Mirrors
/
postfixadmin
mirror of https://github.com/postfixadmin/postfixadmin.git
3
0
Fork 0
Code Releases Activity
PostfixAdmin - web based virtual user administration interface for Postfix mail servers https://postfixadmin.github.io/postfixadmin/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2676 Commits
11 Branches
66 Tags
24 MiB
Tree: postfixadm
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'postfixadm'
${ noResults }
postfixadmin/model/PFASmarty.php

149 lines
5.4 KiB
Raw Permalink Normal View History

allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
fix: "PHP Deprecated: Using unregistered function "htmlentities" in a template..." from Smarty, see https://github.com/postfixadmin/postfixadmin/issues/872
1 year ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
see: //github.com/postfixadmin/postfixadmin/issues/410 - ignore theme_css if it points to css/default.css; drop css/default.css
5 years ago
allow the template to be destroyed
6 years ago
see #429 - check for some CONF keys before trying to use them
5 years ago
allow the template to be destroyed
6 years ago
fix bootstrap theme for users/ urls; make some other links use https.
5 years ago
allow the template to be destroyed
6 years ago
composer format
5 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
rejig smarty
6 years ago
allow the template to be destroyed
6 years ago
stop php8.1 moaning about a null value going into htmlentities - see https://github.com/postfixadmin/postfixadmin/issues/632
4 years ago
do not worry about escaping an object
5 years ago
allow the template to be destroyed
6 years ago
stop php8.1 moaning about a null value going into htmlentities - see https://github.com/postfixadmin/postfixadmin/issues/632
4 years ago
allow the template to be destroyed
6 years ago
  1. <?php
  3. /**
  4. * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
  5. */
  6. class PFASmarty {
  7. public static $instance = null;
  8. /**
  9. * @var Smarty
  10. */
  11. protected $template;
  13. public static function getInstance() {
  14. if (self::$instance) {
  15. return self::$instance;
  16. }
  18. self::$instance = new PFASmarty();
  19. return self::$instance;
  20. }
  23. private function __construct() {
  24. $CONF = Config::getInstance()->getAll();
  26. $theme = '';
  27. if (isset($CONF['theme']) && is_dir(dirname(__FILE__) . "/../templates/" . $CONF['theme'])) {
  28. $theme = $CONF['theme'];
  29. }
  31. $this->template = new Smarty();
  34. $template_dir = __DIR__ . '/../templates/' . $theme;
  36. if (!is_dir($template_dir)) {
  37. $template_dir = __DIR__ . '/../templates/';
  38. }
  40. $this->template->setTemplateDir($template_dir);
  42. // if it's not present or writeable, smarty should just not cache.
  43. $templates_c = dirname(__FILE__) . '/../templates_c';
  44. if (is_dir($templates_c) && is_writeable($templates_c)) {
  45. $this->template->setCompileDir($templates_c);
  46. } else {
  47. # unfortunately there's no sane way to just disable compiling of templates
  48. clearstatcache(); // just incase someone just fixed it; on their next refresh it should work.
  49. error_log("ERROR: directory $templates_c doesn't exist or isn't writeable for the webserver");
  50. die("ERROR: the templates_c directory doesn't exist or isn't writeable for the webserver");
  51. }
  53. $this->template->registerPlugin('function', 'htmlentities', 'htmlentities');
  55. $this->configureTheme('');// default to something.
  56. }
  58. /**
  59. * @param string $rel_path - relative path for referenced css etc dependencies - e.g. users/edit.php needs '../' else, it's ''.
  60. */
  61. public function configureTheme(string $rel_path = '') {
  62. $CONF = Config::getInstance()->getAll();
  64. // see: https://github.com/postfixadmin/postfixadmin/issues/410
  65. // ignore $CONF['theme_css'] if it points to css/default.css and we have css/bootstrap.css.
  66. if ($CONF['theme_css'] == 'css/default.css' && is_file(__DIR__ . '/../public/css/bootstrap.css')) {
  67. // silently upgrade to bootstrap, css/default.css does not exist.
  68. $CONF['theme_css'] = 'css/bootstrap.css';
  69. }
  71. $CONF['theme_css'] = $rel_path . htmlentities($CONF['theme_css']);
  72. if (!empty($CONF['theme_custom_css'])) {
  73. $CONF['theme_custom_css'] = $rel_path . htmlentities($CONF['theme_custom_css']);
  74. }
  75. if (array_key_exists('theme_favicon', $CONF)) {
  76. $CONF['theme_favicon'] = $rel_path . htmlentities($CONF['theme_favicon']);
  77. }
  79. $CONF['theme_logo'] = $rel_path . htmlentities($CONF['theme_logo']);
  81. $this->assign('rel_path', $rel_path);
  82. $this->assign('CONF', $CONF);
  83. }
  86. /**
  87. * @param string $key
  88. * @param mixed $value
  89. * @param bool $sanitise
  90. */
  91. public function assign($key, $value, $sanitise = true) {
  92. $this->template->assign("RAW_$key", $value);
  93. if ($sanitise == false) {
  94. return $this->template->assign($key, $value);
  95. }
  96. $clean = $this->sanitise($value);
  97. /* we won't run the key through sanitise() here... some might argue we should */
  98. return $this->template->assign($key, $clean);
  99. }
  101. /**
  102. * @param string $template
  103. * @return void
  104. */
  105. public function display($template) {
  106. $CONF = Config::getInstance()->getAll();
  108. $this->assign('PALANG', $CONF['__LANG'] ?? []);
  109. $this->assign('url_domain', '');
  110. $this->assign('version', $CONF['version'] ?? 'unknown');
  111. $this->assign('boolconf_alias_domain', Config::bool('alias_domain'));
  112. $this->assign('authentication_has_role', array('global_admin' => authentication_has_role('global-admin'), 'admin' => authentication_has_role('admin'), 'user' => authentication_has_role('user')));
  114. header("Expires: Sun, 16 Mar 2003 05:00:00 GMT");
  115. header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  116. header("Cache-Control: no-store, no-cache, must-revalidate");
  117. header("Cache-Control: post-check=0, pre-check=0", false);
  118. header("Pragma: no-cache");
  119. header("Content-Type: text/html; charset=UTF-8");
  121. $this->template->setConfigDir(__DIR__ . '/../configs');
  122. $this->template->display($template);
  124. unset($_SESSION['flash']); # cleanup flash messages
  125. }
  127. /**
  128. * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
  129. *
  130. * @param mixed $data - array or primitive type; objects not supported.
  131. * @return mixed $data
  132. * */
  133. public function sanitise($data) {
  134. if (is_object($data) || is_null($data)) {
  135. return $data; // can't handle
  136. }
  138. if (!is_array($data)) {
  139. return htmlentities($data, ENT_QUOTES, 'UTF-8', false);
  140. }
  142. $clean = array();
  143. foreach ($data as $key => $value) {
  144. /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
  145. $clean[$this->sanitise($key)] = $this->sanitise($value);
  146. }
  147. return $clean;
  148. }
  149. }