smarty_security.php 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459
  1. <?php
  2. /**
  3. * Smarty plugin
  4. *
  5. * @package Smarty
  6. * @subpackage Security
  7. * @author Uwe Tews
  8. */
  9. /*
  10. * FIXME: Smarty_Security API
  11. * - getter and setter instead of public properties would allow cultivating an internal cache properly
  12. * - current implementation of isTrustedResourceDir() assumes that Smarty::$template_dir and Smarty::$config_dir are immutable
  13. * the cache is killed every time either of the variables change. That means that two distinct Smarty objects with differing
  14. * $template_dir or $config_dir should NOT share the same Smarty_Security instance,
  15. * as this would lead to (severe) performance penalty! how should this be handled?
  16. */
  17. /**
  18. * This class does contain the security settings
  19. */
  20. class Smarty_Security {
  21. /**
  22. * This determines how Smarty handles "<?php ... ?>" tags in templates.
  23. * possible values:
  24. * <ul>
  25. * <li>Smarty::PHP_PASSTHRU -> echo PHP tags as they are</li>
  26. * <li>Smarty::PHP_QUOTE -> escape tags as entities</li>
  27. * <li>Smarty::PHP_REMOVE -> remove php tags</li>
  28. * <li>Smarty::PHP_ALLOW -> execute php tags</li>
  29. * </ul>
  30. *
  31. * @var integer
  32. */
  33. public $php_handling = Smarty::PHP_PASSTHRU;
  34. /**
  35. * This is the list of template directories that are considered secure.
  36. * $template_dir is in this list implicitly.
  37. *
  38. * @var array
  39. */
  40. public $secure_dir = array();
  41. /**
  42. * This is an array of directories where trusted php scripts reside.
  43. * {@link $security} is disabled during their inclusion/execution.
  44. *
  45. * @var array
  46. */
  47. public $trusted_dir = array();
  48. /**
  49. * List of regular expressions (PCRE) that include trusted URIs
  50. *
  51. * @var array
  52. */
  53. public $trusted_uri = array();
  54. /**
  55. * This is an array of trusted static classes.
  56. *
  57. * If empty access to all static classes is allowed.
  58. * If set to 'none' none is allowed.
  59. * @var array
  60. */
  61. public $static_classes = array();
  62. /**
  63. * This is an array of trusted PHP functions.
  64. *
  65. * If empty all functions are allowed.
  66. * To disable all PHP functions set $php_functions = null.
  67. * @var array
  68. */
  69. public $php_functions = array(
  70. 'isset', 'empty',
  71. 'count', 'sizeof',
  72. 'in_array', 'is_array',
  73. 'time',
  74. 'nl2br',
  75. );
  76. /**
  77. * This is an array of trusted PHP modifers.
  78. *
  79. * If empty all modifiers are allowed.
  80. * To disable all modifier set $modifiers = null.
  81. * @var array
  82. */
  83. public $php_modifiers = array(
  84. 'escape',
  85. 'count'
  86. );
  87. /**
  88. * This is an array of allowed tags.
  89. *
  90. * If empty no restriction by allowed_tags.
  91. * @var array
  92. */
  93. public $allowed_tags = array();
  94. /**
  95. * This is an array of disabled tags.
  96. *
  97. * If empty no restriction by disabled_tags.
  98. * @var array
  99. */
  100. public $disabled_tags = array();
  101. /**
  102. * This is an array of allowed modifier plugins.
  103. *
  104. * If empty no restriction by allowed_modifiers.
  105. * @var array
  106. */
  107. public $allowed_modifiers = array();
  108. /**
  109. * This is an array of disabled modifier plugins.
  110. *
  111. * If empty no restriction by disabled_modifiers.
  112. * @var array
  113. */
  114. public $disabled_modifiers = array();
  115. /**
  116. * This is an array of trusted streams.
  117. *
  118. * If empty all streams are allowed.
  119. * To disable all streams set $streams = null.
  120. * @var array
  121. */
  122. public $streams = array('file');
  123. /**
  124. * + flag if constants can be accessed from template
  125. * @var boolean
  126. */
  127. public $allow_constants = true;
  128. /**
  129. * + flag if super globals can be accessed from template
  130. * @var boolean
  131. */
  132. public $allow_super_globals = true;
  133. /**
  134. * Cache for $resource_dir lookups
  135. * @var array
  136. */
  137. protected $_resource_dir = null;
  138. /**
  139. * Cache for $template_dir lookups
  140. * @var array
  141. */
  142. protected $_template_dir = null;
  143. /**
  144. * Cache for $config_dir lookups
  145. * @var array
  146. */
  147. protected $_config_dir = null;
  148. /**
  149. * Cache for $secure_dir lookups
  150. * @var array
  151. */
  152. protected $_secure_dir = null;
  153. /**
  154. * Cache for $php_resource_dir lookups
  155. * @var array
  156. */
  157. protected $_php_resource_dir = null;
  158. /**
  159. * Cache for $trusted_dir lookups
  160. * @var array
  161. */
  162. protected $_trusted_dir = null;
  163. /**
  164. * @param Smarty $smarty
  165. */
  166. public function __construct($smarty)
  167. {
  168. $this->smarty = $smarty;
  169. }
  170. /**
  171. * Check if PHP function is trusted.
  172. *
  173. * @param string $function_name
  174. * @param object $compiler compiler object
  175. * @return boolean true if function is trusted
  176. * @throws SmartyCompilerException if php function is not trusted
  177. */
  178. public function isTrustedPhpFunction($function_name, $compiler)
  179. {
  180. if (isset($this->php_functions) && (empty($this->php_functions) || in_array($function_name, $this->php_functions))) {
  181. return true;
  182. }
  183. $compiler->trigger_template_error("PHP function '{$function_name}' not allowed by security setting");
  184. return false; // should not, but who knows what happens to the compiler in the future?
  185. }
  186. /**
  187. * Check if static class is trusted.
  188. *
  189. * @param string $class_name
  190. * @param object $compiler compiler object
  191. * @return boolean true if class is trusted
  192. * @throws SmartyCompilerException if static class is not trusted
  193. */
  194. public function isTrustedStaticClass($class_name, $compiler)
  195. {
  196. if (isset($this->static_classes) && (empty($this->static_classes) || in_array($class_name, $this->static_classes))) {
  197. return true;
  198. }
  199. $compiler->trigger_template_error("access to static class '{$class_name}' not allowed by security setting");
  200. return false; // should not, but who knows what happens to the compiler in the future?
  201. }
  202. /**
  203. * Check if PHP modifier is trusted.
  204. *
  205. * @param string $modifier_name
  206. * @param object $compiler compiler object
  207. * @return boolean true if modifier is trusted
  208. * @throws SmartyCompilerException if modifier is not trusted
  209. */
  210. public function isTrustedPhpModifier($modifier_name, $compiler)
  211. {
  212. if (isset($this->php_modifiers) && (empty($this->php_modifiers) || in_array($modifier_name, $this->php_modifiers))) {
  213. return true;
  214. }
  215. $compiler->trigger_template_error("modifier '{$modifier_name}' not allowed by security setting");
  216. return false; // should not, but who knows what happens to the compiler in the future?
  217. }
  218. /**
  219. * Check if tag is trusted.
  220. *
  221. * @param string $tag_name
  222. * @param object $compiler compiler object
  223. * @return boolean true if tag is trusted
  224. * @throws SmartyCompilerException if modifier is not trusted
  225. */
  226. public function isTrustedTag($tag_name, $compiler)
  227. {
  228. // check for internal always required tags
  229. if (in_array($tag_name, array('assign', 'call', 'private_filter', 'private_block_plugin', 'private_function_plugin', 'private_object_block_function',
  230. 'private_object_function', 'private_registered_function', 'private_registered_block', 'private_special_variable', 'private_print_expression', 'private_modifier'))) {
  231. return true;
  232. }
  233. // check security settings
  234. if (empty($this->allowed_tags)) {
  235. if (empty($this->disabled_tags) || !in_array($tag_name, $this->disabled_tags)) {
  236. return true;
  237. } else {
  238. $compiler->trigger_template_error("tag '{$tag_name}' disabled by security setting", $compiler->lex->taglineno);
  239. }
  240. } else if (in_array($tag_name, $this->allowed_tags) && !in_array($tag_name, $this->disabled_tags)) {
  241. return true;
  242. } else {
  243. $compiler->trigger_template_error("tag '{$tag_name}' not allowed by security setting", $compiler->lex->taglineno);
  244. }
  245. return false; // should not, but who knows what happens to the compiler in the future?
  246. }
  247. /**
  248. * Check if modifier plugin is trusted.
  249. *
  250. * @param string $modifier_name
  251. * @param object $compiler compiler object
  252. * @return boolean true if tag is trusted
  253. * @throws SmartyCompilerException if modifier is not trusted
  254. */
  255. public function isTrustedModifier($modifier_name, $compiler)
  256. {
  257. // check for internal always allowed modifier
  258. if (in_array($modifier_name, array('default'))) {
  259. return true;
  260. }
  261. // check security settings
  262. if (empty($this->allowed_modifiers)) {
  263. if (empty($this->disabled_modifiers) || !in_array($modifier_name, $this->disabled_modifiers)) {
  264. return true;
  265. } else {
  266. $compiler->trigger_template_error("modifier '{$modifier_name}' disabled by security setting", $compiler->lex->taglineno);
  267. }
  268. } else if (in_array($modifier_name, $this->allowed_modifiers) && !in_array($modifier_name, $this->disabled_modifiers)) {
  269. return true;
  270. } else {
  271. $compiler->trigger_template_error("modifier '{$modifier_name}' not allowed by security setting", $compiler->lex->taglineno);
  272. }
  273. return false; // should not, but who knows what happens to the compiler in the future?
  274. }
  275. /**
  276. * Check if stream is trusted.
  277. *
  278. * @param string $stream_name
  279. * @return boolean true if stream is trusted
  280. * @throws SmartyException if stream is not trusted
  281. */
  282. public function isTrustedStream($stream_name)
  283. {
  284. if (isset($this->streams) && (empty($this->streams) || in_array($stream_name, $this->streams))) {
  285. return true;
  286. }
  287. throw new SmartyException("stream '{$stream_name}' not allowed by security setting");
  288. }
  289. /**
  290. * Check if directory of file resource is trusted.
  291. *
  292. * @param string $filepath
  293. * @return boolean true if directory is trusted
  294. * @throws SmartyException if directory is not trusted
  295. */
  296. public function isTrustedResourceDir($filepath)
  297. {
  298. $_template = false;
  299. $_config = false;
  300. $_secure = false;
  301. $_template_dir = $this->smarty->getTemplateDir();
  302. $_config_dir = $this->smarty->getConfigDir();
  303. // check if index is outdated
  304. if ((!$this->_template_dir || $this->_template_dir !== $_template_dir)
  305. || (!$this->_config_dir || $this->_config_dir !== $_config_dir)
  306. || (!empty($this->secure_dir) && (!$this->_secure_dir || $this->_secure_dir !== $this->secure_dir))
  307. ) {
  308. $this->_resource_dir = array();
  309. $_template = true;
  310. $_config = true;
  311. $_secure = !empty($this->secure_dir);
  312. }
  313. // rebuild template dir index
  314. if ($_template) {
  315. $this->_template_dir = $_template_dir;
  316. foreach ($_template_dir as $directory) {
  317. $directory = realpath($directory);
  318. $this->_resource_dir[$directory] = true;
  319. }
  320. }
  321. // rebuild config dir index
  322. if ($_config) {
  323. $this->_config_dir = $_config_dir;
  324. foreach ($_config_dir as $directory) {
  325. $directory = realpath($directory);
  326. $this->_resource_dir[$directory] = true;
  327. }
  328. }
  329. // rebuild secure dir index
  330. if ($_secure) {
  331. $this->_secure_dir = $this->secure_dir;
  332. foreach ((array) $this->secure_dir as $directory) {
  333. $directory = realpath($directory);
  334. $this->_resource_dir[$directory] = true;
  335. }
  336. }
  337. $_filepath = realpath($filepath);
  338. $directory = dirname($_filepath);
  339. $_directory = array();
  340. while (true) {
  341. // remember the directory to add it to _resource_dir in case we're successful
  342. $_directory[$directory] = true;
  343. // test if the directory is trusted
  344. if (isset($this->_resource_dir[$directory])) {
  345. // merge sub directories of current $directory into _resource_dir to speed up subsequent lookups
  346. $this->_resource_dir = array_merge($this->_resource_dir, $_directory);
  347. return true;
  348. }
  349. // abort if we've reached root
  350. if (($pos = strrpos($directory, DS)) === false || !isset($directory[1])) {
  351. break;
  352. }
  353. // bubble up one level
  354. $directory = substr($directory, 0, $pos);
  355. }
  356. // give up
  357. throw new SmartyException("directory '{$_filepath}' not allowed by security setting");
  358. }
  359. /**
  360. * Check if URI (e.g. {fetch} or {html_image}) is trusted
  361. *
  362. * To simplify things, isTrustedUri() resolves all input to "{$PROTOCOL}://{$HOSTNAME}".
  363. * So "http://username:password@hello.world.example.org:8080/some-path?some=query-string"
  364. * is reduced to "http://hello.world.example.org" prior to applying the patters from {@link $trusted_uri}.
  365. * @param string $uri
  366. * @return boolean true if URI is trusted
  367. * @throws SmartyException if URI is not trusted
  368. * @uses $trusted_uri for list of patterns to match against $uri
  369. */
  370. public function isTrustedUri($uri)
  371. {
  372. $_uri = parse_url($uri);
  373. if (!empty($_uri['scheme']) && !empty($_uri['host'])) {
  374. $_uri = $_uri['scheme'] . '://' . $_uri['host'];
  375. foreach ($this->trusted_uri as $pattern) {
  376. if (preg_match($pattern, $_uri)) {
  377. return true;
  378. }
  379. }
  380. }
  381. throw new SmartyException("URI '{$uri}' not allowed by security setting");
  382. }
  383. /**
  384. * Check if directory of file resource is trusted.
  385. *
  386. * @param string $filepath
  387. * @return boolean true if directory is trusted
  388. * @throws SmartyException if PHP directory is not trusted
  389. */
  390. public function isTrustedPHPDir($filepath)
  391. {
  392. if (empty($this->trusted_dir)) {
  393. throw new SmartyException("directory '{$filepath}' not allowed by security setting (no trusted_dir specified)");
  394. }
  395. // check if index is outdated
  396. if (!$this->_trusted_dir || $this->_trusted_dir !== $this->trusted_dir) {
  397. $this->_php_resource_dir = array();
  398. $this->_trusted_dir = $this->trusted_dir;
  399. foreach ((array) $this->trusted_dir as $directory) {
  400. $directory = realpath($directory);
  401. $this->_php_resource_dir[$directory] = true;
  402. }
  403. }
  404. $_filepath = realpath($filepath);
  405. $directory = dirname($_filepath);
  406. $_directory = array();
  407. while (true) {
  408. // remember the directory to add it to _resource_dir in case we're successful
  409. $_directory[] = $directory;
  410. // test if the directory is trusted
  411. if (isset($this->_php_resource_dir[$directory])) {
  412. // merge sub directories of current $directory into _resource_dir to speed up subsequent lookups
  413. $this->_php_resource_dir = array_merge($this->_php_resource_dir, $_directory);
  414. return true;
  415. }
  416. // abort if we've reached root
  417. if (($pos = strrpos($directory, DS)) === false || !isset($directory[2])) {
  418. break;
  419. }
  420. // bubble up one level
  421. $directory = substr($directory, 0, $pos);
  422. }
  423. throw new SmartyException("directory '{$_filepath}' not allowed by security setting");
  424. }
  425. }
  426. ?>