Using protected templates with the Smarty template engine


We have created an updated version of the Smarty template engine that can read encoded templates. It is available from our site at http://sourceguardian.com/scripts/Smarty-2.6.14-SG.tar.gz. The current version at the time of writing is 2.6.14, but it should be easy to apply the same changes to other versions. The changes we made are described below:

 

To enable loading of encoded *.tpl files the following simple changes are required:

 

Smarty.class.php

 

    function _read_file($filename)
    {
        //SourceGuardian patch
        // use the SourceGuardian loader to read the file when it is available
        if ( function_exists("sg_load_file") ) {
            if ( file_exists($filename) ) {
                return sg_load_file($filename);
            } else {
                return false;
            }
        }

        // original Smarty code: read the plain template in 8 KB chunks
        if ( file_exists($filename) && ($fd = @fopen($filename, 'rb')) ) {
            $contents = '';
            while (!feof($fd)) {
                $contents .= fread($fd, 8192);
            }
            fclose($fd);
            return $contents;
        } else {
            return false;
        }
    }

 

To enable additional protection of recompiled template files the following additional changes are required:

 

In the file Smarty.class.php in function fetch() and function _smarty_include()

 

replace:

 

   include($_smarty_compile_path);                                                  

 

with:

 

    //SourceGuardian patch
    sg_eval(sg_load_file($_smarty_compile_path));

 

In the file internals/core.write_file.php in function smarty_core_write_file()

 

replace:

 

    if (!($fd = @fopen($_tmp_file, 'wb'))) {
        $_tmp_file = $_dirname . DIRECTORY_SEPARATOR . uniqid('wrt');
        if (!($fd = @fopen($_tmp_file, 'wb'))) {
            $smarty->trigger_error("problem writing temporary file '$_tmp_file'");
            return false;
        }
    }

    fwrite($fd, $params['contents']);
    fclose($fd);

 

with:

 

    //SourceGuardian patch
    if ( function_exists("sg_encode_file") ) {
      sg_encode_file($_tmp_file, $params['contents']);
    } else {
      if (!($fd = @fopen($_tmp_file, 'wb'))) {
          $_tmp_file = $_dirname . DIRECTORY_SEPARATOR . uniqid('wrt');
          if (!($fd = @fopen($_tmp_file, 'wb'))) {
              $smarty->trigger_error("problem writing temporary file '$_tmp_file'");
              return false;
          }
      }

      fwrite($fd, $params['contents']);
      fclose($fd);
    }

 

 

After all the changes are made, the Smarty engine works with normal unencoded templates when run from an unprotected script, and with encoded templates when run from a SourceGuardian protected script. Encoding the Smarty engine itself is not required: it is optional and does not affect the security of your protected scripts or templates.
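
An added example, not part of the SourceGuardian distribution: a shell check that reports which of the three patch points described above are still missing from a Smarty tree, for instance after a Smarty upgrade has overwritten a patched copy. The function names and the sample tree built by make_sample_tree are constructed for illustration, and the grep patterns assume the patched lines are written as shown on this page.

```shell
# Usage: check_smarty_sg_patch DIR   (DIR holds Smarty.class.php)
# Prints one line per missing patch point; returns 0 only if all are applied.
check_smarty_sg_patch() {
    dir=$1
    class="$dir/Smarty.class.php"
    writer="$dir/internals/core.write_file.php"
    missing=0
    for f in "$class" "$writer"; do
        [ -f "$f" ] || { echo "MISSING FILE: $f"; return 2; }
    done

    # 1. _read_file() must hand template files to sg_load_file().
    if ! grep -q 'sg_load_file(\$filename)' "$class"; then
        echo "UNPATCHED: _read_file() does not call sg_load_file()"
        missing=$((missing + 1))
    fi

    # 2. No plain include of a compiled template may remain, and the
    #    sg_eval(sg_load_file(...)) replacement must be present.
    n=$(grep -c '^[[:space:]]*include(\$_smarty_compile_path)' "$class" || true)
    if [ "$n" -gt 0 ] ||
       ! grep -q 'sg_eval(sg_load_file(\$_smarty_compile_path))' "$class"; then
        echo "UNPATCHED: compiled templates not loaded via sg_eval ($n plain include left)"
        missing=$((missing + 1))
    fi

    # 3. smarty_core_write_file() must write through sg_encode_file().
    if ! grep -q 'sg_encode_file(\$_tmp_file' "$writer"; then
        echo "UNPATCHED: smarty_core_write_file() does not call sg_encode_file()"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample tree (not real Smarty source) for trying the check offline.
make_sample_tree() {   # $1 = target dir, $2 = "patched" or "stock"
    mkdir -p "$1/internals"
    if [ "$2" = patched ]; then
        printf '%s\n' 'return sg_load_file($filename);' \
            'sg_eval(sg_load_file($_smarty_compile_path));' > "$1/Smarty.class.php"
        printf '%s\n' 'sg_encode_file($_tmp_file, $params["contents"]);' \
            > "$1/internals/core.write_file.php"
    else
        printf '%s\n' 'include($_smarty_compile_path);' > "$1/Smarty.class.php"
        printf '%s\n' 'fwrite($fd, $params["contents"]);' \
            > "$1/internals/core.write_file.php"
    fi
}
```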