[pLog-general] how to protect your site?
Oscar Renalias
phunkphorce at gmail.com
Thu Feb 24 14:30:03 GMT 2005
I think our goal should be to ship a secure product. So far I've only
seen a handful of questions in the forums regarding how to include php
code in the templates so something like this will probably only affect
1% of users.
And in any case, we should push plugins from now on as the preferred
way to extend plog at all levels...
Oscar
On Thu, 24 Feb 2005 09:26:32 -0500 (EST), Jon Daley
<plogworld at daley.snurgle.org> wrote:
> That seems reasonable, as long as the configuration option says,
> "Danger, Will Robinson, Danger. Are you sure you know what you are
> doing??"
>
> (:
>
>
> On Thu, 24 Feb 2005, Oscar Renalias wrote:
>
> > It definitely should be enabled by default, but perhaps we could add a
> > configuration option to easily enable/disable this feature?
> >
> > Oscar
> >
> >
> > On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
> > <plogworld at daley.snurgle.org> wrote:
> >> {php} is enabled by default, because security is disabled.
> >> When I enabled it on my machine, I got a strange error on "new post",
> >> where the javascript preview function popped up an error box.
> >> Unfortunately, I didn't write down the error message at the time, had some
> >> stuff about NS_ error.
> >>
> >> And now I can't get it to happen again.
> >>
> >> I erased my cache and tried again, with no luck in making it fail.
> >>
> >> Perhaps we can just set this to true? There are some other related
> >> settings regarding trusted and untrusted directories.
> >>
> >> Enabling it does disable the {php} tags.
> >>
> >> See Smarty.class.php:
> >> /**
> >> * This enables template security. When enabled, many
> >> * things are restricted in the templates that
> >> * normally would go unchecked. This is useful when
> >> * untrusted parties are editing templates and you
> >> * want a reasonable level of security.
> >> * (no direct execution of PHP in templates for example)
> >> */
> >> var $security = false;
> >>
> >>
> >> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>> 5) unless explicitly enabled, smarty should not allow users to
> >>> execute php code via {php}...{/php} tags
> >>
> >> **************************************************************
> >> * Jonathan M. Daley * Everybody is ignorant, only *
> >> * jondaley at snurgle.org * on different subjects. *
> >> * www.snurgle.org/~jondaley * -- Will Rogers *
> >> **************************************************************
> >> _______________________________________________
> >> pLog-general mailing list
> >> pLog-general at devel.plogworld.net
> >> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>
> >
>
> **************************************************************
> * Jonathan M. Daley * Needs are a function of what *
> * jondaley at snurgle.org * other people have. *
> * www.snurgle.org/~jondaley * -- Jone's Principle *
> **************************************************************
>
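The thread above turns on one Smarty 2 switch, `$security`, which defaults to `false` in Smarty.class.php, plus the related trusted/untrusted directory settings. The script below is an added example, not code from pLog, from the Smarty project or from anyone in this thread: it enables template security from application code, restricts template loading to a secure directory, and shows that a template carrying a `{php}...{/php}` block is rejected at compile time instead of being executed. It assumes a Smarty 2.x install at the `require_once` path, writable `templates` and `templates_c` directories, and that Smarty reports the rejection through `trigger_error()` (the level and message text are assumptions; the handler therefore accepts both `E_USER_ERROR` and `E_USER_WARNING`).

```php
<?php
// Added example (not pLog's or Smarty's own code): enabling Smarty 2
// template security so {php} blocks cannot run, with a constructed
// template to show the effect.

require_once '/path/to/Smarty.class.php';   // assumed install path (placeholder)

// Smarty 2 reports compile problems via trigger_error(); convert those into
// an exception so the script can report the rejection rather than halt.
// The exact error level Smarty uses is an assumption, so both are caught.
function smarty_error_to_exception($errno, $errstr)
{
    throw new RuntimeException($errstr);
}
set_error_handler('smarty_error_to_exception', E_USER_ERROR | E_USER_WARNING);

$smarty = new Smarty();
$smarty->template_dir = './templates';
$smarty->compile_dir  = './templates_c';

// Weak default from Smarty.class.php:   var $security = false;
// Hardened setting used here:
$smarty->security = true;

// With security on, templates may only be read from secure_dir, and
// {include_php} may only load files under trusted_dir (none here).
$smarty->secure_dir  = array('./templates');
$smarty->trusted_dir = array();

// Per-feature switches, set explicitly rather than relying on defaults:
$smarty->security_settings['PHP_TAGS']     = false;  // reject {php}...{/php}
$smarty->security_settings['PHP_HANDLING'] = false;  // templates cannot change php_handling
$smarty->security_settings['INCLUDE_ANY']  = false;  // {include} stays inside secure_dir

// Raw <?php ... ?> in templates is stripped rather than passed through.
$smarty->php_handling = SMARTY_PHP_REMOVE;

// Constructed template: ordinary output followed by an embedded {php} block.
if (!is_dir('./templates')) {
    mkdir('./templates', 0755, true);
}
file_put_contents('./templates/untrusted.tpl',
    "Hello {\$name}\n{php} echo 'php block executed'; {/php}\n");

$smarty->assign('name', 'world');

try {
    $smarty->display('untrusted.tpl');
    echo "Template rendered, so security is NOT in effect.\n";
} catch (RuntimeException $e) {
    // Expected path with $security = true: compilation refuses the {php} tag.
    echo "Template rejected: " . $e->getMessage() . "\n";
}
```

Flip `$smarty->security` back to `false` and the same template renders with the embedded PHP executed, which is the default behaviour the thread is discussing; the directory settings have no effect until `$security` is on.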