Dwoo - Unit Tests Report
Current file: /dwoo/lib/Dwoo/Security/Policy.php

  Coverage
  Classes Functions / Methods Lines
Total
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 10 / 10
100.00%100.00%
100.00% 28 / 28
 
Dwoo_Security_Policy
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 10 / 10
100.00%100.00%
100.00% 28 / 28
 public function allowPhpFunction($func)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 5 / 5
 public function disallowPhpFunction($func)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 5 / 5
 public function getAllowedPhpFunctions()
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 1 / 1
 public function allowDirectory($path)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 5 / 5
 public function disallowDirectory($path)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 5 / 5
 public function getAllowedDirectories()
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 1 / 1
 public function setPhpHandling($level = 2)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 2 / 2
 public function getPhpHandling()
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 1 / 1
 public function setConstantHandling($level = false)
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 2 / 2
 public function getConstantHandling()
100.00%100.00%
100.00% 1 / 1
100.00%100.00%
100.00% 1 / 1



       1                 : <?php                                                                                                         
       2                 :                                                                                                               
       3                 : /**                                                                                                           
       4                 :  * represents the security settings of a dwoo instance, it can be passed around to different dwoo instances   
       5                 :  *                                                                                                            
       6                 :  * This software is provided 'as-is', without any express or implied warranty.                                
       7                 :  * In no event will the authors be held liable for any damages arising from the use of this software.         
       8                 :  *                                                                                                            
       9                 :  * @author     Jordi Boggiano <j.boggiano@seld.be>                                                            
      10                 :  * @copyright  Copyright (c) 2008, Jordi Boggiano                                                             
      11                 :  * @license    http://dwoo.org/LICENSE   Modified BSD License                                                 
      12                 :  * @link       http://dwoo.org/                                                                               
      13                 :  * @version    1.0.0                                                                                          
      14                 :  * @date       2008-10-23                                                                                     
      15                 :  * @package    Dwoo                                                                                           
      16                 :  */                                                                                                           
      17                 : class Dwoo_Security_Policy                                                                                    
      18                 : {                                                                                                             
      19                 :     /**#@+                                                                                                    
      20                 :      * php handling constants, defaults to PHP_REMOVE                                                         
      21                 :      *                                                                                                        
      22                 :      * PHP_REMOVE : remove all <?php ?> (+ short tags if your short tags option is on) from the input template
      23                 :      * PHP_ALLOW : leave them as they are                                                                     
      24                 :      * PHP_ENCODE : run htmlentities over them                                                                
      25                 :      *                                                                                                        
      26                 :      * @var int                                                                                               
      27                 :      */                                                                                                       
      28                 :     const PHP_ENCODE = 1;                                                                                     
      29                 :     const PHP_REMOVE = 2;                                                                                     
      30                 :     const PHP_ALLOW = 3;                                                                                      
      31                 :     /**#@-*/                                                                                                  
      32                 :                                                                                                               
      33                 :     /**#@+                                                                                                    
      34                 :      * constant handling constants, defaults to CONST_DISALLOW                                                
      35                 :      *                                                                                                        
      36                 :      * CONST_DISALLOW : throw an error if {$dwoo.const.*} is used in the template                             
      37                 :      * CONST_ALLOW : allow {$dwoo.const.*} calls                                                              
      38                 :      */                                                                                                       
      39                 :     const CONST_DISALLOW = false;                                                                             
      40                 :     const CONST_ALLOW = true;                                                                                 
      41                 :     /**#@-*/                                                                                                  
      42                 :                                                                                                               
      43                 :     /**                                                                                                       
      44                 :      * php functions that are allowed to be used within the template                                          
      45                 :      *                                                                                                        
      46                 :      * @var array                                                                                             
      47                 :      */                                                                                                       
      48                 :     protected $allowedPhpFunctions = array                                                                    
      49                 :     (                                                                                                         
      50                 :         'str_repeat', 'number_format', 'htmlentities', 'htmlspecialchars',                                    
      51                 :         'long2ip', 'strlen', 'list', 'empty', 'count', 'sizeof', 'in_array', 'is_array',                      
      52                 :     );                                                                                                        
      53                 :                                                                                                               
      54                 :     /**                                                                                                       
      55                 :      * paths that are safe to use with include or other file-access plugins                                   
      56                 :      *                                                                                                        
      57                 :      * @var array                                                                                             
      58                 :      */                                                                                                       
      59                 :     protected $allowedDirectories = array();                                                                  
      60                 :                                                                                                               
      61                 :     /**                                                                                                       
      62                 :      * stores the php handling level                                                                          
      63                 :      *                                                                                                        
      64                 :      * defaults to Dwoo_Security_Policy::PHP_REMOVE                                                           
      65                 :      *                                                                                                        
      66                 :      * @var int                                                                                               
      67                 :      */                                                                                                       
      68                 :     protected $phpHandling = self::PHP_REMOVE;                                                                
      69                 :                                                                                                               
      70                 :     /**                                                                                                       
      71                 :      * stores the constant handling level                                                                     
      72                 :      *                                                                                                        
      73                 :      * defaults to Dwoo_Security_Policy::CONST_DISALLOW                                                       
      74                 :      *                                                                                                        
      75                 :      * @var bool                                                                                              
      76                 :      */                                                                                                       
      77                 :     protected $constHandling = self::CONST_DISALLOW;                                                          
      78                 :                                                                                                               
      79                 :     /**                                                                                                       
      80                 :      * adds a php function to the allowed list                                                                
      81                 :      *                                                                                                        
      82                 :      * @param mixed $func function name or array of function names                                            
      83                 :      */                                                                                                       
      84                 :     public function allowPhpFunction($func)                                                                   
      85                 :     {                                                                                                         
      86               2 :         if (is_array($func))                                                                                  
      87               2 :             foreach ($func as $fname)                                                                         
      88               1 :                 $this->allowedPhpFunctions[strtolower($fname)] = true;                                        
      89                 :         else                                                                                                  
      90               2 :             $this->allowedPhpFunctions[strtolower($func)] = true;                                             
      91               2 :     }                                                                                                         
      92                 :                                                                                                               
      93                 :     /**                                                                                                       
      94                 :      * removes a php function from the allowed list                                                           
      95                 :      *                                                                                                        
      96                 :      * @param mixed $func function name or array of function names                                            
      97                 :      */                                                                                                       
      98                 :     public function disallowPhpFunction($func)                                                                
      99                 :     {                                                                                                         
     100               1 :         if (is_array($func))                                                                                  
     101               1 :             foreach ($func as $fname)                                                                         
     102               1 :                 unset($this->allowedPhpFunctions[strtolower($fname)]);                                        
     103                 :         else                                                                                                  
     104               1 :             unset($this->allowedPhpFunctions[strtolower($func)]);                                             
     105               1 :     }                                                                                                         
     106                 :                                                                                                               
     107                 :     /**                                                                                                       
     108                 :      * returns the list of php functions allowed to run, note that the function names                         
     109                 :      * are stored in the array keys and not values                                                            
     110                 :      *                                                                                                        
     111                 :      * @return array                                                                                          
     112                 :      */                                                                                                       
     113                 :     public function getAllowedPhpFunctions()                                                                  
     114                 :     {                                                                                                         
     115               4 :         return $this->allowedPhpFunctions;                                                                    
     116                 :     }                                                                                                         
     117                 :                                                                                                               
     118                 :     /**                                                                                                       
     119                 :      * adds a directory to the safelist for includes and other file-access plugins                            
     120                 :      *                                                                                                        
     121                 :      * note that all the includePath directories you provide to the Dwoo_Template_File class                  
     122                 :      * are automatically marked as safe                                                                       
     123                 :      *                                                                                                        
     124                 :      * @param mixed $path a path name or an array of paths                                                    
     125                 :      */                                                                                                       
     126                 :     public function allowDirectory($path)                                                                     
     127                 :     {                                                                                                         
     128               1 :         if (is_array($path))                                                                                  
     129               1 :             foreach ($path as $dir)                                                                           
     130               1 :                 $this->allowedDirectories[realpath($dir)] = true;                                             
     131                 :         else                                                                                                  
     132               1 :             $this->allowedDirectories[realpath($path)] = true;                                                
     133               1 :     }                                                                                                         
     134                 :                                                                                                               
     135                 :     /**                                                                                                       
     136                 :      * removes a directory from the safelist                                                                  
     137                 :      *                                                                                                        
     138                 :      * @param mixed $path a path name or an array of paths                                                    
     139                 :      */                                                                                                       
     140                 :     public function disallowDirectory($path)                                                                  
     141                 :     {                                                                                                         
     142               1 :         if (is_array($path))                                                                                  
     143               1 :             foreach ($path as $dir)                                                                           
     144               1 :                 unset($this->allowedDirectories[realpath($dir)]);                                             
     145                 :         else                                                                                                  
     146               1 :             unset($this->allowedDirectories[realpath($path)]);                                                
     147               1 :     }                                                                                                         
     148                 :                                                                                                               
     149                 :     /**                                                                                                       
     150                 :      * returns the list of safe paths, note that the paths are stored in the array                            
     151                 :      * keys and not values                                                                                    
     152                 :      *                                                                                                        
     153                 :      * @return array                                                                                          
     154                 :      */                                                                                                       
     155                 :     public function getAllowedDirectories()                                                                   
     156                 :     {                                                                                                         
     157               1 :         return $this->allowedDirectories;                                                                     
     158                 :     }                                                                                                         
     159                 :                                                                                                               
     160                 :     /**                                                                                                       
     161                 :      * sets the php handling level, defaults to REMOVE                                                        
     162                 :      *                                                                                                        
     163                 :      * @param int $level one of the Dwoo_Security_Policy::PHP_* constants                                     
     164                 :      */                                                                                                       
     165                 :     public function setPhpHandling($level = self::PHP_REMOVE)                                                 
     166                 :     {                                                                                                         
     167               1 :         $this->phpHandling = $level;                                                                          
     168               1 :     }                                                                                                         
     169                 :                                                                                                               
     170                 :     /**                                                                                                       
     171                 :      * returns the php handling level                                                                         
     172                 :      *                                                                                                        
     173                 :      * @return int the current level, one of the Dwoo_Security_Policy::PHP_* constants                        
     174                 :      */                                                                                                       
     175                 :     public function getPhpHandling()                                                                          
     176                 :     {                                                                                                         
     177               3 :         return $this->phpHandling;                                                                            
     178                 :     }                                                                                                         
     179                 :                                                                                                               
     180                 :     /**                                                                                                       
     181                 :      * sets the constant handling level, defaults to CONST_DISALLOW                                           
     182                 :      *                                                                                                        
     183                 :      * @param bool $level one of the Dwoo_Security_Policy::CONST_* constants                                  
     184                 :      */                                                                                                       
     185                 :     public function setConstantHandling($level = self::CONST_DISALLOW)                                        
     186                 :     {                                                                                                         
     187               2 :         $this->constHandling = $level;                                                                        
     188               2 :     }                                                                                                         
     189                 :                                                                                                               
     190                 :     /**                                                                                                       
     191                 :      * returns the constant handling level                                                                    
     192                 :      *                                                                                                        
     193                 :      * @return bool the current level, one of the Dwoo_Security_Policy::CONST_* constants                     
     194                 :      */                                                                                                       
     195                 :     public function getConstantHandling()                                                                     
     196                 :     {                                                                                                         
     197               2 :         return $this->constHandling;                                                                          
     198                 :     }                                                                                                         
     199                 : }                                                                                                             


Generated by PHPUnit @package_version@ and Xdebug 2.1.0beta2-dev using PHP 5.3.0 at Sun Feb 7 16:30:52 UTC 2010.