smarty_security.php 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427
  1. <?php
  2. /**
  3. * Smarty plugin
  4. *
  5. * @package Smarty
  6. * @subpackage Security
  7. * @author Uwe Tews
  8. */
  9. /*
  10. * FIXME: Smarty_Security API
  11. * - getter and setter instead of public properties would allow cultivating an internal cache properly
  12. * - current implementation of isTrustedResourceDir() assumes that Smarty::$template_dir and Smarty::$config_dir are immutable
  13. * the cache is killed every time either of the variables change. That means that two distinct Smarty objects with differing
  14. * $template_dir or $config_dir should NOT share the same Smarty_Security instance,
  15. * as this would lead to (severe) performance penalty! how should this be handled?
  16. */
  17. /**
  18. * This class does contain the security settings
  19. */
  20. class Smarty_Security {
  21. /**
  22. * This determines how Smarty handles "<?php ... ?>" tags in templates.
  23. * possible values:
  24. * <ul>
  25. * <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>
  26. * <li>Smarty::PHP_QUOTE -> escape tags as entities</li>
  27. * <li>Smarty::PHP_REMOVE -> remove php tags</li>
  28. * <li>Smarty::PHP_ALLOW -> execute php tags</li>
  29. * </ul>
  30. *
  31. * @var integer
  32. */
  33. public $php_handling = Smarty::PHP_PASSTHRU;
  34. /**
  35. * This is the list of template directories that are considered secure.
  36. * $template_dir is in this list implicitly.
  37. *
  38. * @var array
  39. */
  40. public $secure_dir = array();
  41. /**
  42. * This is an array of directories where trusted php scripts reside.
  43. * {@link $security} is disabled during their inclusion/execution.
  44. *
  45. * @var array
  46. */
  47. public $trusted_dir = array();
  48. /**
  49. * This is an array of trusted static classes.
  50. *
  51. * If empty access to all static classes is allowed.
  52. * If set to 'none' none is allowed.
  53. * @var array
  54. */
  55. public $static_classes = array();
  56. /**
  57. * This is an array of trusted PHP functions.
  58. *
  59. * If empty all functions are allowed.
  60. * To disable all PHP functions set $php_functions = null.
  61. * @var array
  62. */
  63. public $php_functions = array(
  64. 'isset', 'empty',
  65. 'count', 'sizeof',
  66. 'in_array', 'is_array',
  67. 'time',
  68. 'nl2br',
  69. );
  70. /**
  71. * This is an array of trusted PHP modifers.
  72. *
  73. * If empty all modifiers are allowed.
  74. * To disable all modifier set $modifiers = null.
  75. * @var array
  76. */
  77. public $php_modifiers = array(
  78. 'escape',
  79. 'count'
  80. );
  81. /**
  82. * This is an array of allowed tags.
  83. *
  84. * If empty no restriction by allowed_tags.
  85. * @var array
  86. */
  87. public $allowed_tags = array();
  88. /**
  89. * This is an array of disabled tags.
  90. *
  91. * If empty no restriction by disabled_tags.
  92. * @var array
  93. */
  94. public $disabled_tags = array();
  95. /**
  96. * This is an array of allowed modifier plugins.
  97. *
  98. * If empty no restriction by allowed_modifiers.
  99. * @var array
  100. */
  101. public $allowed_modifiers = array();
  102. /**
  103. * This is an array of disabled modifier plugins.
  104. *
  105. * If empty no restriction by disabled_modifiers.
  106. * @var array
  107. */
  108. public $disabled_modifiers = array();
  109. /**
  110. * This is an array of trusted streams.
  111. *
  112. * If empty all streams are allowed.
  113. * To disable all streams set $streams = null.
  114. * @var array
  115. */
  116. public $streams = array('file');
  117. /**
  118. * + flag if constants can be accessed from template
  119. * @var boolean
  120. */
  121. public $allow_constants = true;
  122. /**
  123. * + flag if super globals can be accessed from template
  124. * @var boolean
  125. */
  126. public $allow_super_globals = true;
  127. /**
  128. * Cache for $resource_dir lookups
  129. * @var array
  130. */
  131. protected $_resource_dir = null;
  132. /**
  133. * Cache for $template_dir lookups
  134. * @var array
  135. */
  136. protected $_template_dir = null;
  137. /**
  138. * Cache for $config_dir lookups
  139. * @var array
  140. */
  141. protected $_config_dir = null;
  142. /**
  143. * Cache for $secure_dir lookups
  144. * @var array
  145. */
  146. protected $_secure_dir = null;
  147. /**
  148. * Cache for $php_resource_dir lookups
  149. * @var array
  150. */
  151. protected $_php_resource_dir = null;
  152. /**
  153. * Cache for $trusted_dir lookups
  154. * @var array
  155. */
  156. protected $_trusted_dir = null;
  157. /**
  158. * @param Smarty $smarty
  159. */
  160. public function __construct($smarty)
  161. {
  162. $this->smarty = $smarty;
  163. }
  164. /**
  165. * Check if PHP function is trusted.
  166. *
  167. * @param string $function_name
  168. * @param object $compiler compiler object
  169. * @return boolean true if function is trusted
  170. * @throws SmartyCompilerException if php function is not trusted
  171. */
  172. public function isTrustedPhpFunction($function_name, $compiler)
  173. {
  174. if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) {
  175. return true;
  176. }
  177. $compiler->trigger_template_error("PHP function '{$function_name}' not allowed by security setting");
  178. return false; // should not, but who knows what happens to the compiler in the future?
  179. }
  180. /**
  181. * Check if static class is trusted.
  182. *
  183. * @param string $class_name
  184. * @param object $compiler compiler object
  185. * @return boolean true if class is trusted
  186. * @throws SmartyCompilerException if static class is not trusted
  187. */
  188. public function isTrustedStaticClass($class_name, $compiler)
  189. {
  190. if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) {
  191. return true;
  192. }
  193. $compiler->trigger_template_error("access to static class '{$class_name}' not allowed by security setting");
  194. return false; // should not, but who knows what happens to the compiler in the future?
  195. }
  196. /**
  197. * Check if PHP modifier is trusted.
  198. *
  199. * @param string $modifier_name
  200. * @param object $compiler compiler object
  201. * @return boolean true if modifier is trusted
  202. * @throws SmartyCompilerException if modifier is not trusted
  203. */
  204. public function isTrustedPhpModifier($modifier_name, $compiler)
  205. {
  206. if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) {
  207. return true;
  208. }
  209. $compiler->trigger_template_error("modifier '{$modifier_name}' not allowed by security setting");
  210. return false; // should not, but who knows what happens to the compiler in the future?
  211. }
  212. /**
  213. * Check if tag is trusted.
  214. *
  215. * @param string $tag_name
  216. * @param object $compiler compiler object
  217. * @return boolean true if tag is trusted
  218. * @throws SmartyCompilerException if modifier is not trusted
  219. */
  220. public function isTrustedTag($tag_name, $compiler)
  221. {
  222. // check for internal always required tags
  223. if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin', 'private_function_plugin', 'private_object_block_function',
  224. 'private_object_function', 'private_registered_function', 'private_registered_block', 'private_special_variable', 'private_print_expression', 'private_modifier'))) {
  225. return true;
  226. }
  227. // check security settings
  228. if (empty($this->allowed_tags)) {
  229. if (empty($this->disabled_tags) || !in_array($tag_name, $this->disabled_tags)) {
  230. return true;
  231. } else {
  232. $compiler->trigger_template_error("tag '{$tag_name}' disabled by security setting", $compiler->lex->taglineno);
  233. }
  234. } else if (in_array($tag_name, $this->allowed_tags) && !in_array($tag_name, $this->disabled_tags)) {
  235. return true;
  236. } else {
  237. $compiler->trigger_template_error("tag '{$tag_name}' not allowed by security setting", $compiler->lex->taglineno);
  238. }
  239. return false; // should not, but who knows what happens to the compiler in the future?
  240. }
  241. /**
  242. * Check if modifier plugin is trusted.
  243. *
  244. * @param string $modifier_name
  245. * @param object $compiler compiler object
  246. * @return boolean true if tag is trusted
  247. * @throws SmartyCompilerException if modifier is not trusted
  248. */
  249. public function isTrustedModifier($modifier_name, $compiler)
  250. {
  251. // check for internal always allowed modifier
  252. if (in_array($modifier_name, array('default'))) {
  253. return true;
  254. }
  255. // check security settings
  256. if (empty($this->allowed_modifiers)) {
  257. if (empty($this->disabled_modifiers) || !in_array($modifier_name, $this->disabled_modifiers)) {
  258. return true;
  259. } else {
  260. $compiler->trigger_template_error("modifier '{$modifier_name}' disabled by security setting", $compiler->lex->taglineno);
  261. }
  262. } else if (in_array($modifier_name, $this->allowed_modifiers) && !in_array($modifier_name, $this->disabled_modifiers)) {
  263. return true;
  264. } else {
  265. $compiler->trigger_template_error("modifier '{$modifier_name}' not allowed by security setting", $compiler->lex->taglineno);
  266. }
  267. return false; // should not, but who knows what happens to the compiler in the future?
  268. }
  269. /**
  270. * Check if stream is trusted.
  271. *
  272. * @param string $stream_name
  273. * @return boolean true if stream is trusted
  274. * @throws SmartyException if stream is not trusted
  275. */
  276. public function isTrustedStream($stream_name)
  277. {
  278. if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) {
  279. return true;
  280. }
  281. throw new SmartyException("stream '{$stream_name}' not allowed by security setting");
  282. }
  283. /**
  284. * Check if directory of file resource is trusted.
  285. *
  286. * @param string $filepath
  287. * @return boolean true if directory is trusted
  288. * @throws SmartyException if directory is not trusted
  289. */
  290. public function isTrustedResourceDir($filepath)
  291. {
  292. $_template = false;
  293. $_config = false;
  294. $_secure = false;
  295. $_template_dir = $this->smarty->getTemplateDir();
  296. $_config_dir = $this->smarty->getConfigDir();
  297. // check if index is outdated
  298. if ((!$this->_template_dir || $this->_template_dir !== $_template_dir)
  299. || (!$this->_config_dir || $this->_config_dir !== $_config_dir)
  300. || (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))
  301. ) {
  302. $this->_resource_dir = array();
  303. $_template = true;
  304. $_config = true;
  305. $_secure = !empty($this->secure_dir);
  306. }
  307. // rebuild template dir index
  308. if ($_template) {
  309. $this->_template_dir = $_template_dir;
  310. foreach ($_template_dir as $directory) {
  311. $directory = realpath($directory);
  312. $this->_resource_dir[$directory] = true;
  313. }
  314. }
  315. // rebuild config dir index
  316. if ($_config) {
  317. $this->_config_dir = $_config_dir;
  318. foreach ($_config_dir as $directory) {
  319. $directory = realpath($directory);
  320. $this->_resource_dir[$directory] = true;
  321. }
  322. }
  323. // rebuild secure dir index
  324. if ($_secure) {
  325. $this->_secure_dir = $this->secure_dir;
  326. foreach ((array) $this->secure_dir as $directory) {
  327. $directory = realpath($directory);
  328. $this->_resource_dir[$directory] = true;
  329. }
  330. }
  331. $_filepath = realpath($filepath);
  332. $directory = dirname($_filepath);
  333. $_directory = array();
  334. while (true) {
  335. // remember the directory to add it to _resource_dir in case we're successful
  336. $_directory[] = $directory;
  337. // test if the directory is trusted
  338. if (isset($this->_resource_dir[$directory])) {
  339. // merge sub directories of current $directory into _resource_dir to speed up subsequent lookups
  340. $this->_resource_dir = array_merge($this->_resource_dir, $_directory);
  341. return true;
  342. }
  343. // abort if we've reached root
  344. if (($pos = strrpos($directory, DS)) === false || !isset($directory[1])) {
  345. break;
  346. }
  347. // bubble up one level
  348. $directory = substr($directory, 0, $pos);
  349. }
  350. // give up
  351. throw new SmartyException("directory '{$_filepath}' not allowed by security setting");
  352. }
  353. /**
  354. * Check if directory of file resource is trusted.
  355. *
  356. * @param string $filepath
  357. * @return boolean true if directory is trusted
  358. * @throws SmartyException if PHP directory is not trusted
  359. */
  360. public function isTrustedPHPDir($filepath)
  361. {
  362. if (empty($this->trusted_dir)) {
  363. throw new SmartyException("directory '{$filepath}' not allowed by security setting (no trusted_dir specified)");
  364. }
  365. // check if index is outdated
  366. if (!$this->_trusted_dir || $this->_trusted_dir !== $this->trusted_dir) {
  367. $this->_php_resource_dir = array();
  368. $this->_trusted_dir = $this->trusted_dir;
  369. foreach ((array) $this->trusted_dir as $directory) {
  370. $directory = realpath($directory);
  371. $this->_php_resource_dir[$directory] = true;
  372. }
  373. }
  374. $_filepath = realpath($filepath);
  375. $directory = dirname($_filepath);
  376. $_directory = array();
  377. while (true) {
  378. // remember the directory to add it to _resource_dir in case we're successful
  379. $_directory[] = $directory;
  380. // test if the directory is trusted
  381. if (isset($this->_php_resource_dir[$directory])) {
  382. // merge sub directories of current $directory into _resource_dir to speed up subsequent lookups
  383. $this->_php_resource_dir = array_merge($this->_php_resource_dir, $_directory);
  384. return true;
  385. }
  386. // abort if we've reached root
  387. if (($pos = strrpos($directory, DS)) === false || !isset($directory[2])) {
  388. break;
  389. }
  390. // bubble up one level
  391. $directory = substr($directory, 0, $pos);
  392. }
  393. throw new SmartyException("directory '{$_filepath}' not allowed by security setting");
  394. }
  395. }
  396. ?>