aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/smarty/NEWS19
-rw-r--r--include/smarty/README2
-rw-r--r--include/smarty/libs/Config_File.class.php4
-rw-r--r--include/smarty/libs/Smarty.class.php33
-rw-r--r--include/smarty/libs/Smarty_Compiler.class.php90
-rw-r--r--include/smarty/libs/plugins/function.math.php3
6 files changed, 90 insertions, 61 deletions
diff --git a/include/smarty/NEWS b/include/smarty/NEWS
index 39c5f001b..cbab78f5a 100644
--- a/include/smarty/NEWS
+++ b/include/smarty/NEWS
@@ -1,3 +1,22 @@
+Version 2.6.26 (June 18th, 2009)
+-------------------------------
+- revert super global access changes, and instead rely on
+ USE_SUPER_GLOBALS for security
+
+Version 2.6.25 (May 19th, 2009)
+-------------------------------
+- fix E_NOTICE when sessions are disabled (mohrt)
+
+Version 2.6.24 (May 16th, 2009)
+-------------------------------
+- fix problem introduced with super global changes (mohrt)
+
+Version 2.6.23 (May 13th, 2009)
+-------------------------------
+- strip backticks from {math} equations (mohrt)
+- make PHP super globals read-only from template (mohrt)
+- throw error when template exists but not readable (mohrt)
+
Version 2.6.22 (Dec 17th, 2008)
-------------------------------
diff --git a/include/smarty/README b/include/smarty/README
index 13ff7609c..15992d09e 100644
--- a/include/smarty/README
+++ b/include/smarty/README
@@ -3,7 +3,7 @@ NAME:
Smarty - the PHP compiling template engine
-VERSION: 2.6.22
+VERSION: 2.6.26
AUTHORS:
diff --git a/include/smarty/libs/Config_File.class.php b/include/smarty/libs/Config_File.class.php
index 31b890750..5787ad15f 100644
--- a/include/smarty/libs/Config_File.class.php
+++ b/include/smarty/libs/Config_File.class.php
@@ -22,14 +22,14 @@
* smarty-discussion-subscribe@googlegroups.com
*
* @link http://www.smarty.net/
- * @version 2.6.22
+ * @version 2.6.26
* @copyright Copyright: 2001-2005 New Digital Group, Inc.
* @author Andrei Zmievski <andrei@php.net>
* @access public
* @package Smarty
*/
-/* $Id: Config_File.class.php 2786 2008-09-18 21:04:38Z Uwe.Tews $ */
+/* $Id: Config_File.class.php 3149 2009-05-23 20:59:25Z monte.ohrt $ */
/**
* Config file reading class
diff --git a/include/smarty/libs/Smarty.class.php b/include/smarty/libs/Smarty.class.php
index 8e56346f9..e7298f2ec 100644
--- a/include/smarty/libs/Smarty.class.php
+++ b/include/smarty/libs/Smarty.class.php
@@ -20,17 +20,17 @@
*
* For questions, help, comments, discussion, etc., please join the
* Smarty mailing list. Send a blank e-mail to
- * smarty-discussion-subscribe@googlegroups.com
+ * smarty-discussion-subscribe@googlegroups.com
*
* @link http://www.smarty.net/
* @copyright 2001-2005 New Digital Group, Inc.
* @author Monte Ohrt <monte at ohrt dot com>
* @author Andrei Zmievski <andrei@php.net>
* @package Smarty
- * @version 2.6.22
+ * @version 2.6.26
*/
-/* $Id: Smarty.class.php 2785 2008-09-18 21:04:12Z Uwe.Tews $ */
+/* $Id: Smarty.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */
/**
* DIR_SEP isn't used anymore, but third party apps might
@@ -107,7 +107,7 @@ class Smarty
/**
* When set, smarty does uses this value as error_reporting-level.
*
- * @var boolean
+ * @var integer
*/
var $error_reporting = null;
@@ -236,7 +236,8 @@ class Smarty
'INCLUDE_ANY' => false,
'PHP_TAGS' => false,
'MODIFIER_FUNCS' => array('count'),
- 'ALLOW_CONSTANTS' => false
+ 'ALLOW_CONSTANTS' => false,
+ 'ALLOW_SUPER_GLOBALS' => true
);
/**
@@ -464,7 +465,7 @@ class Smarty
*
* @var string
*/
- var $_version = '2.6.22';
+ var $_version = '2.6.26';
/**
* current template inclusion depth
@@ -1057,7 +1058,7 @@ class Smarty
} else {
// var non-existant, return valid reference
$_tmp = null;
- return $_tmp;
+ return $_tmp;
}
}
@@ -1116,7 +1117,7 @@ class Smarty
function fetch($resource_name, $cache_id = null, $compile_id = null, $display = false)
{
static $_cache_info = array();
-
+
$_smarty_old_error_level = $this->debugging ? error_reporting() : error_reporting(isset($this->error_reporting)
? $this->error_reporting : error_reporting() & ~E_NOTICE);
@@ -1303,12 +1304,6 @@ class Smarty
error_reporting($_smarty_old_error_level);
return;
} else {
- if ($this->debugging) {
- // capture time for debugging info
- $_params = array();
- require_once(SMARTY_CORE_DIR . 'core.get_microtime.php');
- $this->_smarty_debug_info[$_included_tpls_idx]['exec_time'] = (smarty_core_get_microtime($_params, $this) - $_debug_start_time);
- }
error_reporting($_smarty_old_error_level);
if (isset($_smarty_results)) { return $_smarty_results; }
}
@@ -1554,7 +1549,7 @@ class Smarty
$params['source_content'] = $this->_read_file($_resource_name);
}
$params['resource_timestamp'] = filemtime($_resource_name);
- $_return = is_file($_resource_name);
+ $_return = is_file($_resource_name) && is_readable($_resource_name);
break;
default:
@@ -1717,7 +1712,7 @@ class Smarty
*/
function _read_file($filename)
{
- if ( file_exists($filename) && ($fd = @fopen($filename, 'rb')) ) {
+ if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) {
$contents = '';
while (!feof($fd)) {
$contents .= fread($fd, 8192);
@@ -1938,10 +1933,10 @@ class Smarty
{
return eval($code);
}
-
+
/**
* Extracts the filter name from the given callback
- *
+ *
* @param callback $function
* @return string
*/
@@ -1956,7 +1951,7 @@ class Smarty
return $function;
}
}
-
+
/**#@-*/
}
diff --git a/include/smarty/libs/Smarty_Compiler.class.php b/include/smarty/libs/Smarty_Compiler.class.php
index 374ba3d04..1178b84d0 100644
--- a/include/smarty/libs/Smarty_Compiler.class.php
+++ b/include/smarty/libs/Smarty_Compiler.class.php
@@ -18,15 +18,15 @@
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * @link http://www.smarty.net/
+ * @link http://smarty.php.net/
* @author Monte Ohrt <monte at ohrt dot com>
* @author Andrei Zmievski <andrei@php.net>
- * @version 2.6.22
+ * @version 2.6.26
* @copyright 2001-2005 New Digital Group, Inc.
* @package Smarty
*/
-/* $Id: Smarty_Compiler.class.php 2966 2008-12-08 15:10:03Z monte.ohrt $ */
+/* $Id: Smarty_Compiler.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */
/**
* Template compiling class
@@ -73,9 +73,6 @@ class Smarty_Compiler extends Smarty {
var $_strip_depth = 0;
var $_additional_newline = "\n";
-
- var $_phpversion = 0;
-
/**#@-*/
/**
@@ -83,8 +80,6 @@ class Smarty_Compiler extends Smarty {
*/
function Smarty_Compiler()
{
- $this->_phpversion = substr(phpversion(),0,1);
-
// matches double quoted strings:
// "foobar"
// "foo\"bar"
@@ -157,20 +152,16 @@ class Smarty_Compiler extends Smarty {
// $foo->bar($foo->bar)
// $foo->bar($foo->bar())
// $foo->bar($foo->bar($blah,$foo,44,"foo",$foo[0].bar))
- // $foo->getBar()->getFoo()
- // $foo->getBar()->foo
$this->_obj_ext_regexp = '\->(?:\$?' . $this->_dvar_guts_regexp . ')';
$this->_obj_restricted_param_regexp = '(?:'
- . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')'
- . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)';
-
- $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|'
+ . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')'
+ . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)';
+ $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|'
. $this->_var_regexp . $this->_obj_restricted_param_regexp . ')))*)';
-
- $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp
+ $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp
. '(?:\s*,\s*' . $this->_obj_single_param_regexp . ')*)?\)';
- $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)';
- $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)';
+ $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)';
+ $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)';
// matches valid modifier syntax:
// |foo
@@ -1705,8 +1696,6 @@ class Smarty_Compiler extends Smarty {
}
// replace double quoted literal string with single quotes
$_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return);
- // escape dollar sign if not printing a var
- $_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return);
return $_return;
}
@@ -1720,7 +1709,6 @@ class Smarty_Compiler extends Smarty {
function _parse_var($var_expr)
{
$_has_math = false;
- $_has_php4_method_chaining = false;
$_math_vars = preg_split('~('.$this->_dvar_math_regexp.'|'.$this->_qstr_regexp.')~', $var_expr, -1, PREG_SPLIT_DELIM_CAPTURE);
if(count($_math_vars) > 1) {
@@ -1833,10 +1821,6 @@ class Smarty_Compiler extends Smarty {
$_output .= '->{(($_var=$this->_tpl_vars[\''.substr($_index,3).'\']) && substr($_var,0,2)!=\'__\') ? $_var : $this->trigger_error("cannot access property \\"$_var\\"")}';
}
} else {
- if ($this->_phpversion < 5) {
- $_has_php4_method_chaining = true;
- $_output .= "; \$_foo = \$_foo";
- }
$_output .= $_index;
}
} elseif (substr($_index, 0, 1) == '(') {
@@ -1848,12 +1832,7 @@ class Smarty_Compiler extends Smarty {
}
}
- if ($_has_php4_method_chaining) {
- $_tmp = str_replace("'","\'",'$_foo = '.$_output.'; return $_foo;');
- return "eval('".$_tmp."')";
- } else {
- return $_output;
- }
+ return $_output;
}
/**
@@ -2068,27 +2047,57 @@ class Smarty_Compiler extends Smarty {
break;
case 'get':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_GET";
break;
case 'post':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_POST";
break;
case 'cookies':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_COOKIE";
break;
case 'env':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_ENV";
break;
case 'server':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_SERVER";
break;
case 'session':
- $compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']";
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
+ $compiled_ref = "\$_SESSION";
break;
/*
@@ -2096,8 +2105,13 @@ class Smarty_Compiler extends Smarty {
* compiler.
*/
case 'request':
+ if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+ $this->_syntax_error("(secure mode) super global access not permitted",
+ E_USER_WARNING, __FILE__, __LINE__);
+ return;
+ }
if ($this->request_use_auto_globals) {
- $compiled_ref = '$_REQUEST';
+ $compiled_ref = "\$_REQUEST";
break;
} else {
$this->_init_smarty_vars = true;
diff --git a/include/smarty/libs/plugins/function.math.php b/include/smarty/libs/plugins/function.math.php
index 71672fea4..bb78dac22 100644
--- a/include/smarty/libs/plugins/function.math.php
+++ b/include/smarty/libs/plugins/function.math.php
@@ -27,7 +27,8 @@ function smarty_function_math($params, &$smarty)
return;
}
- $equation = $params['equation'];
+ // strip out backticks, not necessary for math
+ $equation = str_replace('`','',$params['equation']);
// make sure parenthesis are balanced
if (substr_count($equation,"(") != substr_count($equation,")")) {