What steps will reproduce the problem?
1. Use Smarty's enableSecurity with a raw Smarty_Security instance
2. Use an html_image tag in a template with an absolute URI, e.g.
{html_image file="/foo/bar.jpg"}
What is the expected output? What do you see instead?
html_image should show the image, passing the internal checks for trustworthiness of
the path/file.
What version of the product are you using? On what operating system?
3.1.18
Please provide any additional information below.
As far as I can see, in
function smarty_function_html_image($params, $template)
PHP's realpath() gets used, but this fails if the parameter to html_image is
considered to be a URI (and not a file), therefore the test with
isTrustedResourceDir() fails.
I think my patch attached should solve it.
Original issue reported on code.google.com by manuel.s...@manitu.de on 22 Apr 2014 at 11:34
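
The failure described in this report, as an added example that is not part of the original issue, the reporter's patch, or Smarty's code: realpath() resolves a web-root-relative URI from the filesystem root, so the path has to be mapped under the document root before it is canonicalised and compared with the trusted directories. The function name resolve_trusted_image(), its parameters and the temporary paths are assumptions constructed for the demonstration.

```php
<?php
// Added illustration: resolve_trusted_image() and its parameters are hypothetical,
// not Smarty's API. All paths below are constructed for the demo.
function resolve_trusted_image(string $file, string $docRoot, array $trustedDirs): ?string
{
    // A leading "/" marks a web-root-relative URI: map it under the document
    // root first, otherwise realpath() resolves it from the filesystem root.
    $candidate = ($file !== '' && $file[0] === '/')
        ? rtrim($docRoot, '/') . $file
        : $file;

    $real = realpath($candidate);          // false when the target does not exist
    if ($real === false) {
        return null;
    }
    foreach ($trustedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // Compare canonical paths, with a trailing separator so that a sibling
        // such as "docroot_secret.txt" cannot pass as being inside "docroot".
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return $real;
        }
    }
    return null;
}

// Constructed document root with one image, plus a file just outside it.
$root = sys_get_temp_dir() . '/docroot_' . getmypid();
mkdir($root . '/foo', 0700, true);
file_put_contents($root . '/foo/bar.jpg', 'x');
file_put_contents($root . '_secret.txt', 'x');

var_dump(realpath('/foo/bar.jpg'));                               // the raw URI
var_dump(resolve_trusted_image('/foo/bar.jpg', $root, [$root]));  // mapped, then checked
var_dump(resolve_trusted_image('/../' . basename($root) . '_secret.txt', $root, [$root]));

// Remove the demo files.
unlink($root . '/foo/bar.jpg');
unlink($root . '_secret.txt');
rmdir($root . '/foo');
rmdir($root);
```

The three calls show the raw parameter failing to resolve, the mapped path passing the trusted-directory check, and a traversal out of the document root being rejected because the comparison is made on canonical paths.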