[pLog-general] how to protect your site?

Oscar Renalias phunkphorce at gmail.com
Thu Feb 24 14:22:17 GMT 2005


It definitely should be enabled by default, but perhaps we could add a
configuration option to easily enable/disable this feature?

Oscar


On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
<plogworld at daley.snurgle.org> wrote:
> {php} is enabled by default, because security is disabled.
> When I enabled it on my machine, I got a strange error on "new post",
> where the javascript preview function popped up an error box.
> Unfortunately, I didn't write down the error message at the time, had some
> stuff about NS_ error.
> 
> And now I can't get it to happen again.
> 
> I erased my cache and tried again, with no luck in making it fail.
> 
> Perhaps we can just set this to true?  There are some other related
> settings regarding trusted and untrusted directories.
> 
> Enabling it does disable the {php} tags.
> 
> See Smarty.class.php:
>      /**
>       * This enables template security. When enabled, many
>       * things are restricted in the templates that
>       * normally would go unchecked. This is useful when
>       * untrusted parties are editing templates and you
>       * want a reasonable level of security.
>       * (no direct execution of PHP in templates for example)
>       */
>      var $security       =   false;
> 
> 
> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> > 5) unless explicitly enabled, smarty should not allow users to
> > execute php code via {php}...{/php} tags
> 
> **************************************************************
> *     Jonathan M. Daley     *   Everybody is ignorant, only  *
> *   jondaley at snurgle.org    *     on different subjects.     *
> * www.snurgle.org/~jondaley *                 -- Will Rogers *
> **************************************************************
> _______________________________________________
> pLog-general mailing list
> pLog-general at devel.plogworld.net
> http://devel.plogworld.net/mailman/listinfo/plog-general
>
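
One way to wire up what this thread discusses, shown as an added example rather than pLog's own code: template security on by default, with a single configuration option to switch it off. It uses the Smarty 2.x properties `$security`, `$security_settings`, `$secure_dir` and `$trusted_dir`; the function name, the `template_security` config key and the directory values are hypothetical.

```php
<?php
// Added example, not pLog code. The Smarty 2.x properties are real;
// build_template_engine(), the 'template_security' key and the
// paths passed in are assumptions made for illustration.
require_once 'Smarty.class.php';

function build_template_engine($config)
{
    $smarty = new Smarty();
    $smarty->template_dir = $config['template_dir'];
    $smarty->compile_dir  = $config['compile_dir'];

    // Secure by default: only an explicit boolean false in the
    // configuration turns template security off.
    $secure = !array_key_exists('template_security', $config)
           || $config['template_security'] !== false;

    $smarty->security = $secure;

    if ($secure) {
        // Set individual keys so the other defaults in
        // $security_settings (IF_FUNCS, MODIFIER_FUNCS, ...) survive.
        $smarty->security_settings['PHP_TAGS']     = false; // {php}...{/php} rejected
        $smarty->security_settings['PHP_HANDLING'] = false; // raw <?php ?> not executed
        $smarty->security_settings['INCLUDE_ANY']  = false; // includes limited to secure_dir

        // Directories templates may {include} or {fetch} from.
        $smarty->secure_dir  = array($config['template_dir']);
        // Directories allowed for {include_php}; none here.
        $smarty->trusted_dir = array();
    }

    return $smarty;
}

// Default configuration: the option is absent, so security is on.
$smarty = build_template_engine(array(
    'template_dir' => './templates',    // constructed sample path
    'compile_dir'  => './tmp/compiled', // constructed sample path
));
```

With security on, a template containing `{php}` fails at compile time instead of executing, which matches the behaviour Jon reports after enabling the setting.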


