Smarty - the compiling PHP template engine
Chapter 15. Advanced Features

# Security
Security is useful in situations where untrusted parties edit the templates, e.g. via FTP, and you want to reduce the risk of system security compromises through the template language.
The settings of the security policy are defined by properties of an instance of the Smarty_Security class. These are the possible settings:
$php_handling determines how Smarty handles PHP code embedded in templates. Possible values are:
1. Smarty::PHP_PASSTHRU -> echo PHP tags as they are
2. Smarty::PHP_QUOTE -> escape tags as entities
3. Smarty::PHP_REMOVE -> remove PHP tags
4. Smarty::PHP_ALLOW -> execute PHP tags
The default value is Smarty::PHP_PASSTHRU.
If security is enabled, the $php_handling setting of the Smarty object itself is no longer consulted; the security policy's $php_handling applies.
$secure_dir is an array of template directories that are considered secure. $template_dir is implicitly considered secure. The default is an empty array.
$trusted_dir is an array of all directories that are considered trusted. Trusted directories are where you keep PHP scripts that are executed directly from the templates with {include_php}. The default is an empty array.
$static_classes is an array of classes that are considered trusted. The default is an empty array, which allows access to all static classes. To disable access to all static classes set $static_classes = null.
$php_functions is an array of PHP functions that are considered trusted and can be used from within templates. To disable access to all PHP functions set $php_functions = null. An empty array ( $php_functions = array() ) will allow all PHP functions. The default is array('isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time', 'nl2br').
$php_modifiers is an array of PHP functions that are considered trusted and can be used from within templates as modifiers. To disable access to all PHP modifiers set $php_modifiers = null. An empty array ( $php_modifiers = array() ) will allow all PHP functions as modifiers. The default is array('escape', 'count').
$streams is an array of streams that are considered trusted and can be used from within templates. To disable access to all streams set $streams = null. An empty array ( $streams = array() ) will allow all streams. The default is array('file').
$allow_constants is a boolean flag which controls whether constants can be accessed by the template. The default is "true".
$allow_super_globals is a boolean flag which controls whether the PHP super globals can be accessed by the template. The default is "true".
$allow_php_tag is a boolean flag which controls whether the {php} and {include_php} tags can be used by the template. The default is "false".
If security is enabled, the template cannot access private methods, functions or properties (those whose names begin with '_') of static classes or assigned objects.
To customize the security policy settings you can extend the Smarty_Security class or create an instance of it.
**Example 15.1. Setting security policy by extending the Smarty_Security class**

```php
<?php
require 'Smarty.class.php';
class My_Security_Policy extends Smarty_Security {
    // disable all PHP functions
    public $php_functions = null;
    // remove PHP tags
    public $php_handling = Smarty::PHP_REMOVE;
    // allow everything as modifier (empty array = all PHP functions allowed as modifiers)
    public $php_modifiers = array();
}
$smarty = new Smarty;
// enable security
$smarty->enableSecurity('My_Security_Policy');
?>
```

**Example 15.2. Setting security policy by instance of the Smarty_Security class**

```php
<?php
require 'Smarty.class.php';
$smarty = new Smarty;
$my_security_policy = new Smarty_Security;
// disable all PHP functions
$my_security_policy->php_functions = null;
// remove PHP tags
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
// allow everything as modifier (empty array = all PHP functions allowed as modifiers)
$my_security_policy->php_modifiers = array();
// enable security
$smarty->enableSecurity($my_security_policy);
?>
```

**Example 15.3. Enable security with the default settings**

```php
<?php
require 'Smarty.class.php';
$smarty = new Smarty;
// enable default security
$smarty->enableSecurity();
?>
```

Note: Most security policy settings are only checked when the template gets compiled. For that reason you should delete all cached and compiled template files when you change your security settings.
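The following is an added example, not code from the Smarty manual. It ties together the policy settings described above and the note about compile-time checks: it builds a policy that allows less than the defaults, clears compiled and cached files before use, and renders a few constructed templates to show which ones the policy rejects. It assumes Smarty 3 with Smarty.class.php on the include path; the temporary directories, the template files, the template variable values and the clearCompiledTemplate() call are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the Smarty manual: a locked-down
// Smarty_Security policy for templates edited by untrusted parties, with a
// small harness showing which templates the policy rejects. Assumes Smarty 3
// (Smarty.class.php on the include path); directory and file names below are
// constructed for the demo.
require 'Smarty.class.php';

// Build a policy that allows less than the defaults: PHP tags are removed,
// no PHP function or static class is reachable, only the default modifiers
// are usable, and constants, super globals and streams are switched off.
function build_locked_down_policy() {
    $policy = new Smarty_Security;
    $policy->php_handling        = Smarty::PHP_REMOVE;
    $policy->php_functions       = null;                     // null = no PHP functions at all
    $policy->php_modifiers       = array('escape', 'count'); // the default, stated explicitly
    $policy->static_classes      = null;                     // null = no static class access
    $policy->streams             = null;                     // null = no stream resources
    $policy->allow_constants     = false;
    $policy->allow_super_globals = false;
    $policy->allow_php_tag       = false;                    // no {php} / {include_php}
    // $template_dir is trusted implicitly; any other template location must be listed here.
    $policy->secure_dir          = array();
    return $policy;
}

// Create a Smarty instance bound to a template directory with the policy
// enabled. Compiled files and caches are cleared because most policy settings
// are only checked at compile time (clearCompiledTemplate() is assumed to be
// the Smarty 3 method name).
function make_secured_smarty(Smarty_Security $policy, $template_dir, $work_dir) {
    $smarty = new Smarty;
    $smarty->template_dir = $template_dir;
    $smarty->compile_dir  = $work_dir . '/templates_c';
    $smarty->cache_dir    = $work_dir . '/cache';
    $smarty->enableSecurity($policy);
    $smarty->clearCompiledTemplate();
    $smarty->clearAllCache();
    return $smarty;
}

// Try to render one template; report the output or the security error text.
function try_render(Smarty $smarty, $template, array $vars) {
    foreach ($vars as $name => $value) {
        $smarty->assign($name, $value);
    }
    try {
        return array('ok' => true, 'result' => $smarty->fetch($template));
    } catch (SmartyException $e) {   // SmartyCompilerException extends SmartyException
        return array('ok' => false, 'result' => $e->getMessage());
    }
}

// --- demo: constructed template files in a temporary directory ---
$work      = sys_get_temp_dir() . '/smarty_security_demo_' . getmypid();
$trusted   = $work . '/templates';
$untrusted = $work . '/untrusted';
foreach (array($trusted, $untrusted, $work . '/templates_c', $work . '/cache') as $dir) {
    if (!is_dir($dir)) { mkdir($dir, 0700, true); }
}

// Allowed: plain variable output with one of the default modifiers.
file_put_contents($trusted . '/greeting.tpl', 'Hello {$name|escape}!');
// Rejected: strtoupper is a PHP function that neither $php_functions nor $php_modifiers lists.
file_put_contents($trusted . '/shout.tpl', 'Hello {$name|strtoupper}!');
// Rejected: the included file lives outside $template_dir and $secure_dir.
file_put_contents($untrusted . '/footer.tpl', 'untrusted footer');
file_put_contents($trusted . '/with_footer.tpl',
    '{include file="' . $untrusted . '/footer.tpl"}');
// Neutralised rather than executed: PHP_REMOVE strips the PHP tag before compilation.
file_put_contents($trusted . '/raw_php.tpl', 'Before <?php echo "x"; ?> after');

$smarty = make_secured_smarty(build_locked_down_policy(), $trusted, $work);

foreach (array('greeting.tpl', 'shout.tpl', 'with_footer.tpl', 'raw_php.tpl') as $tpl) {
    $r = try_render($smarty, $tpl, array('name' => '<b>Mallory</b>'));
    printf("%-16s %s: %s\n", $tpl, $r['ok'] ? 'rendered' : 'REJECTED', trim($r['result']));
}
```

Because the checks happen when a template is compiled, a template compiled under an older, looser policy keeps its compiled form until the compiled files are removed; the harness therefore clears them right after enabling security, which is the practical consequence of the note above.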