首页 发现 帮助
登录
Ceata
/
sondaje
关注 2
点赞 0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 8bef301993
分支列表 标签列表
sondaje
/
smarty
/
sysplugins
/
smarty_internal_security_handler.php

smarty_internal_security_handler.php 4.9 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. <?php
    2. 

  2. /**
    3. 

  3. * Smarty Internal Plugin Security Handler
    4. 

  4. * 
    5. 

  5. * @package Smarty
    6. 

  6. * @subpackage Security
    7. 

  7. * @author Uwe Tews 
    8. 

  8. */
    9. 

  9. /**
    10. 

  10. * This class contains all methods for security checking
    11. 

  11. */
    12. 

  12. class Smarty_Internal_Security_Handler {
    13. 

  13.     function __construct($smarty)
    14. 

  14.     {
    15. 

  15.         $this->smarty = $smarty;
    16. 

  16.     } 
    17. 

  17.     /**
    18. 

  18.     * Check if PHP function is trusted.
    19. 

  19.     * 
    20. 

  20.     * @param string $function_name 
    21. 

  21.     * @param object $compiler compiler object
    22. 

  22.     * @return boolean true if function is trusted
    23. 

  23.     */
    24. 

  24.     function isTrustedPhpFunction($function_name, $compiler)
    25. 

  25.     {
    26. 

  26.         if (empty($this->smarty->security_policy->php_functions) || in_array($function_name, $this->smarty->security_policy->php_functions)) {
    27. 

  27.             return true;
    28. 

  28.         } else {
    29. 

  29.             $compiler->trigger_template_error ("PHP function '{$function_name}' not allowed by security setting");
    30. 

  30.             return false;
    31. 

  31.         } 
    32. 

  32.     } 
    33. 

  33. 

  34.     /**
    35. 

  35.     * Check if static class is trusted.
    36. 

  36.     * 
    37. 

  37.     * @param string $class_name 
    38. 

  38.     * @param object $compiler compiler object
    39. 

  39.     * @return boolean true if class is trusted
    40. 

  40.     */
    41. 

  41.     function isTrustedStaticClass($class_name, $compiler)
    42. 

  42.     {
    43. 

  43.         if (empty($this->smarty->security_policy->static_classes) || in_array($class_name, $this->smarty->security_policy->static_classes)) {
    44. 

  44.             return true;
    45. 

  45.         } else {
    46. 

  46.             $compiler->trigger_template_error ("access to static class '{$class_name}' not allowed by security setting");
    47. 

  47.             return false;
    48. 

  48.         } 
    49. 

  49.     } 
    50. 

  50.     /**
    51. 

  51.     * Check if modifier is trusted.
    52. 

  52.     * 
    53. 

  53.     * @param string $modifier_name 
    54. 

  54.     * @param object $compiler compiler object
    55. 

  55.     * @return boolean true if modifier is trusted
    56. 

  56.     */
    57. 

  57.     function isTrustedModifier($modifier_name, $compiler)
    58. 

  58.     {
    59. 

  59.         if (empty($this->smarty->security_policy->modifiers) || in_array($modifier_name, $this->smarty->security_policy->modifiers)) {
    60. 

  60.             return true;
    61. 

  61.         } else {
    62. 

  62.             $compiler->trigger_template_error ("modifier '{$modifier_name}' not allowed by security setting");
    63. 

  63.             return false;
    64. 

  64.         } 
    65. 

  65.     } 
    66. 

  66.     /**
    67. 

  67.     * Check if stream is trusted.
    68. 

  68.     * 
    69. 

  69.     * @param string $stream_name 
    70. 

  70.     * @param object $compiler compiler object
    71. 

  71.     * @return boolean true if stream is trusted
    72. 

  72.     */
    73. 

  73.     function isTrustedStream($stream_name)
    74. 

  74.     {
    75. 

  75.         if (empty($this->smarty->security_policy->streams) || in_array($stream_name, $this->smarty->security_policy->streams)) {
    76. 

  76.             return true;
    77. 

  77.         } else {
    78. 

  78.             throw new Exception ("stream '{$stream_name}' not allowed by security setting");
    79. 

  79.             return false;
    80. 

  80.         } 
    81. 

  81.     } 
    82. 

  82. 

  83.     /**
    84. 

  84.     * Check if directory of file resource is trusted.
    85. 

  85.     * 
    86. 

  86.     * @param string $filepath 
    87. 

  87.     * @param object $compiler compiler object
    88. 

  88.     * @return boolean true if directory is trusted
    89. 

  89.     */
    90. 

  90.     function isTrustedResourceDir($filepath)
    91. 

  91.     {
    92. 

  92.         $_rp = realpath($filepath);
    93. 

  93.         if (isset($this->smarty->template_dir)) {
    94. 

  94.             foreach ((array)$this->smarty->template_dir as $curr_dir) {
    95. 

  95.                 if (($_cd = realpath($curr_dir)) !== false &&
    96. 

  96.                         strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    97. 

  97.                         (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
    98. 

  98.                     return true;
    99. 

  99.                 } 
    100. 

  100.             } 
    101. 

  101.         } 
    102. 

  102.         if (!empty($this->smarty->security_policy->secure_dir)) {
    103. 

  103.             foreach ((array)$this->smarty->security_policy->secure_dir as $curr_dir) {
    104. 

  104.                 if (($_cd = realpath($curr_dir)) !== false) {
    105. 

  105.                     if ($_cd == $_rp) {
    106. 

  106.                         return true;
    107. 

  107.                     } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    108. 

  108.                             (strlen($_rp) == strlen($_cd) || substr($_rp, strlen($_cd), 1) == DS)) {
    109. 

  109.                         return true;
    110. 

  110.                     } 
    111. 

  111.                 } 
    112. 

  112.             } 
    113. 

  113.         } 
    114. 

  114. 

  115.         throw new Exception ("directory '{$_rp}' not allowed by security setting");
    116. 

  116.         return false;
    117. 

  117.     } 
    118. 

  118.     /**
    119. 

  119.     * Check if directory of file resource is trusted.
    120. 

  120.     * 
    121. 

  121.     * @param string $filepath 
    122. 

  122.     * @param object $compiler compiler object
    123. 

  123.     * @return boolean true if directory is trusted
    124. 

  124.     */
    125. 

  125.     function isTrustedPHPDir($filepath)
    126. 

  126.     {
    127. 

  127.         $_rp = realpath($filepath);
    128. 

  128.         if (!empty($this->smarty->security_policy->trusted_dir)) {
    129. 

  129.             foreach ((array)$this->smarty->security_policy->trusted_dir as $curr_dir) {
    130. 

  130.                 if (($_cd = realpath($curr_dir)) !== false) {
    131. 

  131.                     if ($_cd == $_rp) {
    132. 

  132.                         return true;
    133. 

  133.                     } elseif (strncmp($_rp, $_cd, strlen($_cd)) == 0 &&
    134. 

  134.                             substr($_rp, strlen($_cd), 1) == DS) {
    135. 

  135.                         return true;
    136. 

  136.                     } 
    137. 

  137.                 } 
    138. 

  138.             } 
    139. 

  139.         } 
    140. 

  140. 

  141.         throw new Exception ("directory '{$_rp}' not allowed by security setting");
    142. 

  142.         return false;
    143. 

  143.     } 
    144. 

  144. } 
    145. 

  145. 

  146. ?>
    147.