import v1.1.0_beta1 | 2009-08-21
@ -113,6 +113,12 @@ abstract class Zend_View_Abstract implements Zend_View_Interface
|
||||
*/
|
||||
private $_encoding = 'ISO-8859-1';
|
||||
|
||||
/**
|
||||
* Flag indicating whether or not LFI protection for rendering view scripts is enabled
|
||||
* @var bool
|
||||
*/
|
||||
private $_lfiProtectionOn = true;
|
||||
|
||||
/**
|
||||
* Plugin loaders
|
||||
* @var array
|
||||
@ -173,20 +179,32 @@ abstract class Zend_View_Abstract implements Zend_View_Interface
|
||||
|
||||
// user-defined helper path
|
||||
if (array_key_exists('helperPath', $config)) {
|
||||
$prefix = 'Zend_View_Helper';
|
||||
if (array_key_exists('helperPathPrefix', $config)) {
|
||||
$prefix = $config['helperPathPrefix'];
|
||||
if (is_array($config['helperPath'])) {
|
||||
foreach ($config['helperPath'] as $prefix => $path) {
|
||||
$this->addHelperPath($path, $prefix);
|
||||
}
|
||||
} else {
|
||||
$prefix = 'Zend_View_Helper';
|
||||
if (array_key_exists('helperPathPrefix', $config)) {
|
||||
$prefix = $config['helperPathPrefix'];
|
||||
}
|
||||
$this->addHelperPath($config['helperPath'], $prefix);
|
||||
}
|
||||
$this->addHelperPath($config['helperPath'], $prefix);
|
||||
}
|
||||
|
||||
// user-defined filter path
|
||||
if (array_key_exists('filterPath', $config)) {
|
||||
$prefix = 'Zend_View_Filter';
|
||||
if (array_key_exists('filterPathPrefix', $config)) {
|
||||
$prefix = $config['filterPathPrefix'];
|
||||
if (is_array($config['filterPath'])) {
|
||||
foreach ($config['filterPath'] as $prefix => $path) {
|
||||
$this->addFilterPath($path, $prefix);
|
||||
}
|
||||
} else {
|
||||
$prefix = 'Zend_View_Filter';
|
||||
if (array_key_exists('filterPathPrefix', $config)) {
|
||||
$prefix = $config['filterPathPrefix'];
|
||||
}
|
||||
$this->addFilterPath($config['filterPath'], $prefix);
|
||||
}
|
||||
$this->addFilterPath($config['filterPath'], $prefix);
|
||||
}
|
||||
|
||||
// user-defined filters
|
||||
@ -199,6 +217,11 @@ abstract class Zend_View_Abstract implements Zend_View_Interface
|
||||
$this->strictVars($config['strictVars']);
|
||||
}
|
||||
|
||||
// LFI protection flag
|
||||
if (array_key_exists('lfiProtectionOn', $config)) {
|
||||
$this->setLfiProtection($config['lfiProtectionOn']);
|
||||
}
|
||||
|
||||
$this->init();
|
||||
}
|
||||
|
||||
@ -684,6 +707,28 @@ abstract class Zend_View_Abstract implements Zend_View_Interface
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set LFI protection flag
|
||||
*
|
||||
* @param bool $flag
|
||||
* @return Zend_View_Abstract
|
||||
*/
|
||||
public function setLfiProtection($flag)
|
||||
{
|
||||
$this->_lfiProtectionOn = (bool) $flag;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return status of LFI protection flag
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function isLfiProtectionOn()
|
||||
{
|
||||
return $this->_lfiProtectionOn;
|
||||
}
|
||||
|
||||
/**
|
||||
* Assigns variables to the view script via differing strategies.
|
||||
*
|
||||
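Review bot: The docblock on `setLfiProtection` should state what the flag actually controls, because a caller who passes `false` silently loses the `../` and `..\` check that `_script()` applies to view script names (visible further down in this commit) before they are resolved against the configured script paths; a bare `@param bool $flag` is not enough for a setting with a security consequence. I would expand the comment to: `* Enable or disable LFI protection. When disabled, view script names containing "../" or "..\" are no longer rejected by _script(), so only turn it off if script names never derive from request data.` The `(bool) $flag` cast also deserves a one-line note: string config values such as `'false'` or `'off'` cast to true, which is the fail-safe direction but is probably not what someone writing an INI file expects, so `// note: non-empty strings such as 'false' cast to true (protection stays on)` would avoid surprises.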
@ -856,6 +901,11 @@ abstract class Zend_View_Abstract implements Zend_View_Interface
|
||||
*/
|
||||
protected function _script($name)
|
||||
{
|
||||
if ($this->isLfiProtectionOn() && preg_match('#\.\.[\\\/]#', $name)) {
|
||||
require_once 'Zend/View/Exception.php';
|
||||
throw new Zend_View_Exception('Requested scripts may not include parent directory traversal ("../", "..\\" notation)');
|
||||
}
|
||||
|
||||
if (0 == count($this->_path['script'])) {
|
||||
require_once 'Zend/View/Exception.php';
|
||||
throw new Zend_View_Exception('no view script directory set; unable to determine location for view script',
|
||||
|