PageRenderTime 41ms CodeModel.GetById 12ms RepoModel.GetById 0ms app.codeStats 0ms

/include/serendipity_smarty_class.inc.php

http://github.com/s9y/Serendipity
PHP | 292 lines | 119 code | 50 blank | 123 comment | 21 complexity | 64e8446be5afd375d313c9bb1e103801 MD5 | raw file
Possible License(s): BSD-3-Clause, LGPL-3.0, LGPL-2.1, MPL-2.0-no-copyleft-exception, Apache-2.0 
    

  1. <?php
    2. 

  2. // serendipity_smarty_class.inc.php lm 2014-12-10 Ian
    3. 

  3. 

  4. // define secure_dir and trusted_dirs for Serendipity_Smarty_Security_Policy class.
    5. 

  5. @define('S9Y_TEMPLATE_FALLBACK',    $serendipity['serendipityPath'] . $serendipity['templatePath'] . 'default');
    6. 

  6. @define('S9Y_TEMPLATE_USERDEFAULT', $serendipity['serendipityPath'] . $serendipity['templatePath'] . $serendipity['template']);
    7. 

  7. @define('S9Y_TEMPLATE_USERDEFAULT_BACKEND', $serendipity['serendipityPath'] . $serendipity['templatePath'] . $serendipity['template_backend']);
    8. 

  8. @define('S9Y_TEMPLATE_SECUREDIR',   $serendipity['serendipityPath'] . $serendipity['templatePath']);
    9. 

  9. 

  10. 

  11. // Create a wrapper class extended from Smarty_Security - which allows access to S9Y-plugin and S9Y-template dirs
    12. 

  12. class Serendipity_Smarty_Security_Policy extends Smarty_Security
    13. 

  13.   {
    14. 

  14.     // these are the allowed functions only. - default as is
    15. 

  15.     public $php_functions = array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time', 'nl2br', 'class_exists', );
    16. 

  16.     // to disable all PHP functions
    17. 

  17.     #public $php_functions = null;
    18. 

  18. 

  19.     // remove PHP tags
    20. 

  20.     public $php_handling = Smarty::PHP_REMOVE; // = 2
    21. 

  21. 

  22.     // set allowed modifiers only. (default = array( 'escape', 'count' );)
    23. 

  23.     public $php_modifiers = array('escape', 'sprintf', 'sizeof', 'count', 'rand', 'print_r', 'str_repeat', 'nl2br', 'array_key_exists');
    24. 

  24. 

  25.     public $allow_constants = true;
    26. 

  26. 

  27.     public $allow_super_globals = true;
    28. 

  28. 

  29.     // array of template directories that are considered secure. No need, as ...TemplateDir concidered secure implicitly.  (unproofed)
    30. 

  30.     public $secure_dir = array(S9Y_TEMPLATE_SECUREDIR); // do we need this then?
    31. 

  31. 

  32.     // actually no need, as template dirs are explicit defined as trusted_dirs. (unproofed)
    33. 

  33.     public $trusted_dir = array(S9Y_TEMPLATE_USERDEFAULT, S9Y_TEMPLATE_USERDEFAULT_BACKEND, S9Y_TEMPLATE_FALLBACK); // do we need this then?
    34. 

  34. 

  35.     #public $modifiers = array(); // can be omitted, when all allowed
    36. 

  36. 

  37.     // to test this - overwrites Serendipity_Smarty::default_modifiers and Serendipity_Smarty_Security_Policy::php_modifiers - modifier 'escape' not allowed by security setting
    38. 

  38.     #public $allowed_modifiers = array('escape:"htmlall"');
    39. 

  39. 

  40.     // This allows the fetch() and include calls to pull .tpl files from any directory,
    41. 

  41.     // so that symlinked plugin directories outside the s9y path can be included properly.
    42. 

  42.     // TODO / FUTURE: If Smarty will implement a separation option to dissect fetch() from
    43. 

  43.     // {include} calls, we should only apply this workaround to fetch() calls.
    44. 

  44.     // Redirecting fetch() as our custom function is too risky and has too high a performance
    45. 

  45.     // impact.
    46. 

  46.     public function isTrustedResourceDir($path, $isConfig = NULL) {
    47. 

  47.         return true;
    48. 

  48.     }
    49. 

  49. 

  50.     public static function test()
    51. 

  51.       {
    52. 

  52.         var_dump(get_called_class());
    53. 

  53.       }
    54. 

  54.   }
    55. 

  55. 

  56. // Create a wrapper class extended from Smarty
    57. 

  57. class Serendipity_Smarty extends Smarty
    58. 

  58.   {
    59. 

  59.     // bc mode for plugins Smarty2 compat INCLUDE_ANY fetch() calls - to avoid an undefinied property error.
    60. 

  60.     public $security_settings = false;
    61. 

  61. 

  62. 

  63.     public function __set($name, $value) {
    64. 

  64.         if ($name == 'security') {
    65. 

  65.             if ($value) {
    66. 

  66.                  $this->enableSecurity('Serendipity_Smarty_Security_Policy');
    67. 

  67.             } else {
    68. 

  68.                  $this->disableSecurity();
    69. 

  69.             }
    70. 

  70.         } else {
    71. 

  71.             parent::__set($name, $value);
    72. 

  72.         }
    73. 

  73.     }
    74. 

  74. 

  75.     /**
    76. 

  76.      * It is often helpful to access the Smarty object from anywhere in your code, e.g in Plugins.
    77. 

  77.      * Enables the Smarty object by instance always. The singleton pattern ensures that there is only one instance of the object available.
    78. 

  78.      * To obtain an instance of this class use:
    79. 

  79.      * $serendipity['smarty'] = Serendipity_Smarty::getInstance();
    80. 

  80.      * The first time this is called a new instance will be created. Thereafter, the same instance is handed back.
    81. 

  81.      **/
    82. 

  82.     public static function getInstance($newInstance = null)
    83. 

  83.       {
    84. 

  84.         static $instance = null;
    85. 

  85.         if(isset($newInstance)) {
    86. 

  86.             $instance = $newInstance;
    87. 

  87.         }
    88. 

  88.         if ( $instance == null ) {
    89. 

  89.             $instance = new Serendipity_Smarty();
    90. 

  90.         }
    91. 

  91.         return $instance;
    92. 

  92.       }
    93. 

  93. 

  94.     public function __construct()
    95. 

  95.       {
    96. 

  96.         // Class Constructor. These automatically get set with each new instance.
    97. 

  97.         parent::__construct();
    98. 

  98. 

  99.         // call the objects initialization parameters
    100. 

  100.         self::setParams();
    101. 

  101.     }
    102. 

  102. 

  103.     // smarty (3.1.x) object main parameter setup
    104. 

  104.     private function setParams()
    105. 

  105.       {
    106. 

  106.         global $serendipity;
    107. 

  107. 

  108.         // some documentary from the smarty forum
    109. 

  109.         /*
    110. 

  110.            Addressing a specific $template_dir (see 3.1 release notes)
    111. 

    112. 

  112.            Smarty 3.1 introduces the $template_dir index notation.
    113. 

  113.            $smarty->fetch('[foo]bar.tpl') and {include file="[foo]bar.tpl"} require the template bar.tpl to be loaded from $template_dir['foo'];
    114. 

  114.            Smarty::setTemplateDir() and Smarty::addTemplateDir() offer ways to define indexes along with the actual directories.
    115. 

  115.         */
    116. 

  116. 

  117.         /*  +++++++++++++++++++++++++++++++++++++++++++
    118. 

  118.            Set all directory setters
    119. 

  119.            Smarty will always use the first template found in order of the given array. Move the least significant directory to the end.
    120. 

  120.         */
    121. 

  121. 

  122.         $template_engine = serendipity_get_config_var('template_engine');
    123. 

  123.         $template_dirs   = array();
    124. 

  124.         
    125. 

  125.         // first add template path
    126. 

  126.         $template_dirs[] = $serendipity['serendipityPath'] . $serendipity['templatePath'] . ($serendipity['template'] ?? null);
    127. 

  127.         // then fallback engines (which should never be a comma separated list)
    128. 

  128.         if ($template_engine) {
    129. 

  129.             $p = explode(',', $template_engine);
    130. 

  130.             foreach($p AS $te) {
    131. 

  131.                 $template_dirs[] = $serendipity['serendipityPath'] . $serendipity['templatePath'] . trim($te) . '/';
    132. 

  132.             }
    133. 

  133.         }
    134. 

  134.         $template_dirs[] = $serendipity['serendipityPath'] . $serendipity['templatePath'] . $serendipity['defaultTemplate'];
    135. 

  135.         $template_dirs[] = $serendipity['serendipityPath'] . $serendipity['templatePath'] . $serendipity['template_backend'];
    136. 

  136. 

  137.         // add secure dir to template path, in case engine did have entries
    138. 

  138.         if (S9Y_TEMPLATE_SECUREDIR != $serendipity['serendipityPath'] . $serendipity['templatePath']) {
    139. 

  139.             $template_dirs[] = S9Y_TEMPLATE_SECUREDIR;
    140. 

  140.         }
    141. 

  141. 

  142.         // disable plugin dir as added template dir is not advised, if set security is enabled (backend & frontend need access to fetch plugin templates)
    143. 

  143.         $template_dirs[] = $serendipity['serendipityPath'] . 'plugins';
    144. 

  144.         // add default template to addTemplate array, if not already set in engine
    145. 

  145.         $template_dirs[] = S9Y_TEMPLATE_FALLBACK;
    146. 

  146. 

  147.         $this->setTemplateDir($template_dirs);
    148. 

  148. 

  149.         if (defined('S9Y_DATA_PATH')) {
    150. 

  150.             $this->setCompileDir(S9Y_DATA_PATH . PATH_SMARTY_COMPILE);
    151. 

  151.         } else {
    152. 

  152.             $this->setCompileDir($serendipity['serendipityPath'] . PATH_SMARTY_COMPILE);
    153. 

  153.         }    
    154. 

  154. 

  155.         $this->setConfigDir(array(S9Y_TEMPLATE_USERDEFAULT));
    156. 

  156. 

  157.         if ( ( !is_dir($this->getCompileDir()) || !is_writable($this->getCompileDir()) ) && IS_installed === true) {
    158. 

  158.             if(ini_get('display_errors') == 0 || ini_get('display_errors') == 'off') printf(DIRECTORY_WRITE_ERROR, $this->getCompileDir());
    159. 

  159.             trigger_error(sprintf(DIRECTORY_WRITE_ERROR, $this->getCompileDir()), E_USER_ERROR);
    160. 

  160.         }
    161. 

  161. 

  162. 

  163.         /*
    164. 

  164.             here we go with our other Smarty class properties, which can all be called by their property name (recommended)
    165. 

  165.             $smarty->use_sub_dirs = true; or by $smarty->setUseSubDirs(true); and echo $smarty->getUseSubDirs();
    166. 

  166.             as the latter's would run through an internal __call() wrapper function.
    167. 

  167.             Note: rodneyrehm - From within the Smarty class context you can safely access properties like Smarty::$use_sub_dirs directly.
    168. 

  168.         */
    169. 

  169. 

  170. 

  171.         /*  +++++++++++++++++++++++++++++++++++
    172. 

  172.             Set Smarty caching - outsourced to README_SMARTY_CACHING_PURPOSES.txt
    173. 

  173.             Not usable in Serendipity with current template structure!
    174. 

  174.         */
    175. 

  175. 

  176.         /*  ++++++++++++++++++++++++++++++++++++++++++++++
    177. 

  177.             Set all other needed Smarty class properties
    178. 

  178.         */
    179. 

  179. 

  180.         #$this->merge_compiled_includes = true; // $this->setMergeCompiledIncludes(true);  // With this option the subtemplate code is stored together with the calling template.
    181. 

  181. 

  182.         // default here to be overwritten by $serendipity['production'] == 'debug' - see below!
    183. 

  183.         $this->debugging = false; // $this->setDebugging(false);
    184. 

  184. 

  185.         // Smarty will create subdirectories under the compiled templates and cache directories if $use_sub_dirs is set to TRUE, default is FALSE.
    186. 

  186.         $this->use_sub_dirs = ( ini_get('safe_mode') ? false : true ); // $this->setUseSubDirs(false); // cache and compile dir only
    187. 

  187. 

  188.         // Smarty should update the cache files automatically if $smarty->compile_check is true.
    189. 

  189.         $this->compile_check = true; // $this->setCompileCheck(true);
    190. 

  190.             #$this->compile_check = COMPILECHECK_OFF (false) - template files will not be checked
    191. 

  191.             #$this->compile_check = COMPILECHECK_ON (true)   - template files will always be checked
    192. 

  192.             #$this->compile_check = COMPILECHECK_CACHEMISS   - template files will be checked, if caching is enabled and there is no existing cache file, or it has expired
    193. 

  193.         /*
    194. 

  194.             Note: rodneyrehm
    195. 

  195.             If you actually manage to build a page from a single template (with inclusions and plugins and stuff)
    196. 

  196.             in a way that allows smarty to do 304 handling - or implement the serve-stale-while-update approach,
    197. 

  197.             you should go with CACHEMISS.
    198. 

  198.         */
    199. 

  199.         $this->compile_id    = &$serendipity['template']; // $this->setCompileId(&$serendipity['template'])
    200. 

  200.         /*
    201. 

  201.             Note: rodneyrehm
    202. 

  202.             Please only specify the compile_id if you really need to.
    203. 

  203.             That means if you pre-process templates for say internationalization.
    204. 

  204.             Otherwise you don't need this and are better off ignoring it (performance-wise).
    205. 

  205.         */
    206. 

  206.         $this->config_overwrite = true; // $this->setConfigOverwrite(true);
    207. 

  207. 

  208.         // production == debug extends from s9y version information (alpha|beta|cvs) is always debug | USE ===
    209. 

  209.         if ($serendipity['production'] === 'debug') {
    210. 

  210.             $this->force_compile   = true;   // $this->setForceCompile(true);
    211. 

  211.             $this->caching         = false;  // $this->setCaching(false);
    212. 

  212.             $this->debugging       = true;   // $this->setDebugging(true);
    213. 

  213.         }
    214. 

  214. 

  215.         // set smarty error reporting. General error_reporting is set in serendipity/serendipity_config.inc.php
    216. 

  216.         $this->error_reporting = E_ALL & ~(E_NOTICE|E_STRICT);
    217. 

  217. 

  218.         // we use our own error_handler and get in conflicts with smarty?
    219. 

  219.         // $this->muteExpectedErrors();
    220. 

  220.     }
    221. 

  221. 

  222.     /*
    223. 

  223.         Note: Ian
    224. 

  224.         These BC methods are to be kept as long as not converted to new syntax in additional plugins
    225. 

  225.         Search "$serendipity['smarty']->register_" (11 hits in 6 files) in additional_plugins
    226. 

  226.         serendipity_event_communityrating.php, serendipity_event_customarchive.php, serendipity_event_microformats.php,
    227. 

  227.         serendipity_event_multilingual.php, serendipity_event_smartymarkup.php, serendipity_event_staticpage.php
    228. 

  228.     */
    229. 

  229. 

  230.     /**
    231. 

  231.      * Registers custom function to be used in templates - BC mode Smarty 2 -> 3
    232. 

  232.      *
    233. 

  233.      * @param string $function      the name of the template function
    234. 

  234.      * @param string $function_impl the name of the PHP function to register
    235. 

  235.      * @param bool   $cacheable
    236. 

  236.      * @param mixed  $cache_attrs
    237. 

  237.      */
    238. 

  238.     public function register_function($function, $function_impl, $cacheable=true, $cache_attrs=null)
    239. 

  239.      {
    240. 

  240.         $this->registerPlugin('function', $function, $function_impl, $cacheable, $cache_attrs);
    241. 

  241.      }
    242. 

  242. 

  243.     /**
    244. 

  244.      * Registers modifier to be used in templates - BC mode Smarty 2 -> 3
    245. 

  245.      *
    246. 

  246.      * @param string $modifier name of template modifier
    247. 

  247.      * @param string $modifier_impl name of PHP function to register
    248. 

  248.      */
    249. 

  249.     public function register_modifier($modifier, $modifier_impl)
    250. 

  250.      {
    251. 

  251.         $this->registerPlugin('modifier', $modifier, $modifier_impl);
    252. 

  252.      }
    253. 

  253. 

  254.     /**
    255. 

  255.      * Registers a resource to fetch a template - BC mode Smarty 2 -> 3
    256. 

  256.      *
    257. 

  257.      * @param string $type      name of resource
    258. 

  258.      * @param array  $functions array of functions to handle resource
    259. 

  259.      */
    260. 

  260.     public function register_resource($type, $functions)
    261. 

  261.      {
    262. 

  262.         $this->registerResource($type, $functions);
    263. 

  263.      }
    264. 

  264. 

  265.     /**
    266. 

  266.      * wrapper for assign_by_ref - BC mode Smarty 2 -> 3 (Serendipity core uses assignByRef already - and nearly no occurrences in additional plugins)
    267. 

  267.      *
    268. 

  268.      * @param string $tpl_var the template variable name
    269. 

  269.      * @param mixed  &$value  the referenced value to assign
    270. 

  270.      */
    271. 

  271.     public function assign_by_ref($tpl_var, &$value)
    272. 

  272.     {
    273. 

  273.         $this->assignByRef($tpl_var, $value);
    274. 

  274.     }
    275. 

  275. 

  276.     /**
    277. 

  277.      * Returns an array containing template variables- BC mode Smarty 2 -> 3
    278. 

  278.      *
    279. 

  279.      * @param string $name
    280. 

  280.      * @return array
    281. 

  281.      */
    282. 

  282.     public function get_template_vars($name=null)
    283. 

  283.     {
    284. 

  284.         return $this->getTemplateVars($name);
    285. 

  285.     }
    286. 

  286. 

  287.     public static function test()
    288. 

  288.       {
    289. 

  289.         var_dump(get_called_class());
    290. 

  290.       }
    291. 

  291.   }
    292. 

  292. 

  293.