[pLog-general] how to protect your site?

Oscar Renalias phunkphorce at gmail.com
Thu Feb 24 14:30:03 GMT 2005 

I think our goal should be to ship a secure product. So far I've only
seen a handful of questions in the forums regarding how to include php
code in the templates so something like this will probably only affect
1% of users.

And in any case, we should push plugins from now on as the preferred
way to extend plog at all levels...

Oscar


On Thu, 24 Feb 2005 09:26:32 -0500 (EST), Jon Daley
<plogworld at daley.snurgle.org> wrote:
>         That seems reasonable, as long as the configuration option says,
> "Danger, Will Robinson, Danger.  Are you sure you know what you are
> doing??"
> 
> (:
> 
> 
> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> 
> > It definitely should be enabled by default, but perhaps we could add a
> > configuration option to easily enable/disable this feature?
> >
> > Oscar
> >
> >
> > On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
> > <plogworld at daley.snurgle.org> wrote:
> >> {php} is enabled by default, because security is disabled.
> >> When I enabled it on my machine, I got a strange error on "new post",
> >> where the javascript preview function popped up an error box.
> >> Unfortunately, I didn't write down the error message at the time, had some
> >> stuff about NS_ error.
> >>
> >> And now I can't get it to happen again.
> >>
> >> I erased my cache and tried again, with no luck in making it fail.
> >>
> >> Perhaps we can just set this to true?  There are some other related
> >> settings regarding trusted and untrusted directories.
> >>
> >> Enabling it does disable the {php} tags.
> >>
> >> See Smarty.class.php:
> >>      /**
> >>       * This enables template security. When enabled, many
> >>       * things are restricted in the templates that
> >>       * normally would go unchecked. This is useful when
> >>       * untrusted parties are editing templates and you
> >>       * want a reasonable level of security.
> >>       * (no direct execution of PHP in templates for example)
> >>       */
> >>      var $security       =   false;
> >>
> >>
> >> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>> 5) unless explicitely enabled, smarty should not allow users to
> >>> execute php code via {php}...{/php} tags
> >>
> >> **************************************************************
> >> *     Jonathan M. Daley     *   Everybody is ignorant, only  *
> >> *   jondaley at snurgle.org    *     on different subjects.     *
> >> * www.snurgle.org/~jondaley *                 -- Will Rogers *
> >> **************************************************************
> >> _______________________________________________
> >> pLog-general mailing list
> >> pLog-general at devel.plogworld.net
> >> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>
> > _______________________________________________
> > pLog-general mailing list
> > pLog-general at devel.plogworld.net
> > http://devel.plogworld.net/mailman/listinfo/plog-general
> >
> 
> **************************************************************
> *     Jonathan M. Daley     *  Needs are a function of what  *
> *   jondaley at snurgle.org    *       other people have.       *
> * www.snurgle.org/~jondaley *            -- Jone's Principle *
> **************************************************************
> _______________________________________________
> pLog-general mailing list
> pLog-general at devel.plogworld.net
> http://devel.plogworld.net/mailman/listinfo/plog-general
>

More information about the pLog-general mailing list