Smarty Security Policy

From WHMCS Documentation

Revision as of 18:44, 22 July 2016 by Cole

WHMCS 7.0 introduces a new security hardening measure called Smarty Security Policies. WHMCS uses a system policy for system-wide use, and a mail policy specifically for stored and dynamic email-based templates.

The settings enforced by a WHMCS Smarty Security Policy are the same as those defined by the Smarty library itself. You can learn more about these settings from the Smarty documentation: http://www.smarty.net/docs/en/advanced.features.tpl

By default, WHMCS does not define any PHP functionality restrictions for the system policy (except to honor the pre-existing {php} tag setting as configured in Setup >> Security). All templates that use this policy are file-based (for example, themes and order forms), which require file-level access and are therefore implicitly trusted. Because custom themes are much more likely to contain additional PHP-oriented logic, any restrictions defined by WHMCS could result in website rendering issues. It is entirely at your discretion to decide whether implicit trust at the file level is valid for your installation, and you may apply any appropriate restrictions to the system policy.

The mail policy restricts what PHP functionality can be used in email-based templates. The default mail policy limits the use of variable modifiers (http://www.smarty.net/docs/en/language.modifiers.tpl) to the following:

  • escape
  • count
  • urlencode
  • ucfirst
  • date_format

The default mail policy restricts the use of native PHP functions to the following:

  • isset
  • empty
  • count
  • sizeof
  • in_array
  • is_array
  • time
  • nl2br

The default mail policy does not allow calls to static classes, fetching data from PHP streams, or access to superglobal variables.

If you want to redefine either the system or mail policy, you can do this by adding a $smarty_security_policy setting to your configuration.php. Here's an example that limits email templates (by modifying the mail policy) to 'ucwords' as the only native PHP function allowed, while not changing the default restrictions on variable modifiers:

// Smarty custom email based template policy:
$smarty_security_policy = array(
    'mail' => array(
        'php_functions' => array(
            'ucwords',
        ),
    ),
);

Please refer to the Smarty documentation for all possible settings and what behavior to expect when assigning array and boolean values.