Jeff-Lewis / smarty-php

Automatically exported from code.google.com/p/smarty-php

html_image and Smarty_Security bug while checking directory trustship #191

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Use Smarty's enableSecurity with a raw Smarty_Security instance
2. Use an html_image tag in a template with an absolute URI, e.g.

    {html_image file="/foo/bar.jpg"}

What is the expected output? What do you see instead?

html_image should show the image, passing the internal checks for trustship of the path/file.

What version of the product are you using? On what operating system?

3.1.18

Please provide any additional information below.

As far as I can see, in

    function smarty_function_html_image($params, $template)

PHP's realpath() gets used, but this fails if the parameter to html_image is considered to be a URI (and not a file), therefore the test with isTrustedResourceDir() fails.

I think my attached patch should solve it.

Original issue reported on code.google.com by manuel.s...@manitu.de on 22 Apr 2014 at 11:34
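
The failure mode described in the report above, as an added illustration (not Smarty's code and not the attached patch): a trust check built on realpath() rejects a web-style path such as `/foo/bar.jpg` unless it is first mapped to a filesystem location. `is_trusted_path()` is a hypothetical stand-in for a directory trust check, and the temporary document root and file names are constructed for the demo.

```php
<?php
// Added illustration, not Smarty's code. is_trusted_path() is a hypothetical
// stand-in for a directory trust check; all paths below are constructed.
function is_trusted_path(string $candidate, array $trustedDirs): bool
{
    $real = realpath($candidate);      // false if the path does not exist on disk
    if ($real === false) {
        return false;                  // fail closed on unresolvable paths
    }
    foreach ($trustedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // Compare with a trailing separator so /srv/www2 never matches /srv/www.
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed document root containing foo/bar.jpg, plus one file outside it.
$docroot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docroot_' . uniqid();
mkdir($docroot . '/foo', 0700, true);
file_put_contents($docroot . '/foo/bar.jpg', 'constructed sample');
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside_' . uniqid() . '.txt';
file_put_contents($outside, 'constructed sample');

$file = '/foo/bar.jpg';                // value as written in the template

// Case 1: the template value is handed to the check unchanged.
var_dump(is_trusted_path($file, [$docroot]));
// Case 2: the value is mapped under the document root before the check.
var_dump(is_trusted_path($docroot . $file, [$docroot]));
// Case 3: a mapped value that climbs out of the document root.
var_dump(is_trusted_path($docroot . '/../' . basename($outside), [$docroot]));

unlink($docroot . '/foo/bar.jpg');
rmdir($docroot . '/foo');
rmdir($docroot);
unlink($outside);
```

Assuming no `/foo/bar.jpg` exists at the filesystem root, case 1 is rejected because realpath() cannot resolve the web path, case 2 passes, and case 3 is still rejected because the resolved path lies outside the trusted directory.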

GoogleCodeExporter commented 9 years ago
The bugfix is now in the SVN trunk and will later be included in 3.1.19.

Original comment by Uwe.Tews@googlemail.com on 8 Jun 2014 at 7:08