<table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><th colspan="3" align="center">Smarty - the compiling PHP template engine</th></tr><tr><td width="25%" align="left" valign="bottom"><a href="advanced.features.html">Prev</a></td><td width="50%" align="center" valign="bottom">Chapter 15. Advanced Features</td><td width="25%" align="right" valign="bottom"><a href="advanced.features.changing.settings.by.tem.html">Next</a></td></tr></table>

# Security

Security is for situations where untrusted parties edit the templates, e.g. via FTP, and you want to reduce the risk of a system compromise through the template language.

The settings of the security policy are defined by properties of an instance of the Smarty_Security class. These are the possible settings:

$php_handling determines how Smarty handles PHP code embedded in templates. Possible values are:

1. Smarty::PHP_PASSTHRU -> echo PHP tags as they are
2. Smarty::PHP_QUOTE -> escape tags as entities
3. Smarty::PHP_REMOVE -> remove PHP tags
4. Smarty::PHP_ALLOW -> execute PHP tags

The default value is Smarty::PHP_PASSTHRU. If security is enabled, the policy's $php_handling applies and the $php_handling setting of the Smarty object itself is not consulted.

$secure_dir is an array of template directories that are considered secure. $template_dir is implicitly considered secure. The default is an empty array.

$trusted_dir is an array of all directories that are considered trusted. Trusted directories are where you keep PHP scripts that are executed directly from the templates with {include_php}. The default is an empty array.

$static_classes is an array of classes that are considered trusted. The default is an empty array, which allows access to all static classes. To disable access to all static classes set $static_classes = null.

$php_functions is an array of PHP functions that are considered trusted and can be called from within a template. To disable access to all PHP functions set $php_functions = null. An empty array ($php_functions = array()) allows all PHP functions. The default is array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time', 'nl2br').

$php_modifiers is an array of PHP functions that are considered trusted and can be used from within a template as modifiers. To disable access to all PHP modifiers set $php_modifiers = null. An empty array ($php_modifiers = array()) allows all PHP functions as modifiers. The default is array('escape', 'count').

$streams is an array of streams that are considered trusted and can be used from within a template. To disable access to all streams set $streams = null. An empty array ($streams = array()) allows all streams. The default is array('file').

Note the asymmetry shared by $static_classes, $php_functions, $php_modifiers and $streams: null forbids everything, while an empty array allows everything. A policy that is meant to lock one of these features down must therefore use null, never array().

$allow_constants is a boolean flag which controls whether constants can be accessed by the template. The default is "true".

$allow_super_globals is a boolean flag which controls whether the PHP super globals can be accessed by the template. The default is "true".

$allow_php_tag is a boolean flag which controls whether the {php} and {include_php} tags can be used by the template. The default is "false".

If security is enabled, the template cannot access private methods, functions or properties (names beginning with '_') of static classes or assigned objects.

To customize the security policy settings you can extend the Smarty_Security class or create an instance of it.
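The script below is an added example, not code from the Smarty manual or the Smarty project. It puts the settings described above together into one policy intended for templates edited by untrusted parties, then compiles a handful of constructed templates to show which constructs that policy rejects and which it still allows. It assumes Smarty 3.1.x installed via Composer (so `vendor/autoload.php`, `setTemplateDir()`, `setCompileDir()` and `setCacheDir()` exist); the class name `Untrusted_Editor_Policy`, the working directory under the system temp dir, the template file names and the template bodies are all made up for the demo.

```php
<?php
// Added example, not from the Smarty manual: a locked-down policy for templates
// edited by untrusted parties, plus a small harness that compiles a few
// constructed templates to show which constructs the policy rejects.
// Assumptions: Smarty 3.1.x via Composer (vendor/autoload.php); the class name,
// working directory, template names and template bodies are made up for this demo.
require 'vendor/autoload.php';

class Untrusted_Editor_Policy extends Smarty_Security
{
    // Inline PHP open/close tag blocks are stripped at compile time
    // (neither echoed nor executed).
    public $php_handling = Smarty::PHP_REMOVE;

    // null forbids every PHP function. Do NOT write array(): an empty array
    // means "allow all" in Smarty's security model.
    public $php_functions = null;

    // Only these PHP functions may be used as modifiers (null: none, array(): all).
    public $php_modifiers = array('escape', 'count');

    // null: no static class reachable from a template (array() would allow all).
    public $static_classes = null;

    // null: no stream wrapper (file://, php://, ...) usable as a template resource.
    public $streams = null;

    // Templates may read neither PHP constants nor $_SERVER, $_GET, $_ENV, etc.
    public $allow_constants = false;
    public $allow_super_globals = false;

    // {php} and {include_php} stay disabled (the default), and no directory is
    // trusted for {include_php}, so there is nowhere to load PHP code from.
    public $allow_php_tag = false;
    public $trusted_dir = array();
}

// Compile each named template under the active policy and report what happened.
// Returns name => 'compiled: <output>' or name => 'rejected: <reason>'.
function probe_policy(Smarty $smarty, array $template_names)
{
    $results = array();
    foreach ($template_names as $name) {
        try {
            $results[$name] = 'compiled: ' . $smarty->fetch($name);
        } catch (SmartyException $e) {   // SmartyCompilerException extends this
            $results[$name] = 'rejected: ' . $e->getMessage();
        }
    }
    return $results;
}

$work = sys_get_temp_dir() . '/smarty-security-demo';   // made-up location
foreach (array('/templates', '/templates_c', '/cache') as $sub) {
    if (!is_dir($work . $sub)) {
        mkdir($work . $sub, 0700, true);
    }
}

$smarty = new Smarty();
$smarty->setTemplateDir($work . '/templates');   // $template_dir is implicitly secure
$smarty->setCompileDir($work . '/templates_c');
$smarty->setCacheDir($work . '/cache');
$smarty->enableSecurity('Untrusted_Editor_Policy');

// Policy checks happen when a template is compiled, so anything compiled under
// an earlier, looser policy must be discarded before the new policy can be trusted.
$smarty->clearCompiledTemplate();
$smarty->clearAllCache();

// Constructed templates: the first is benign, each of the others probes one setting.
$templates = array(
    'ok.tpl'          => '{$items|count} item(s): {foreach $items as $i}{$i|escape} {/foreach}',
    'superglobal.tpl' => '{$smarty.server.HTTP_HOST}',   // allow_super_globals
    'constant.tpl'    => '{$smarty.const.PHP_VERSION}',  // allow_constants
    'function.tpl'    => '{phpinfo()}',                  // php_functions
    'modifier.tpl'    => '{$items.0|strtoupper}',        // php_modifiers
);
foreach ($templates as $name => $body) {
    file_put_contents($work . '/templates/' . $name, $body);
}

$smarty->assign('items', array('<b>x</b>', 'y'));
foreach (probe_policy($smarty, array_keys($templates)) as $name => $outcome) {
    printf("%-16s %s\n", $name, $outcome);
}
```

Run it with `php` from the project root: `ok.tpl` renders (with the `<b>` escaped), while the other four fail at compile time with an exception whose message names the setting that blocked them; the exact wording of those messages depends on the Smarty version. The `clearCompiledTemplate()`/`clearAllCache()` calls are there because an already-compiled template is not re-checked against a policy that was tightened after it was compiled.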
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="EXAMPLE"><tr><td> <div class="EXAMPLE"> <strong><a name="AEN4151" id="AEN4151"> </a>Example 15.1.
Setting security policy by extending the Smarty_Security class</strong> <table border="0" bgcolor="#E0E0E0" width="100%"><tr><td>&lt;?php<br/> require 'Smarty.class.php';<br/> class My_Security_Policy extends Smarty_Security {<br/> // disable all PHP functions (null forbids all; array() would allow all)<br/> public $php_functions = null;<br/> // remove inline PHP tags at compile time<br/> public $php_handling = Smarty::PHP_REMOVE;<br/> // allow every PHP function as modifier (empty array = allow all)<br/> public $php_modifiers = array();<br/> }<br/> $smarty = new Smarty;<br/> // enable security using the policy class<br/> $smarty-&gt;enableSecurity('My_Security_Policy');<br/> ?&gt;</td></tr></table><p><strong><a name="AEN4152" id="AEN4152"> </a>Example 15.2. Setting security policy by instance of the Smarty_Security class</strong></p> <table border="0" bgcolor="#E0E0E0" width="100%"><tr><td>&lt;?php<br/> require 'Smarty.class.php';<br/> $smarty = new Smarty;<br/> $my_security_policy = new Smarty_Security;<br/> // disable all PHP functions (null forbids all; array() would allow all)<br/> $my_security_policy-&gt;php_functions = null;<br/> // remove inline PHP tags at compile time<br/> $my_security_policy-&gt;php_handling = Smarty::PHP_REMOVE;<br/> // allow every PHP function as modifier (empty array = allow all)<br/> $my_security_policy-&gt;php_modifiers = array();<br/> // enable security with the policy instance<br/> $smarty-&gt;enableSecurity($my_security_policy);<br/> ?&gt;</td> </tr></table><p><strong><a name="AEN4153" id="AEN4153"> </a>Example 15.3. Enable security with the default settings</strong></p> <table border="0" bgcolor="#E0E0E0" width="100%"><tr><td>&lt;?php<br/> require 'Smarty.class.php';<br/> $smarty = new Smarty;<br/> // enable security with the default Smarty_Security settings<br/> $smarty-&gt;enableSecurity();<br/> ?&gt;</td> </tr></table><table width="80%" border="0" cellpadding="2" cellspacing="2" class="note"><caption> Note </caption> <tr><td>Most security policy settings are only checked when the template gets compiled.
For that reason you should delete all cached and compiled template files when you change your security settings.</td> </tr></table></div></td></tr></table>