-rw-r--r-- | include/smarty/NEWS | 19 | ||||
-rw-r--r-- | include/smarty/README | 2 | ||||
-rw-r--r-- | include/smarty/libs/Config_File.class.php | 4 | ||||
-rw-r--r-- | include/smarty/libs/Smarty.class.php | 33 | ||||
-rw-r--r-- | include/smarty/libs/Smarty_Compiler.class.php | 90 | ||||
-rw-r--r-- | include/smarty/libs/plugins/function.math.php | 3 |
6 files changed, 90 insertions, 61 deletions
diff --git a/include/smarty/NEWS b/include/smarty/NEWS index 39c5f001b..cbab78f5a 100644 --- a/include/smarty/NEWS +++ b/include/smarty/NEWS @@ -1,3 +1,22 @@ +Version 2.6.26 (June 18th, 2009) +------------------------------- +- revert super global access changes, and instead rely on + USE_SUPER_GLOBALS for security + +Version 2.6.25 (May 19th, 2009) +------------------------------- +- fix E_NOTICE when sessions are disabled (mohrt) + +Version 2.6.24 (May 16th, 2009) +------------------------------- +- fix problem introduced with super global changes (mohrt) + +Version 2.6.23 (May 13th, 2009) +------------------------------- +- strip backticks from {math} equations (mohrt) +- make PHP super globals read-only from template (mohrt) +- throw error when template exists but not readable (mohrt) + Version 2.6.22 (Dec 17th, 2008) ------------------------------- diff --git a/include/smarty/README b/include/smarty/README index 13ff7609c..15992d09e 100644 --- a/include/smarty/README +++ b/include/smarty/README @@ -3,7 +3,7 @@ NAME: Smarty - the PHP compiling template engine -VERSION: 2.6.22 +VERSION: 2.6.26 AUTHORS: diff --git a/include/smarty/libs/Config_File.class.php b/include/smarty/libs/Config_File.class.php index 31b890750..5787ad15f 100644 --- a/include/smarty/libs/Config_File.class.php +++ b/include/smarty/libs/Config_File.class.php @@ -22,14 +22,14 @@ * smarty-discussion-subscribe@googlegroups.com * * @link http://www.smarty.net/ - * @version 2.6.22 + * @version 2.6.26 * @copyright Copyright: 2001-2005 New Digital Group, Inc. * @author Andrei Zmievski <andrei@php.net> * @access public * @package Smarty */ -/* $Id: Config_File.class.php 2786 2008-09-18 21:04:38Z Uwe.Tews $ */ +/* $Id: Config_File.class.php 3149 2009-05-23 20:59:25Z monte.ohrt $ */ /** * Config file reading class diff --git a/include/smarty/libs/Smarty.class.php b/include/smarty/libs/Smarty.class.php index 8e56346f9..e7298f2ec 100644 --- a/include/smarty/libs/Smarty.class.php 
+++ b/include/smarty/libs/Smarty.class.php @@ -20,17 +20,17 @@ * * For questions, help, comments, discussion, etc., please join the * Smarty mailing list. Send a blank e-mail to - * smarty-discussion-subscribe@googlegroups.com + * smarty-discussion-subscribe@googlegroups.com * * @link http://www.smarty.net/ * @copyright 2001-2005 New Digital Group, Inc. * @author Monte Ohrt <monte at ohrt dot com> * @author Andrei Zmievski <andrei@php.net> * @package Smarty - * @version 2.6.22 + * @version 2.6.26 */ -/* $Id: Smarty.class.php 2785 2008-09-18 21:04:12Z Uwe.Tews $ */ +/* $Id: Smarty.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */ /** * DIR_SEP isn't used anymore, but third party apps might @@ -107,7 +107,7 @@ class Smarty /** * When set, smarty does uses this value as error_reporting-level. * - * @var boolean + * @var integer */ var $error_reporting = null; @@ -236,7 +236,8 @@ class Smarty 'INCLUDE_ANY' => false, 'PHP_TAGS' => false, 'MODIFIER_FUNCS' => array('count'), - 'ALLOW_CONSTANTS' => false + 'ALLOW_CONSTANTS' => false, + 'ALLOW_SUPER_GLOBALS' => true ); /** @@ -464,7 +465,7 @@ class Smarty * * @var string */ - var $_version = '2.6.22'; + var $_version = '2.6.26'; /** * current template inclusion depth @@ -1057,7 +1058,7 @@ class Smarty } else { // var non-existant, return valid reference $_tmp = null; - return $_tmp; + return $_tmp; } } @@ -1116,7 +1117,7 @@ class Smarty function fetch($resource_name, $cache_id = null, $compile_id = null, $display = false) { static $_cache_info = array(); - + $_smarty_old_error_level = $this->debugging ? error_reporting() : error_reporting(isset($this->error_reporting) ? $this->error_reporting : error_reporting() & ~E_NOTICE); 
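Review bot: `'ALLOW_SUPER_GLOBALS' => true` makes the new secure-mode switch opt-in: with the shipped defaults a template compiled under `$security` can still read `{$smarty.get}`, `{$smarty.post}`, `{$smarty.cookies}`, `{$smarty.env}`, `{$smarty.server}`, `{$smarty.session}` and `{$smarty.request}` exactly as in 2.6.22, and the docblock above the array (outside the hunk) does not mention the new entry. A comment on the line would spare integrators the surprise: `'ALLOW_SUPER_GLOBALS' => true // set false to refuse $smarty.get/post/cookies/env/server/session/request in secure mode`. Note also that the 2.6.26 NEWS entry in this same commit names `USE_SUPER_GLOBALS`, while the key the compiler actually reads is `ALLOW_SUPER_GLOBALS`, so someone following the changelog will set a key that is never consulted.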
@@ -1303,12 +1304,6 @@ class Smarty error_reporting($_smarty_old_error_level); return; } else { - if ($this->debugging) { - // capture time for debugging info - $_params = array(); - require_once(SMARTY_CORE_DIR . 'core.get_microtime.php'); - $this->_smarty_debug_info[$_included_tpls_idx]['exec_time'] = (smarty_core_get_microtime($_params, $this) - $_debug_start_time); - } error_reporting($_smarty_old_error_level); if (isset($_smarty_results)) { return $_smarty_results; } } @@ -1554,7 +1549,7 @@ class Smarty $params['source_content'] = $this->_read_file($_resource_name); } $params['resource_timestamp'] = filemtime($_resource_name); - $_return = is_file($_resource_name); + $_return = is_file($_resource_name) && is_readable($_resource_name); break; default: @@ -1717,7 +1712,7 @@ class Smarty */ function _read_file($filename) { - if ( file_exists($filename) && ($fd = @fopen($filename, 'rb')) ) { + if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) { $contents = ''; while (!feof($fd)) { $contents .= fread($fd, 8192); @@ -1938,10 +1933,10 @@ class Smarty { return eval($code); } - + /** * Extracts the filter name from the given callback - * + * * @param callback $function * @return string */ @@ -1956,7 +1951,7 @@ class Smarty return $function; } } - + /**#@-*/ } diff --git a/include/smarty/libs/Smarty_Compiler.class.php b/include/smarty/libs/Smarty_Compiler.class.php index 374ba3d04..1178b84d0 100644 --- a/include/smarty/libs/Smarty_Compiler.class.php +++ b/include/smarty/libs/Smarty_Compiler.class.php 
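Review bot: In the `@@ -1554` hunk the new `is_file($_resource_name) && is_readable($_resource_name)` check runs after `$this->_read_file($_resource_name)` has already been attempted, so an unreadable template still goes through `_read_file`, which now fails its own readability test and returns `false` into `$params['source_content']` before the resource is rejected; moving `$_return = is_file($_resource_name) && is_readable($_resource_name);` above the read and making the read conditional on `$_return` keeps the two checks consistent and avoids storing a non-string. The `if` guard around the read and the enclosing switch begin outside the hunk. In the `@@ -1717` hunk (`_read_file`) the `@` on `fopen` still hides the reason when `is_readable` passes but the open fails, for example under `open_basedir`; since the function now screens readability itself, dropping the `@` would let the real cause reach the error handler instead of a silent `false`.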
@@ -18,15 +18,15 @@ * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - * @link http://www.smarty.net/ + * @link http://smarty.php.net/ * @author Monte Ohrt <monte at ohrt dot com> * @author Andrei Zmievski <andrei@php.net> - * @version 2.6.22 + * @version 2.6.26 * @copyright 2001-2005 New Digital Group, Inc. * @package Smarty */ -/* $Id: Smarty_Compiler.class.php 2966 2008-12-08 15:10:03Z monte.ohrt $ */ +/* $Id: Smarty_Compiler.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */ /** * Template compiling class @@ -73,9 +73,6 @@ class Smarty_Compiler extends Smarty { var $_strip_depth = 0; var $_additional_newline = "\n"; - - var $_phpversion = 0; - /**#@-*/ /** @@ -83,8 +80,6 @@ class Smarty_Compiler extends Smarty { */ function Smarty_Compiler() { - $this->_phpversion = substr(phpversion(),0,1); - // matches double quoted strings: // "foobar" // "foo\"bar" 
@@ -157,20 +152,16 @@ class Smarty_Compiler extends Smarty { // $foo->bar($foo->bar) // $foo->bar($foo->bar()) // $foo->bar($foo->bar($blah,$foo,44,"foo",$foo[0].bar)) - // $foo->getBar()->getFoo() - // $foo->getBar()->foo $this->_obj_ext_regexp = '\->(?:\$?' . $this->_dvar_guts_regexp . ')'; $this->_obj_restricted_param_regexp = '(?:' - . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')' - . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)'; - - $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|' + . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')' + . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)'; + $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|' . $this->_var_regexp . $this->_obj_restricted_param_regexp . ')))*)'; - - $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp + $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp . '(?:\s*,\s*' . $this->_obj_single_param_regexp . ')*)?\)'; - $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)'; - $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)'; + $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)'; + $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . 
')*)?)'; // matches valid modifier syntax: // |foo @@ -1705,8 +1696,6 @@ class Smarty_Compiler extends Smarty { } // replace double quoted literal string with single quotes $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return); - // escape dollar sign if not printing a var - $_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return); return $_return; } @@ -1720,7 +1709,6 @@ class Smarty_Compiler extends Smarty { function _parse_var($var_expr) { $_has_math = false; - $_has_php4_method_chaining = false; $_math_vars = preg_split('~('.$this->_dvar_math_regexp.'|'.$this->_qstr_regexp.')~', $var_expr, -1, PREG_SPLIT_DELIM_CAPTURE); if(count($_math_vars) > 1) { @@ -1833,10 +1821,6 @@ class Smarty_Compiler extends Smarty { $_output .= '->{(($_var=$this->_tpl_vars[\''.substr($_index,3).'\']) && substr($_var,0,2)!=\'__\') ? $_var : $this->trigger_error("cannot access property \\"$_var\\"")}'; } } else { - if ($this->_phpversion < 5) { - $_has_php4_method_chaining = true; - $_output .= "; \$_foo = \$_foo"; - } $_output .= $_index; } } elseif (substr($_index, 0, 1) == '(') { @@ -1848,12 +1832,7 @@ class Smarty_Compiler extends Smarty { } } - if ($_has_php4_method_chaining) { - $_tmp = str_replace("'","\'",'$_foo = '.$_output.'; return $_foo;'); - return "eval('".$_tmp."')"; - } else { - return $_output; - } + return $_output; } /** 
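Review bot: The `@@ -1705` hunk removes the `preg_replace('~\$(\W)~', ...)` that escaped a dollar sign not followed by a word character, and the only rewrite left after it, the single-quote conversion on the next line, matches just `^"([\s\w]+)"$`, so every other quoted string is emitted into the compiled template as a PHP double-quoted literal, where `$` followed by `{` is PHP's own interpolation syntax. If the earlier part of `_expand_quoted_text` (outside the hunk) does not neutralise that sequence, a template string could reach variables of the compiled scope, which matters most in secure mode; keeping `$_return = preg_replace('~\$(\W)~', "\\\\\$\\1", $_return);` closes that without affecting `$var` expansion, which is handled before it. Taken together with `@link` going back from `www.smarty.net` to `smarty.php.net` in the `@@ -18` hunk and the dropped method-chaining comment lines in `@@ -157`, the incoming copy looks in places older than what it replaces, which is worth confirming against the upstream 2.6.26 release before merging.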
@@ -2068,27 +2047,57 @@ class Smarty_Compiler extends Smarty { break; case 'get': - $compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_GET"; break; case 'post': - $compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_POST"; break; case 'cookies': - $compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_COOKIE"; break; case 'env': - $compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_ENV"; break; case 'server': - $compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_SERVER"; break; case 'session': - $compiled_ref = ($this->request_use_auto_globals) ? 
'$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_SESSION"; break; /* @@ -2096,8 +2105,13 @@ class Smarty_Compiler extends Smarty { * compiler. */ case 'request': + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } if ($this->request_use_auto_globals) { - $compiled_ref = '$_REQUEST'; + $compiled_ref = "\$_REQUEST"; break; } else { $this->_init_smarty_vars = true; diff --git a/include/smarty/libs/plugins/function.math.php b/include/smarty/libs/plugins/function.math.php index 71672fea4..bb78dac22 100644 --- a/include/smarty/libs/plugins/function.math.php +++ b/include/smarty/libs/plugins/function.math.php @@ -27,7 +27,8 @@ function smarty_function_math($params, &$smarty) return; } - $equation = $params['equation']; + // strip out backticks, not necessary for math + $equation = str_replace('`','',$params['equation']); // make sure parenthesis are balanced if (substr_count($equation,"(") != substr_count($equation,")")) { |
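Review bot: The secure-mode guard is pasted seven times across the `get` to `session` cases of the `@@ -2068` hunk and the `request` case of `@@ -2096`, and each copy tests `!$this->security_settings['ALLOW_SUPER_GLOBALS']`, so an integrator who assigns their own `security_settings` array without the new key gets an E_NOTICE on every compile of such a reference (the check still fails closed, since a missing key reads as null). A single helper using `empty()` keeps the fail-closed behaviour, removes the notice and gives the policy one place to live; a sketch follows. The enclosing `_compile_smarty_ref` begins and ends outside the hunk, and the `request` case keeps its `request_use_auto_globals` branch as is.
```php
    /**
     * Decide whether a template may reference a PHP super global.
     *
     * In secure mode this raises the syntax error and returns false unless
     * ALLOW_SUPER_GLOBALS is set; empty() keeps the check fail-closed and
     * notice-free when a caller-supplied security_settings array lacks the key.
     *
     * @return boolean
     */
    function _super_global_access_allowed()
    {
        if ($this->security && empty($this->security_settings['ALLOW_SUPER_GLOBALS'])) {
            $this->_syntax_error("(secure mode) super global access not permitted",
                                 E_USER_WARNING, __FILE__, __LINE__);
            return false;
        }
        return true;
    }

    // … inside _compile_smarty_ref: one guard per case replaces the seven copies …
            case 'get':
                if (!$this->_super_global_access_allowed()) {
                    return;
                }
                $compiled_ref = "\$_GET";
                break;
            // … unchanged: post, cookies, env, server, session and request take the same shape …
```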
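Review bot: The comment `// strip out backticks, not necessary for math` presents the change as cosmetic, while the NEWS entry in this commit lists it as a fix; if the equation is still handed to `eval()` further down `smarty_function_math` (outside the hunk), the reason the character is removed should be stated so a later cleanup does not drop the line, e.g. `// strip backticks: they have no meaning in an equation and must never reach the eval() below`. Deleting one character is also a denylist; the plugin already has a positive validation pass for identifiers later on, and extending that to the character level, on the order of `if (preg_match('~[^\w\s\.\,\+\-\*/\%\(\)]~', $equation)) { $smarty->trigger_error("math: invalid character in equation"); return; }` tuned to the operators the plugin accepts, rejects anything unexpected instead of silently rewriting it.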