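/**
  * Check that a template only uses PHP constructs from the allowlist.
  *
  * Tokenizes the template file with PHPCodeAnalyzer and compares every called
  * construct against $this->config['allowedConstructs']. Construct names outside
  * the allowlist are appended to $this->disallowedItems.
  *
  * @param string $template path of the template file (kept by reference to
  *                         preserve the original signature; it is not modified)
  * @return bool true when every construct is allowed; false when at least one
  *              construct was rejected or the template could not be read
  */
 private function analyze(&$template)
 {
     include_once SMART_BASE_DIR . "smart/includes/phpca/PHPCodeAnalyzer.php";
     $source = file_get_contents($template);
     // An unreadable template used to be analyzed as an empty source and thus
     // reported as valid; fail closed instead.
     if ($source === false) {
         return false;
     }
     $analyzer = new PHPCodeAnalyzer();
     $analyzer->source = $source;
     $analyzer->analyze();
     $is_valid = true;
     foreach (array_keys((array) $analyzer->calledConstructs) as $construct) {
         // Strict comparison: with loose in_array() an integer array key
         // compares equal to any non-numeric allowlist entry on PHP < 8.
         if (!in_array($construct, $this->config['allowedConstructs'], true)) {
             $this->disallowedItems[] = $construct;
             $is_valid = false;
         }
     }
     return $is_valid;
 }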
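 /**
  * Check that a view only uses allowed PHP constructs and no disallowed variables.
  *
  * Tokenizes the view file with PHPCodeAnalyzer, then:
  *   - rejects every called construct that is missing from the
  *     'allowedConstructs' allowlist ($this->config), and
  *   - rejects every used variable that is listed in the 'disallowedVariables'
  *     denylist ($this->model->config). Variables not on that list pass, so
  *     the list has to be kept complete.
  * Rejected names are appended to $this->disallowedItems.
  *
  * NOTE(review): the two lists are read from different config objects
  * ($this->config vs. $this->model->config) — confirm that this is intended.
  *
  * @param string $view path of the view file (kept by reference to preserve
  *                     the original signature; it is not modified)
  * @return bool true when nothing was rejected; false when a name was rejected
  *              or the view could not be read
  */
 private function analyze(&$view)
 {
     include_once JAPA_LIBRARY_DIR . "japa/phpca/PHPCodeAnalyzer.php";
     $source = file_get_contents($view);
     // An unreadable view used to be analyzed as an empty source and thus
     // reported as valid; fail closed instead.
     if ($source === false) {
         return false;
     }
     $analyzer = new PHPCodeAnalyzer();
     $analyzer->source = $source;
     $analyzer->analyze();
     $is_valid = true;

     // Allowlist: anything not listed is rejected.
     $allowed_constructs = (array) $this->config->getVar('allowedConstructs');
     foreach (array_keys((array) $analyzer->calledConstructs) as $construct) {
         if (!in_array($construct, $allowed_constructs, true)) {
             $this->disallowedItems[] = $construct;
             $is_valid = false;
         }
     }

     // Denylist: only listed variable names are rejected.
     $disallowed_variables = (array) $this->model->config->getVar('disallowedVariables');
     foreach (array_keys((array) $analyzer->usedVariables) as $variable) {
         if (in_array($variable, $disallowed_variables, true)) {
             $this->disallowedItems[] = $variable;
             $is_valid = false;
         }
     }
     return $is_valid;
 }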
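 /**
  * Assert that the compiled template only uses code the template policy allows.
  *
  * The compiled source in $this->_options['code'] is tokenized with
  * PHPCodeAnalyzer and every construct, variable, function, class and method
  * it uses is checked against the policy held in $this->_options:
  *   - 'forbidden_constructs', 'forbidden_variables', 'forbidden_methods' are
  *     denylists (defaults: the include/require family, every global and local
  *     variable name known here, and none respectively);
  *   - 'constructs', 'variables', 'functions', 'classes', 'methods' are
  *     allowlists subtracted from the findings of the same type;
  *   - class and function definitions, file inclusion, object instantiation,
  *     the "${" syntax, "$_"-prefixed variables and "_"-prefixed methods are
  *     always rejected.
  *
  * @return bool true when the template passed. On a violation the function
  *              echoes an HTML report and dies when AK_DEBUG is set; otherwise
  *              it raises E_USER_ERROR and returns false.
  */
 function _assertForValidTemplate()
 {
     $_invalid = array();
     $_errors = array();
     $_protected_types = array('constructs', 'variables', 'functions', 'classes', 'methods');
     require_once AK_CONTRIB_DIR . DS . 'PHPCodeAnalyzer' . DS . 'PHPCodeAnalyzer.php';
     $_analyzer = new PHPCodeAnalyzer();
     // The compiled template starts in inline-HTML mode, so it is wrapped in
     // '?>' ... '<?php' for the tokenizer to see it the way the engine would.
     $_analyzer->source = '?>' . $this->_options['code'] . '<?php';
     $_analyzer->analyze();

     if (strstr($this->_options['code'], '${')) {
         $_errors[] = Ak::t('You can\'t use ${ within templates');
     }
     if (!empty($_analyzer->createdClasses)) {
         $_errors[] = Ak::t('You can\'t create classes within templates');
     }
     if (!empty($_analyzer->createdFunctions)) {
         $_errors[] = Ak::t('You can\'t create functions within templates');
     }
     if (!empty($_analyzer->filesIncluded)) {
         $_errors[] = Ak::t('You can\'t include files within templates using PHP include or require please use $this->render() instead');
     }
     if (!empty($_analyzer->classesInstantiated)) {
         $_errors[] = Ak::t('You can\'t instantiate classes within templates');
     }

     // Closures replace create_function(), which compiled its string body with
     // eval() and was removed in PHP 8.0. Variable names are kept so that the
     // get_defined_vars() snapshot below stays the same as before.
     $_add_dollar_function = function ($_var) {
         $_var = (string) $_var;
         return ($_var !== '' && $_var[0] === '$') ? $_var : '$' . $_var;
     };
     $_is_private_var = function ($_var) {
         $_var = (string) $_var;
         return isset($_var[1]) && $_var[1] === '_';
     };

     // Default variable denylist: every global plus every local defined so far
     // in this function. get_defined_vars() is called here on purpose, before
     // the analysis results are unpacked into further locals.
     $_forbidden['variables'] = empty($this->_options['forbidden_variables'])
         ? array_unique(array_merge(array_keys($GLOBALS), array_keys(get_defined_vars())))
         : $this->_options['forbidden_variables'];
     // array_map() returns a new array; the original discarded it, so the '$'
     // prefix was never applied and the denylist could not match the names the
     // analyzer reports (which appear to be '$'-prefixed, cf. the
     // $_var[1] === '_' test above — TODO confirm against PHPCodeAnalyzer).
     $_forbidden['variables'] = array_map($_add_dollar_function, $_forbidden['variables']);

     // Constructs: used ∩ forbidden.
     $_used_constructs = array_keys((array) $_analyzer->calledConstructs);
     $_forbidden['constructs'] = empty($this->_options['forbidden_constructs'])
         ? array('include', 'include_once', 'require', 'require_once')
         : $this->_options['forbidden_constructs'];
     $_invalid['constructs'] = array_intersect($_used_constructs, $_forbidden['constructs']);

     // Variables: used ∩ (forbidden ∪ private "$_..." names).
     $_used_vars = array_keys((array) $_analyzer->usedVariables);
     $_forbidden['variables'] = array_merge($_forbidden['variables'], array_filter($_used_vars, $_is_private_var));
     $_invalid['variables'] = array_intersect($_used_vars, $_forbidden['variables']);

     // Functions: called functions and constructs ∩ forbidden functions.
     $_called_functions = isset($_analyzer->calledFunctions) ? (array) $_analyzer->calledFunctions : array();
     $_used_functions = array_merge(array_keys($_called_functions), $_used_constructs);
     $_forbidden['functions'] = array_merge($this->getForbiddenFunctions(), $this->_getFuntionsAsVariables($_used_functions));
     $_invalid['functions'] = array_intersect($_used_functions, $_forbidden['functions']);

     // Classes: every class called statically that is not explicitly allowed.
     $_static_calls = isset($_analyzer->calledStaticMethods) ? (array) $_analyzer->calledStaticMethods : array();
     $_allowed_classes = isset($this->_options['classes']) ? (array) $this->_options['classes'] : array();
     $_invalid['classes'] = array_diff(array_keys($_static_calls), $_allowed_classes);

     // Methods: "_"-prefixed (private by convention) or explicitly forbidden.
     $_instance_calls = isset($_analyzer->calledMethods) ? (array) $_analyzer->calledMethods : array();
     $_forbidden['methods'] = isset($this->_options['forbidden_methods']) ? (array) $this->_options['forbidden_methods'] : array();
     $_invalid['methods'] = array();
     foreach (array_merge($_static_calls, $_instance_calls) as $_class_name => $_method_calls) {
         $_class_name = (string) $_class_name;
         // Keys starting with '$' are object variables ("$obj->m"), the rest
         // are class names ("Class::m").
         $_separator = (isset($_class_name[0]) && $_class_name[0] === '$') ? '->' : '::';
         foreach (array_keys((array) $_method_calls) as $_method_call) {
             if (empty($_method_call)) {
                 continue;
             }
             $_method_call = (string) $_method_call;
             $_method_name = $_class_name . $_separator . $_method_call;
             if ($_method_call[0] === '_' || in_array($_method_name, $_forbidden['methods'], true)) {
                 $_invalid['methods'][] = $_method_name;
             }
         }
     }

     foreach ($_protected_types as $_type) {
         if (empty($_invalid[$_type])) {
             continue;
         }
         // Names explicitly allowed via $this->_options[$_type] are not reported.
         if (isset($this->_options[$_type])) {
             $_invalid[$_type] = array_diff($_invalid[$_type], (array) $this->_options[$_type]);
         }
         if (empty($_invalid[$_type])) {
             continue;
         }
         // The original discarded the array_unique() result, so duplicates were listed.
         $_invalid[$_type] = array_unique($_invalid[$_type]);
         sort($_invalid[$_type]);
         $_errors[] = Ak::t('You can\'t use the following %type within templates:', array('%type' => Ak::t($_type))) . ' ' . join(', ', $_invalid[$_type]);
     }

     if (empty($_errors)) {
         return true;
     }
     if (AK_DEBUG) {
         // The report is HTML; the messages carry identifiers taken from the
         // template under review, so they are escaped like the source dump.
         $_escape = function ($_text) {
             return htmlentities($_text);
         };
         $_file_path = $this->_options['file_path'];
         echo '<h1>' . Ak::t('Template %template_file security error', array('%template_file' => $_escape($_file_path))) . ':</h1>'
             . '<ul><li>' . join("</li>\n<li>", array_map($_escape, $_errors)) . "</li></ul><hr />\n"
             . '<h2>' . Ak::t('Showing template source from %file:', array('%file' => $_escape($_file_path))) . '</h2>'
             . '<pre>' . htmlentities(Ak::file_get_contents($_file_path)) . '</pre><hr />'
             . '<h2>' . Ak::t('Showing compiled template source:') . '</h2>'
             . highlight_string($this->_options['code'], true);
         die;
     }
     trigger_error(Ak::t('Template compilation error'), E_USER_ERROR);
     return false;
 }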