109 'in_array',
'is_array',
232 $this->smarty = $smarty;
246 if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) {
250 $compiler->trigger_template_error(
"PHP function '{$function_name}' not allowed by security setting");
266 if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) {
270 $compiler->trigger_template_error(
"access to static class '{$class_name}' not allowed by security setting");
287 if (!isset($params[2])) {
291 if ($params[2] ==
'method') {
293 $name = substr($params[0], 0, strpos($params[0],
'('));
297 $name = substr($params[0], 1);
299 if (isset($allowed)) {
300 if (empty($allowed)) {
304 if (isset($allowed[$class_name])
305 && (empty($allowed[$class_name])
306 || in_array($name, $allowed[$class_name]))
311 $compiler->trigger_template_error(
"access to static class '{$class_name}' {$params[2]} '{$name}' not allowed by security setting");
326 if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) {
330 $compiler->trigger_template_error(
"modifier '{$modifier_name}' not allowed by security setting");
347 if (in_array($tag_name, array(
'assign',
'call',
'private_filter',
'private_block_plugin',
'private_function_plugin',
'private_object_block_function',
348 'private_object_function',
'private_registered_function',
'private_registered_block',
'private_special_variable',
'private_print_expression',
'private_modifier'))
353 if (empty($this->allowed_tags)) {
354 if (empty($this->disabled_tags) || !in_array($tag_name, $this->disabled_tags)) {
357 $compiler->trigger_template_error(
"tag '{$tag_name}' disabled by security setting", $compiler->lex->taglineno);
359 } elseif (in_array($tag_name, $this->allowed_tags) && !in_array($tag_name, $this->disabled_tags)) {
362 $compiler->trigger_template_error(
"tag '{$tag_name}' not allowed by security setting", $compiler->lex->taglineno);
379 if (!in_array($var_name, $this->disabled_special_smarty_vars)) {
382 $compiler->trigger_template_error(
"special variable '\$smarty.{$var_name}' not allowed by security setting", $compiler->lex->taglineno);
400 if (in_array($modifier_name, array(
'default'))) {
404 if (empty($this->allowed_modifiers)) {
405 if (empty($this->disabled_modifiers) || !in_array($modifier_name, $this->disabled_modifiers)) {
408 $compiler->trigger_template_error(
"modifier '{$modifier_name}' disabled by security setting", $compiler->lex->taglineno);
410 } elseif (in_array($modifier_name, $this->allowed_modifiers) && !in_array($modifier_name, $this->disabled_modifiers)) {
413 $compiler->trigger_template_error(
"modifier '{$modifier_name}' not allowed by security setting", $compiler->lex->taglineno);
429 if (in_array($const, array(
'true',
'false',
'null'))) {
432 if (!empty($this->trusted_constants)) {
433 if (!in_array($const, $this->trusted_constants)) {
434 $compiler->trigger_template_error(
"Security: access to constant '{$const}' not permitted");
439 if ($this->allow_constants) {
442 $compiler->trigger_template_error(
"Security: access to constants not permitted");
456 if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) {
460 throw new SmartyException(
"stream '{$stream_name}' not allowed by security setting");
481 if ((!$this->_template_dir || $this->_template_dir !==
$_template_dir)
482 || (!$this->_config_dir || $this->_config_dir !==
$_config_dir)
483 || (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))
485 $this->_resource_dir = array();
488 $_secure = !empty($this->secure_dir);
495 $directory = realpath($directory);
496 $this->_resource_dir[$directory] =
true;
504 $directory = realpath($directory);
505 $this->_resource_dir[$directory] =
true;
512 foreach ((array) $this->secure_dir as $directory) {
513 $directory = realpath($directory);
514 $this->_resource_dir[$directory] =
true;
518 $_filepath = realpath($filepath);
519 $directory = dirname($_filepath);
520 $_directory = array();
523 $_directory[$directory] =
true;
525 if (isset($this->_resource_dir[$directory])) {
527 $this->_resource_dir = array_merge($this->_resource_dir, $_directory);
532 if (($pos = strrpos($directory, DS)) ===
false || !isset($directory[1])) {
536 $directory = substr($directory, 0, $pos);
540 throw new SmartyException(
"directory '{$_filepath}' not allowed by security setting");
557 $_uri = parse_url($uri);
558 if (!empty($_uri[
'scheme']) && !empty($_uri[
'host'])) {
559 $_uri = $_uri[
'scheme'] .
'://' . $_uri[
'host'];
560 foreach ($this->trusted_uri as $pattern) {
561 if (preg_match($pattern, $_uri)) {
567 throw new SmartyException(
"URI '{$uri}' not allowed by security setting");
580 if (empty($this->trusted_dir)) {
581 throw new SmartyException(
"directory '{$filepath}' not allowed by security setting (no trusted_dir specified)");
585 if (!$this->_trusted_dir || $this->_trusted_dir !== $this->trusted_dir) {
586 $this->_php_resource_dir = array();
589 foreach ((array) $this->trusted_dir as $directory) {
590 $directory = realpath($directory);
591 $this->_php_resource_dir[$directory] =
true;
595 $_filepath = realpath($filepath);
596 $directory = dirname($_filepath);
597 $_directory = array();
600 $_directory[] = $directory;
602 if (isset($this->_php_resource_dir[$directory])) {
604 $this->_php_resource_dir = array_merge($this->_php_resource_dir, $_directory);
609 if (($pos = strrpos($directory, DS)) ===
false || !isset($directory[2])) {
613 $directory = substr($directory, 0, $pos);
616 throw new SmartyException(
"directory '{$_filepath}' not allowed by security setting");
628 if ($this->max_template_nesting > 0 && $this->_current_template_nesting ++ >= $this->max_template_nesting) {
629 throw new SmartyException(
"maximum template nesting level of '{$this->max_template_nesting}' exceeded when calling '{$template->template_resource}'");
640 if ($this->max_template_nesting > 0) {
641 $this->_current_template_nesting --;