @return boolean true if directory is trusted
    108. 

  108.     */
    109. 

  109.     function isTrustedPHPDir($filepath)
    110. 

  110.     {
    111. 

  111.         $_rp = realpath($filepath);
    112. 

  112.         if (!empty($this->smarty->security_policy->trusted_dir)) {
    113. 

  113.             foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) {
    114. 

  114.                 if (($_cd = realpath($curr_dir)) !== false) {
    115. 

  115.                     if ($_cd == $_rp) {
    116. 

  116.                         return true;
    117. 

  117.                     } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    118. 

  118.                             substr($_rp, strlen($_cd), 1) == DS) {
    119. 

  119.                         return true;
    120. 

  120.                     } 
    121. 

  121.                 } 
    122. 

  122.             } 
    123. 

  123.         } 
    124. 

  124. 

  125.         throw new Exception ("directory \"" . $_rp . "\" not allowed by security setting");
    126. 

  126.         return false;
    127. 

  127.     } 
    128. 

  128. } 
    129. 

  129. 

  130. ?>
    131. 

  131.