Thread: SF.net SVN: postfixadmin:[760] trunk/smarty.inc.php
From: <Seb...@us...> - 2009-11-06 19:22:26
Revision: 760 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=760&view=rev Author: Sebastian2009 Date: 2009-11-06 19:22:15 +0000 (Fri, 06 Nov 2009) Log Message: ----------- - add <?php tags. Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2009-11-06 19:16:14 UTC (rev 759) +++ trunk/smarty.inc.php 2009-11-06 19:22:15 UTC (rev 760) @@ -1,4 +1,4 @@ -<? +<?php require_once ("$incpath/smarty/libs/Smarty.class.php"); $smarty = new Smarty; @@ -53,4 +53,4 @@ else {$ret_val = $aSize; } return $ret_val; } -?> \ No newline at end of file +php?> \ No newline at end of file This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
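Review bot: In the second hunk the replacement for the file's closing tag is `+php?>`, which leaves a bare `php` token in front of `?>`; PHP reads that as an undefined-constant expression statement and raises a notice, and the intended tag fix is not actually applied. Since smarty.inc.php is an include file, the cleaner change is to drop the closing tag altogether (`-?>` with no replacement line), which also removes the risk of trailing whitespace after it being sent to the client before headers. The first hunk's `<?` to `<?php` change is fine as is.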
From: <Seb...@us...> - 2009-11-07 18:42:09
Revision: 762 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=762&view=rev Author: Sebastian2009 Date: 2009-11-07 18:41:59 +0000 (Sat, 07 Nov 2009) Log Message: ----------- - fixed one more short open tag. Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2009-11-06 19:23:07 UTC (rev 761) +++ trunk/smarty.inc.php 2009-11-07 18:41:59 UTC (rev 762) @@ -33,7 +33,7 @@ if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) $smarty->assign ('motd_file', $motd_file); ?> -<? +<?php function select_options ($aValues, $aSelected) { $ret_val = ''; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
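Review bot: With the short tag replaced, the `?>` context line immediately followed by the new `<?php` line forms a tag pair that encloses nothing, so both lines could simply be deleted and the file stays in PHP mode from top to bottom. Keeping an open/close round-trip in an include file invites stray output if anything other than a single newline ever ends up between the tags; I cannot see from the hunk whether that is the case here, so treat this as a style suggestion rather than a defect.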
From: <Gin...@us...> - 2009-12-02 10:33:10
Revision: 782 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=782&view=rev Author: GingerDog Date: 2009-12-02 10:33:04 +0000 (Wed, 02 Dec 2009) Log Message: ----------- extend the Smarty class so when assigning data to it, it is automatically escaped (unless specified otherwise with a 3rd parameter (false) in the assign function call). This will probably cause some breakage esp where translations have html embedded within them - however i would rather this were the case than the application be vulnerable to XSS Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2009-12-02 10:31:30 UTC (rev 781) +++ trunk/smarty.inc.php 2009-12-02 10:33:04 UTC (rev 782) 
@@ -1,8 +1,41 @@ <?php require_once ("$incpath/smarty/libs/Smarty.class.php"); -$smarty = new Smarty; +/** + * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA + */ +class PFASmarty extends Smarty { + public function assign($key, $value, $sanitise = true) { + if($sanitise == false) { + return parent::assign($key, $value); + } + $clean = $this->sanitise($value); + /* we won't run the key through sanitise() here... some might argue we should */ + return parent::assign($key, $clean); + } + /** + * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset + * + * @param mixed $data - array or primitive type; objects not supported. + * @return mixed $data + * */ + public function sanitise($data) { + if(!is_array($data)) { + return htmlentities($data, ENT_QUOTES, 'UTF-8'); + } + if(is_array($data)) { + $clean = array(); + foreach($data as $key => $value) { + /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */ + $clean[$this->sanitise($key)] = $this->sanitise($value); + } + return $clean; + } + } +} +$smarty = new PFASmarty(); + //$smarty->debugging = true; $smarty->template_dir = $incpath.'/templates'; @@ -30,10 +63,11 @@ { $motd_file = "motd.txt"; } -if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) - $smarty->assign ('motd_file', $motd_file); +if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) { + $smarty->assign ('motd_file', $motd_file); +} -function select_options ($aValues, $aSelected) +function select_options($aValues, $aSelected) { $ret_val = ''; foreach ($aValues as $val) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
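Review bot: The escape bypass in `PFASmarty::assign()` is decided with a loose comparison, `if($sanitise == false)`, so any falsy third argument (`0`, `''`, `null`) silently disables escaping; it should be `if ($sanitise === false) {` so that only an explicit `false` opts out. In `sanitise()`, `htmlentities()` is applied to every non-array value, which (as far as I can tell) also coerces booleans and nulls to `'1'`/`''` strings before they reach the template, so boolean flags assigned through this path change type — worth either documenting in the method's docblock or returning non-string scalars untouched with an `is_string()` check. The docblock's claim that this "assumes we only ever output to HTML" is the right caveat: values that templates place into URLs or inline JavaScript still need context-specific escaping, and the note should say so explicitly.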
From: <Gin...@us...> - 2011-02-07 23:29:19
Revision: 949 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=949&view=rev Author: GingerDog Date: 2011-02-07 23:29:13 +0000 (Mon, 07 Feb 2011) Log Message: ----------- remove strict standards issue with redefinition of smarty::assign() with different parameters than parent class; ideally I should not put the __get/__set/__call methods in here as living without them would reduce our dependency on smarty, but meh (PFASmarty should stil appear and BEHAVE like a Smarty object, it just technically is not one - it is just using one Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-02-07 23:27:19 UTC (rev 948) +++ trunk/smarty.inc.php 2011-02-07 23:29:13 UTC (rev 949) @@ -4,16 +4,33 @@ /** * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA */ -class PFASmarty extends Smarty { +class PFASmarty { + protected $template = null; + public function __construct() { + $this->template = new Smarty(); + } + public function assign($key, $value, $sanitise = true) { if($sanitise == false) { - return parent::assign($key, $value); + return $this->template->assign($key, $value); } $clean = $this->sanitise($value); /* we won't run the key through sanitise() here... some might argue we should */ - return parent::assign($key, $clean); + return $this->template->assign($key, $clean); } + public function __set($key, $value) { + $this->template->$key = $value; + } + public function __get($key) { + return $this->template->$key; + } + public function __call($method, $params) { + return call_user_func_array($this->template->$method, $params); + } + public function display($template) { + $this->template->display($template); + } /** * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset * 
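Review bot: The new `__call()` forwarder reads `$this->template->$method`, which is a property lookup on the wrapped Smarty object rather than a method reference, so any undeclared method call on `PFASmarty` will hand `call_user_func_array()` a null/undefined property instead of invoking the Smarty method. The forwarding line should be `return call_user_func_array(array($this->template, $method), $params);`. The `__get`/`__set` pass-throughs also mean the wrapper exposes every Smarty property after all, which somewhat undercuts the stated goal of PFASmarty being a distinct, narrow interface; the commit message already acknowledges this.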
@@ -39,7 +56,18 @@ //$smarty->debugging = true; $smarty->template_dir = $incpath.'/templates'; -$smarty->compile_dir = $incpath.'/templates_c'; +if(is_writeable('/tmp')) { + if(!is_dir('/tmp/postfixadmin_templates_c')) { + mkdir('/tmp/postfixadmin_templates_c'); + } +} +if(is_writeable('/tmp/postfixadmin_templates_c')) { + $smarty->compile_dir = '/tmp/postfixadmin_templates_c'; +} +else { + $smarty->compile_dir = $incpath.'/templates_c'; +} + $smarty->config_dir = $incpath.'/'.$smarty->config_dir; $CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_css']); @@ -47,7 +75,7 @@ $smarty->assign ('CONF', $CONF); $smarty->assign ('PALANG', $PALANG); - +$smarty->assign('url_domain', ''); //*** footer.tpl $smarty->assign ('version', $version); @@ -63,6 +91,7 @@ { $motd_file = "motd.txt"; } +$smarty->assign('motd_file', ''); if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) { $smarty->assign ('motd_file', $motd_file); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
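Review bot: The first hunk on this line moves the Smarty compile directory to `/tmp/postfixadmin_templates_c` when `/tmp` is writeable; compiled templates are PHP files that Smarty later includes, so whoever controls that directory effectively controls code executed as the web server user. Because `/tmp` is shared between local accounts, the `is_dir()` check accepts a pre-existing directory (or symlink) created by anyone, `mkdir()` is called without an explicit mode and its return value is not checked, and the `is_dir()`/`mkdir()` sequence is not atomic. A safer shape is to keep `compile_dir` under the install root and fail loudly when it is not writeable, or, if a temporary location is really needed, create it with a restrictive mode and verify its owner with `fileowner()` before use, rather than silently falling back. The later `motd_file`/`url_domain` default assignments in the other hunks look fine.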
From: <chr...@us...> - 2011-02-13 22:15:28
Revision: 957 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=957&view=rev Author: christian_boltz Date: 2011-02-13 22:15:22 +0000 (Sun, 13 Feb 2011) Log Message: ----------- smarty.inc.php: interface cleanup etc. - move initialisation of $smarty->template_dir, compile_dir and config_dir into __construct() of PFASmarty class - remove usage of /tmp/postfixadmin_templates_c/ to avoid security risks (symlink attacks etc.) - remove __set, __get and __call from PFASmarty class to ensure we have a clearly documented interface to the template layer - whitespace changes (mostly in select_options()) - added vim: line See also the discussion about the r949 commit in postfixadmin-devel for details. Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-02-13 17:10:51 UTC (rev 956) +++ trunk/smarty.inc.php 2011-02-13 22:15:22 UTC (rev 957) @@ -8,6 +8,12 @@ protected $template = null; public function __construct() { $this->template = new Smarty(); + + //$smarty->debugging = true; + $incpath = dirname(__FILE__); + $smarty->template_dir = $incpath.'/templates'; + $smarty->compile_dir = $incpath.'/templates_c'; + $smarty->config_dir = $incpath.'/'.$smarty->config_dir; } public function assign($key, $value, $sanitise = true) { @@ -19,15 +25,6 @@ return $this->template->assign($key, $clean); } - public function __set($key, $value) { - $this->template->$key = $value; - } - public function __get($key) { - return $this->template->$key; - } - public function __call($method, $params) { - return call_user_func_array($this->template->$method, $params); - } public function display($template) { $this->template->display($template); } 
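Review bot: The lines added to `__construct()` in the first hunk configure `$smarty->template_dir`, `$smarty->compile_dir` and `$smarty->config_dir`, but inside the method there is no `$smarty` local: the wrapped engine is `$this->template`, so these assignments either warn and populate an implicit stdClass or fail outright depending on the PHP version, and the real Smarty instance keeps its built-in default paths. Each should read `$this->template->template_dir = $incpath.'/templates';` (and likewise for `compile_dir` and `config_dir`), with the commented debugging line adjusted to match. `__construct()` and the class body continue outside this hunk.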
@@ -53,26 +50,9 @@ } $smarty = new PFASmarty(); -//$smarty->debugging = true; +$CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_css']); +$CONF['theme_logo'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_logo']); -$smarty->template_dir = $incpath.'/templates'; -if(is_writeable('/tmp')) { - if(!is_dir('/tmp/postfixadmin_templates_c')) { - mkdir('/tmp/postfixadmin_templates_c'); - } -} -if(is_writeable('/tmp/postfixadmin_templates_c')) { - $smarty->compile_dir = '/tmp/postfixadmin_templates_c'; -} -else { - $smarty->compile_dir = $incpath.'/templates_c'; -} - -$smarty->config_dir = $incpath.'/'.$smarty->config_dir; - -$CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_css']); -$CONF['theme_logo'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_logo']); - $smarty->assign ('CONF', $CONF); $smarty->assign ('PALANG', $PALANG); $smarty->assign('url_domain', ''); @@ -85,11 +65,11 @@ if (authentication_has_role('global-admin')) { - $motd_file = "motd-admin.txt"; + $motd_file = "motd-admin.txt"; } else { - $motd_file = "motd.txt"; + $motd_file = "motd.txt"; } $smarty->assign('motd_file', ''); if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) { @@ -98,15 +78,15 @@ function select_options($aValues, $aSelected) { - $ret_val = ''; - foreach ($aValues as $val) - { - $ret_val .= '<option value="'.$val.'"'; - if (in_array ($val, $aSelected)) - $ret_val .= ' selected="selected"'; - $ret_val .= '>'.$val.'</option>'; - } - return $ret_val; + $ret_val = ''; + foreach ($aValues as $val) + { + $ret_val .= '<option value="'.$val.'"'; + if (in_array ($val, $aSelected)) + $ret_val .= ' selected="selected"'; + $ret_val .= '>'.$val.'</option>'; + } + return $ret_val; } function eval_size ($aSize) { 
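Review bot: The re-added lines `$CONF['theme_css'] = ... htmlentities($CONF['theme_css'])` and the matching `theme_logo` line are followed by the context line `$smarty->assign ('CONF', $CONF);`, and `PFASmarty::assign()` escapes every value again by default (see the `sanitise()` definition earlier in this thread), so these two settings are HTML-encoded twice; a theme path containing `&` or `'` would reach the page as `&amp;amp;` / `&amp;#039;`. Since the wrapper already escapes on assign, the explicit `htmlentities()` calls here can be dropped, leaving `$CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.$CONF['theme_css'];` (same for `theme_logo`). The remaining hunks on this line are whitespace only.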
@@ -115,4 +95,5 @@ else {$ret_val = $aSize; } return $ret_val; } +/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */ ?> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <gin...@us...> - 2016-12-21 21:26:04
Revision: 1886 http://sourceforge.net/p/postfixadmin/code/1886 Author: gingerdog Date: 2016-12-21 21:26:02 +0000 (Wed, 21 Dec 2016) Log Message: ----------- check whether we can use templates_c (this seems a better idea than falling back to using something in /tmp) Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2016-12-21 21:20:21 UTC (rev 1885) +++ trunk/smarty.inc.php 2016-12-21 21:26:02 UTC (rev 1886) @@ -14,7 +14,13 @@ //$this->template->debugging = true; $incpath = dirname(__FILE__); $this->template->setTemplateDir(dirname(__FILE__) . '/templates'); - $this->template->setCompileDir(dirname(__FILE__) . '/templates_c'); + + // if it's not present or writeable, smarty should just not cache. + $templates_c = dirname(__FILE__) . '/templates_c'; + if(is_dir($templates_c) && is_writeable($templates_c)) { + $this->template->setCompileDir($templates_c); + } + $this->template->setConfigDir(dirname(__FILE__) . '/configs'); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
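Review bot: The new comment `// if it's not present or writeable, smarty should just not cache.` does not match how I understand Smarty 3 to behave: it always writes compiled templates, and when `setCompileDir()` is never called it falls back to its built-in default (a `templates_c` directory relative to the working directory), so an absent or unwritable `templates_c` turns into a runtime error at the first render rather than a cache-less mode — please verify against the bundled Smarty version. Either way, silently skipping the call hides a deployment error; I would replace the comment and add an explicit failure, e.g. `trigger_error("templates_c is missing or not writeable: $templates_c", E_USER_ERROR);` in an `else` branch, so the administrator sees the real cause. `__construct()` continues outside this hunk.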
From: <chr...@us...> - 2011-02-14 18:32:42
Revision: 964 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=964&view=rev Author: christian_boltz Date: 2011-02-14 18:32:36 +0000 (Mon, 14 Feb 2011) Log Message: ----------- smarty.inc.php: - use correct variable name instead of $smarty in __construct() - everything else in this commit: whitespace changes Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-02-14 18:30:13 UTC (rev 963) +++ trunk/smarty.inc.php 2011-02-14 18:32:36 UTC (rev 964) @@ -9,11 +9,11 @@ public function __construct() { $this->template = new Smarty(); - //$smarty->debugging = true; + //$this->template->debugging = true; $incpath = dirname(__FILE__); - $smarty->template_dir = $incpath.'/templates'; - $smarty->compile_dir = $incpath.'/templates_c'; - $smarty->config_dir = $incpath.'/'.$smarty->config_dir; + $this->template->template_dir = $incpath.'/templates'; + $this->template->compile_dir = $incpath.'/templates_c'; + $this->template->config_dir = $incpath.'/'.$this->template->config_dir; } public function assign($key, $value, $sanitise = true) { @@ -63,12 +63,9 @@ $smarty->assign ('boolconf_alias_domain', boolconf('alias_domain')); $smarty->assign ('authentication_has_role', array ('global_admin' => authentication_has_role ('global-admin'), 'admin' => authentication_has_role ('admin'), 'user' => authentication_has_role ('user'))); -if (authentication_has_role('global-admin')) -{ +if (authentication_has_role('global-admin')) { $motd_file = "motd-admin.txt"; -} -else -{ +} else { $motd_file = "motd.txt"; } $smarty->assign('motd_file', ''); 
@@ -76,11 +73,9 @@ $smarty->assign ('motd_file', $motd_file); } -function select_options($aValues, $aSelected) -{ +function select_options($aValues, $aSelected) { $ret_val = ''; - foreach ($aValues as $val) - { + foreach ($aValues as $val) { $ret_val .= '<option value="'.$val.'"'; if (in_array ($val, $aSelected)) $ret_val .= ' selected="selected"'; @@ -88,8 +83,7 @@ } return $ret_val; } -function eval_size ($aSize) -{ +function eval_size ($aSize) { if ($aSize == 0) {$ret_val = $GLOBALS ['PALANG']['pOverview_unlimited']; } elseif ($aSize < 0) {$ret_val = $GLOBALS ['PALANG']['pOverview_disabled']; } else {$ret_val = $aSize; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <chr...@us...> - 2011-04-19 22:38:31
Revision: 1048 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1048&view=rev Author: christian_boltz Date: 2011-04-19 22:38:24 +0000 (Tue, 19 Apr 2011) Log Message: ----------- smarty.inc.php: - cleanup flash messages after displaying them This fixes https://sourceforge.net/tracker/?func=detail&aid=3232174&group_id=191583&atid=937964 reported by john doe (johndoe64@SF) Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-04-19 22:08:20 UTC (rev 1047) +++ trunk/smarty.inc.php 2011-04-19 22:38:24 UTC (rev 1048) @@ -28,6 +28,7 @@ public function display($template) { $this->template->display($template); + unset($_SESSION['flash']); # cleanup flash messages } /** * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
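Review bot: `display()` now mutates session state (`unset($_SESSION['flash'])`) as a side effect of rendering, and nothing in the method's signature or the class docblock says so; a caller that renders twice in one request, or one that expects flash messages to survive a redirect after display, will be surprised. I would add a docblock above the method: `/** Render $template, then discard $_SESSION['flash'] so flash messages are shown exactly once. */`. Note that because the unset happens after rendering, a fatal error inside `display()` leaves the messages in the session for the next request, which is probably the desired behaviour but worth stating in that comment.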
From: <chr...@us...> - 2011-07-19 22:22:29
Revision: 1097 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1097&view=rev Author: christian_boltz Date: 2011-07-19 22:22:23 +0000 (Tue, 19 Jul 2011) Log Message: ----------- smarty.inc.php: - prefix $CONF['theme_custom_css'] with $CONF['postfix_admin_url'] - difference to Dale's patch: only do this if $CONF[theme_custom_css] is not empty This commit is part of the huge cleanup patch by Dale Blount (lnxus@SF), https://sourceforge.net/tracker/?func=detail&atid=937966&aid=3370510&group_id=191583 Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-07-19 22:17:40 UTC (rev 1096) +++ trunk/smarty.inc.php 2011-07-19 22:22:23 UTC (rev 1097) @@ -53,6 +53,7 @@ $smarty = new PFASmarty(); $CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_css']); +if ($CONF['theme_custom_css'] != "") $CONF['theme_custom_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_custom_css']); $CONF['theme_logo'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_logo']); $smarty->assign ('CONF', $CONF); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
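Review bot: The added guard `if ($CONF['theme_custom_css'] != "")` reads the key unconditionally, so on an installation whose `config.inc.php` predates this setting it raises an undefined-index notice before the comparison runs, and the loose `!=` treats `null` the same as an empty string only by accident. A more robust form is `if (isset($CONF['theme_custom_css']) && $CONF['theme_custom_css'] !== '') {` with the assignment in braces. As with `theme_css` on the surrounding lines, the value is passed through `htmlentities()` here and then escaped again by `PFASmarty::assign()` on the `$smarty->assign ('CONF', $CONF);` line, so `&` in the path would render double-encoded.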
From: <chr...@us...> - 2011-09-24 16:35:48
Revision: 1189 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1189&view=rev Author: christian_boltz Date: 2011-09-24 16:35:42 +0000 (Sat, 24 Sep 2011) Log Message: ----------- smarty.inc.php - select_options(): - escape $val with htmlentities() (function result will/must be used unescaped later) Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-09-24 11:49:14 UTC (rev 1188) +++ trunk/smarty.inc.php 2011-09-24 16:35:42 UTC (rev 1189) @@ -69,10 +69,10 @@ function select_options($aValues, $aSelected) { $ret_val = ''; foreach ($aValues as $val) { - $ret_val .= '<option value="'.$val.'"'; + $ret_val .= '<option value="'.htmlentities($val).'"'; if (in_array ($val, $aSelected)) $ret_val .= ' selected="selected"'; - $ret_val .= '>'.$val.'</option>'; + $ret_val .= '>'.htmlentities($val).'</option>'; } return $ret_val; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
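Review bot: The two new `htmlentities($val)` calls omit the flags and charset, whereas `PFASmarty::sanitise()` earlier in this file uses `ENT_QUOTES, 'UTF-8'`; on PHP versions where the default charset is ISO-8859-1 a multibyte value can be mangled or, on newer versions, replaced by an empty string, so for consistency they should be `htmlentities($val, ENT_QUOTES, 'UTF-8')`. The `in_array ($val, $aSelected)` comparison on the next line is loose, which makes `0` match non-numeric strings in older PHP; `in_array($val, $aSelected, true)` avoids that. The commit message's note that the result "must be used unescaped later" belongs in a docblock on `select_options()` so callers know to pass `false` as the third argument to `assign()`.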
From: <chr...@us...> - 2011-11-27 23:20:16
Revision: 1289 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1289&view=rev Author: christian_boltz Date: 2011-11-27 23:20:10 +0000 (Sun, 27 Nov 2011) Log Message: ----------- smarty.inc.php: some fixes after the Smarty upgrade: - use SmartyBC (Backwards Compatible) instead of Smarty class to keep {php} in templates working (do we really need this?) - remove obsolete allow_php_tag - config_dir default value is now an array Modified Paths: -------------- trunk/smarty.inc.php Modified: trunk/smarty.inc.php =================================================================== --- trunk/smarty.inc.php 2011-11-27 23:12:52 UTC (rev 1288) +++ trunk/smarty.inc.php 2011-11-27 23:20:10 UTC (rev 1289) @@ -1,5 +1,7 @@ <?php -require_once ("$incpath/smarty/libs/Smarty.class.php"); +#require_once ("$incpath/smarty/libs/Smarty.class.php"); +# We have to use the SmartyBC ("Backwards Compatible") class because some templates use {php}. (TODO: do we really need {php}?) +require_once ("$incpath/smarty/libs/SmartyBC.class.php"); /** * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA @@ -7,14 +9,13 @@ class PFASmarty { protected $template = null; public function __construct() { - $this->template = new Smarty(); + $this->template = new SmartyBC(); //$this->template->debugging = true; $incpath = dirname(__FILE__); $this->template->template_dir = $incpath.'/templates'; $this->template->compile_dir = $incpath.'/templates_c'; - $this->template->config_dir = $incpath.'/'.$this->template->config_dir; - $this->template->allow_php_tag = true; + $this->template->config_dir = $incpath.'/'.$this->template->config_dir[0]; } public function assign($key, $value, $sanitise = true) { This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
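Review bot: Switching to `SmartyBC` re-enables `{php}` blocks, which makes every template file a place where arbitrary PHP runs with the web server's privileges, so the new comment's `(TODO: do we really need {php}?)` is a security question rather than a tidy-up item and deserves a tracked answer. The defensive path is to inventory the templates that use `{php}`, move that logic into assigned variables or registered plugins, and return to the plain `Smarty` class, which rejects `{php}` at compile time. The replacement `config_dir` line indexes `$this->template->config_dir[0]`, which assumes the Smarty default is a non-empty array; a short comment stating that assumption would help the next person upgrading Smarty. `__construct()` continues outside this hunk.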