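 /**
  * Build the Tiki Smarty security policy.
  *
  * Extends Smarty's default policy with three admin-editable preferences
  * (smarty_security_functions, smarty_security_modifiers, smarty_security_dirs)
  * and registers the configured CDN hosts (tiki_cdn, tiki_cdn_ssl) as trusted
  * URIs.
  *
  * NOTE(security): the preference-driven lists *extend* the allowlist of PHP
  * functions and modifiers that template code may call. Whatever an
  * administrator adds there becomes callable from templates, so these
  * preferences are part of the trust boundary rather than cosmetic settings.
  *
  * @param Smarty $smarty
  */
 function __construct($smarty)
 {
     if (class_exists("TikiLib")) {
         $tikilib = TikiLib::lib('tiki');
     }
     parent::__construct($smarty);
     $functions = array();
     $modifiers = array();
     $dirs = array();
     // Under phpunit and on the command line the preference layer is not
     // bootstrapped yet, so only the built-in lists below apply.
     if (isset($tikilib) && method_exists($tikilib, "get_preference")) {
         $functions = array_filter($tikilib->get_preference('smarty_security_functions', array(), true));
         $modifiers = array_filter($tikilib->get_preference('smarty_security_modifiers', array(), true));
         $dirs = array_filter($tikilib->get_preference('smarty_security_dirs', array(), true));
         // Whitespace-separated host lists; array_filter drops the empty
         // string preg_split yields for an unset preference.
         $cdns = preg_split('/\\s+/', $tikilib->get_preference('tiki_cdn', ''));
         $cdns_ssl = preg_split('/\\s+/', $tikilib->get_preference('tiki_cdn_ssl', ''));
         $cdn_uri = array_filter(array_merge($cdns, $cdns_ssl));
         foreach ($cdn_uri as $uri) {
             // preg_quote must be told the delimiter: a literal '#' in a CDN
             // value would otherwise terminate the pattern early (invalid
             // regex or a wrong match). The pattern is anchored at the end
             // only, so a bare host such as "cdn.example.com" also matches
             // "https://evilcdn.example.com". NOTE(review): Smarty appears to
             // test this against scheme://host; storing the preference with
             // its scheme or a leading "//" avoids such suffix matches — confirm.
             $this->trusted_uri[] = '#' . preg_quote($uri, '#') . '$#';
         }
     }
     // Built-in allowlists first, preference entries appended. 'ereg' no
     // longer exists in PHP 7+ and is kept only for list compatibility.
     $this->php_modifiers = array_merge(array('nl2br', 'escape', 'count', 'addslashes', 'ucfirst', 'ucwords', 'urlencode', 'md5', 'implode', 'explode', 'is_array', 'htmlentities', 'var_dump', 'strip_tags', 'json_encode', 'stristr', 'tra'), $modifiers);
     $this->php_functions = array_merge(array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time', 'nl2br', 'tra', 'strlen', 'strstr', 'strtolower', 'basename', 'ereg', 'array_key_exists', 'preg_match', 'json_encode', 'stristr', 'is_numeric', 'array', 'zone_is_empty'), $functions);
     // Extra template directories trusted by the admin.
     $this->secure_dir = array_merge($this->secure_dir, $dirs);
 }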
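 /**
  * CMSMS Smarty security policy.
  *
  * NOTE(security): allow_php_tag is driven by the 'use_smarty_php_tags' config
  * entry. When it is enabled, {php} blocks in templates execute arbitrary PHP,
  * so every template author is effectively granted code execution on the
  * server; keep it disabled unless that is intended.
  *
  * The function allowlist also exposes file_exists/is_file (filesystem
  * probing from templates) and print_r/var_dump (object dumps) — worth
  * knowing when deciding who may edit templates.
  *
  * @param Smarty $smarty
  */
 public function __construct($smarty)
 {
     parent::__construct($smarty);
     $config = cmsms()->GetConfig();
     // Normalise to a strict bool and tolerate a missing key (defaults to
     // disabled, no notice) instead of storing the raw config value.
     $this->allow_php_tag = !empty($config['use_smarty_php_tags']);
     $this->php_functions = array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time', 'lang', 'nl2br', 'file_exists', 'is_string', 'is_object', 'is_file', 'print_r', 'var_dump', 'htmlspecialchars', 'htmlspecialchars_decode');
 }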
 /**
  * Oxwall Smarty security policy: templates may only be loaded from the
  * theme, system-plugin and plugin directories, and only a minimal set of
  * PHP functions/modifiers is reachable from template code.
  *
  * @param Smarty $smarty
  */
 public function __construct($smarty)
 {
     parent::__construct($smarty);

     // Directories Smarty may read templates and includes from.
     $this->secure_dir = [OW_DIR_THEME, OW_DIR_SYSTEM_PLUGIN, OW_DIR_PLUGIN];

     // PHP callables allowed inside {...} expressions.
     $this->php_functions = [
         'array', 'list', 'isset', 'empty', 'count', 'sizeof',
         'in_array', 'is_array', 'true', 'false', 'null', 'strstr',
     ];
     $this->php_modifiers = ['count'];

     // No PHP constants and no $_GET/$_SERVER/... from templates.
     $this->allow_constants = false;
     $this->allow_super_globals = false;
     // NOTE(review): in Smarty an *empty array* here means "all static classes
     // allowed"; null is what disables static class access — confirm against
     // the bundled Smarty_Security::isTrustedStaticClass() before changing this.
     $this->static_classes = null;
 }
 /**
  * Enable template security on this Smarty instance.
  *
  * Thin wrapper over the static Smarty_Security::enableSecurity(), which
  * accepts either a class name (string) or a ready policy instance and
  * attaches it to $this.
  *
  * @param  string|Smarty_Security $security_class class name of, or an instance of, the policy
  *
  * @return Smarty                 $this, for chaining
  * @throws SmartyException        when an invalid class name is provided
  */
 public function enableSecurity($security_class = null)
 {
     Smarty_Security::enableSecurity($this, $security_class);

     return $this;
 }
 /**
  * Grammar action: static class access `Class::member` inside an expression.
  *
  * Two gates apply before PHP code is emitted:
  *   - `self` and `parent` are always rejected;
  *   - when a security policy is active, isTrustedStaticClassAccess() must
  *     approve the class/member pair. Without a policy (`!$this->security`)
  *     any static class is reachable from template code.
  * A class registered via registerClass() is emitted under its real name.
  *
  * Generated parser rule — the grammar (.y) file is the source of truth.
  */
 function yy_r110()
 {
     $className = $this->yystack[$this->yyidx + -2]->minor;
     $member = $this->yystack[$this->yyidx + 0]->minor;

     // Order matters: the reserved-name check short-circuits so the policy is
     // never consulted for self/parent.
     $allowed = !in_array(strtolower($className), array('self', 'parent'), true)
         && (!$this->security || $this->security->isTrustedStaticClassAccess($className, $member, $this->compiler));

     if (!$allowed) {
         $this->compiler->trigger_template_error("static class '" . $className . "' is undefined or not allowed by security setting");
         return;
     }

     $memberCode = $member[0] . $member[1];
     if (isset($this->smarty->registered_classes[$className])) {
         $this->_retvalue = $this->smarty->registered_classes[$className] . '::' . $memberCode;
     } else {
         $this->_retvalue = $className . '::' . $memberCode;
     }
 }
 /**
  * Grammar action: a PHP function call `name(args)` inside a template expression.
  *
  * Gate: when a security policy is active, isTrustedPhpFunction() must accept
  * the name. Without a policy (`!$this->security`) any is_callable() PHP
  * function can be invoked from the template, i.e. template source is treated
  * as trusted code. isset/empty/array are language constructs (not callable),
  * so they are accepted by name instead.
  *
  * Special cases rewrite the compiled argument code so variable lookups inside
  * isset()/empty() do not raise "undefined" errors:
  *   - isset(): needs at least one argument; a config-variable lookup is
  *     hoisted into a prefix variable, other lookups get the extra
  *     (null, true, false) arguments.
  *   - empty/reset/current/end/prev/next: exactly one argument (the error
  *     text always says "empty()", even for the other five).
  * Anything else is emitted verbatim as `name(arg,arg,...)`.
  *
  * NOTE(review): if isTrustedPhpFunction() returns false without raising a
  * compiler error, _retvalue is left unset here — presumably it always raises;
  * confirm. Likewise the argument-count checks rely on trigger_template_error()
  * aborting compilation.
  *
  * Generated parser rule — the grammar (.y) file is the source of truth.
  */
 function yy_r155()
 {
     if (!$this->security || $this->security->isTrustedPhpFunction($this->yystack[$this->yyidx + -3]->minor, $this->compiler)) {
         if (strcasecmp($this->yystack[$this->yyidx + -3]->minor, 'isset') === 0 || strcasecmp($this->yystack[$this->yyidx + -3]->minor, 'empty') === 0 || strcasecmp($this->yystack[$this->yyidx + -3]->minor, 'array') === 0 || is_callable($this->yystack[$this->yyidx + -3]->minor)) {
             $func_name = strtolower($this->yystack[$this->yyidx + -3]->minor);
             if ($func_name == 'isset') {
                 if (count($this->yystack[$this->yyidx + -1]->minor) == 0) {
                     $this->compiler->trigger_template_error('Illegal number of paramer in "isset()"');
                 }
                 $par = implode(',', $this->yystack[$this->yyidx + -1]->minor);
                 // Config-variable lookup: evaluate it once into a prefix variable
                 // and isset() that. NOTE(review): str_replace(')', ...) rewrites
                 // *every* ')' in the argument code, not only the closing paren of
                 // _getConfigVariable() — nested calls would be mangled.
                 if (strncasecmp($par, '$_smarty_tpl->smarty->ext->_config->_getConfigVariable', strlen('$_smarty_tpl->smarty->ext->_config->_getConfigVariable')) === 0) {
                     $prefixVar = $this->compiler->getNewPrefixVariable();
                     $this->compiler->appendPrefixCode("<?php {$prefixVar}" . '=' . str_replace(')', ', false)', $par) . ';?>');
                     $isset_par = $prefixVar;
                 } else {
                     // Ordinary variable lookup: presumably switches the lookup to its
                     // non-erroring signature — verify against the variable getter.
                     $isset_par = str_replace("')->value", "',null,true,false)->value", $par);
                 }
                 $this->_retvalue = $this->yystack[$this->yyidx + -3]->minor . "(" . $isset_par . ")";
             } elseif (in_array($func_name, array('empty', 'reset', 'current', 'end', 'prev', 'next'))) {
                 if (count($this->yystack[$this->yyidx + -1]->minor) != 1) {
                     $this->compiler->trigger_template_error('Illegal number of paramer in "empty()"');
                 }
                 if ($func_name == 'empty') {
                     // Same lookup rewrite as the isset() case, on the single argument.
                     $this->_retvalue = $func_name . '(' . str_replace("')->value", "',null,true,false)->value", $this->yystack[$this->yyidx + -1]->minor[0]) . ')';
                 } else {
                     $this->_retvalue = $func_name . '(' . $this->yystack[$this->yyidx + -1]->minor[0] . ')';
                 }
             } else {
                 // Generic call: name and compiled arguments pass through untouched.
                 $this->_retvalue = $this->yystack[$this->yyidx + -3]->minor . "(" . implode(',', $this->yystack[$this->yyidx + -1]->minor) . ")";
             }
         } else {
             $this->compiler->trigger_template_error("unknown function \"" . $this->yystack[$this->yyidx + -3]->minor . "\"");
         }
     }
 }
 /**
  * Grammar action: an attribute whose value is a bare identifier (`attr=NAME`).
  *
  * If NAME is a defined PHP constant it is emitted as that constant, subject to
  * isTrustedConstant() when a security policy is active (the return value is
  * not inspected here — the check is expected to raise a compiler error on its
  * own). Otherwise NAME is emitted as a single-quoted string literal.
  *
  * NOTE(review): the literal branch does not escape quotes in NAME; this is
  * only safe if the lexer never lets a quote into this token — confirm.
  *
  * Generated parser rule — the grammar (.y) file is the source of truth.
  */
 function yy_r64()
 {
     $attrName = $this->yystack[$this->yyidx + -2]->minor;
     $rawValue = $this->yystack[$this->yyidx + 0]->minor;

     if (!defined($rawValue)) {
         // Not a constant: treat the identifier as a literal string.
         $this->_retvalue = [$attrName => "'" . $rawValue . "'"];
         return;
     }

     if ($this->security) {
         $this->security->isTrustedConstant($rawValue, $this->compiler);
     }
     $this->_retvalue = [$attrName => $rawValue];
 }
 /**
  * Add the directory containing this file to Smarty's secure_dir list, on top
  * of whatever the parent policy already permits.
  *
  * NOTE(security): secure_dir widens where templates may be loaded from, so
  * this file should not live under a path that untrusted users can write to.
  *
  * @param Smarty $smarty
  */
 public function __construct($smarty)
 {
     parent::__construct($smarty);
     // __DIR__ is equivalent to dirname(__FILE__).
     $this->secure_dir[] = __DIR__;
 }