blog.brockha.us wrote:1. I loaded the oembed.tpl from the plugins dir, if not found in the template dir. This caused an Smarty error.
...would have been good to know here what this error said in detail. Can you reproduce it?
blog.brockha.us wrote:2. I tried to do some string searches in the tpl. I used "stripos". This seems to be a PHP and not a smarty function, so it caused another security error. In the actual tpl I managed to do w/o this comparing.
That is usual, as not allowed by S9y, in all bundled Smarty libs. No change to prev versions.
blog.brockha.us wrote:The INCLUDE_ALL is needed for Smarty 2.x templated plugins, if you want to load a tpl from the plugins directory. So it has to be there in order to make it work in older versions (if you don't switch off the security completely as I did). I found many plugins setting this btw, so this should be supported by the Smarty 3 class, too. Maybe simply ignored, if not needed anymore, but it should not produce errors (it doesn't at the moment, if I'm right).
Yes, true, this 5-liner (see above) is needed in all smartified plugins with Smarty2 bundled. With Smarty3 there is no need for this, as we decided to allow the plugins dir in general. While the constant is silenced, we just needed to define the undefined old property security_settings, which is already set.
The problem of your code is, you are using the global security, not the allowed path property.
These smartified plugins set the globally allowed path property security_settings[@INCLUDE_ANY] from false to true and immediately back to false after the fetch call. So disabling $serendipity['smarty']->security = false; is something wrong here, as the original 5-liner should have allowed to fetch the tpl inside the plugins dir with S9y Smarty 2x versions and with 1.7 even without. So your error must have another reason, IMHO.
That is why I'd really like to know what kind of security load error happend there before, which could only be silenced by disableSecurity().