Allow plugins to use fetch() call without the need to do any weird security_settings[INCLUDE_ALL] redirections

2011-12-22 12:16:34 +01:00
parent 2f8601ee06
commit 933c63c904
2 changed files with 23 additions and 3 deletions
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,7 +3,17 @@
 Version 1.7 ()
 ------------------------------------------------------------------------

-    * Patch by Markus Brükner: Properly handle files that have no
+   * Allow Smarty to fetch .tpl files from all directories so that
+     s9y plugin can use the fetch() call for their .tpl files no
+     matter which (symlinked) directory the plugin resides in.
+     The Smarty security policy to us only serves as a restriction
+     within .tpl files to not allow arbitrary PHP modifier/function calls.
+     If in the future Smarty supports enforcing trustedDir checks on
+     {include} calls seperately to smarty->fetch() calls, we'll also
+     add that to .tpl files.
+     (garvinhicking)
+     
+   * Patch by Markus Brükner: Properly handle files that have no
      extension in media database

    * Made Spartacus recognize github.com mirror (garvinhicking)
--- a/include/serendipity_smarty_class.inc.php
+++ b/include/serendipity_smarty_class.inc.php
@@ -35,6 +35,16 @@ class Serendipity_Smarty_Security_Policy extends Smarty_Security
    // to test this - overwrites Serendipity_Smarty::default_modifiers and Serendipity_Smarty_Security_Policy::php_modifiers - modifier 'escape' not allowed by security setting
    #public $allowed_modifiers = array('escape:"htmlall"');
    
+    // This allows the fetch() and include calls to pull .tpl files from any directory,
+    // so that symlinked plugin directories outside the s9y path can be included properly.
+    // TODO / FUTURE: If Smarty will implement a seperation option to dissect fetch() from
+    // {include} calls, we should only apply this workaround to fetch() calls.
+    // Redirecting fetch() as our custom function is too risky and has too high a performance
+    // impact.
+    public function isTrustedResourceDir($path) {
+        return true;
+    }
+    
    static public function test() 
      { 
        var_dump(get_called_class());
@@ -51,9 +61,9 @@ class Serendipity_Smarty extends Smarty
    public function __set($name, $value) {
        if ($name == 'security') {
            if ($value) {
-                $this->enableSecurity('Serendipity_Smarty_Security_Policy');
+                 $this->enableSecurity('Serendipity_Smarty_Security_Policy');
            } else {
-                $this->disableSecurity();
+                 $this->disableSecurity();
            }    
        } else {
            parent::__set($name, $value);