[pLog-general] how to protect your site?

Jon Daley plogworld at daley.snurgle.org
Thu Feb 24 14:32:14 GMT 2005


 	Agreed.  So, how about we enable it and don't have a 
configuration option to turn it off?  And then they have to modify the 
Smarty code if they are sure that they know what they are doing?


On Thu, 24 Feb 2005, Oscar Renalias wrote:

> I think our goal should be to ship a secure product. So far I've only
> seen a handful of questions in the forums regarding how to include php
> code in the templates so something like this will probably only affect
> 1% of users.
>
> And in any case, we should push plugins from now on as the preferred
> way to extend plog at all levels...
>
> Oscar
>
>
> On Thu, 24 Feb 2005 09:26:32 -0500 (EST), Jon Daley
> <plogworld at daley.snurgle.org> wrote:
>>         That seems reasonable, as long as the configuration option says,
>> "Danger, Will Robinson, Danger.  Are you sure you know what you are
>> doing??"
>>
>> (:
>>
>>
>> On Thu, 24 Feb 2005, Oscar Renalias wrote:
>>
>>> It definitely should be enabled by default, but perhaps we could add a
>>> configuration option to easily enable/disable this feature?
>>>
>>> Oscar
>>>
>>>
>>> On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
>>> <plogworld at daley.snurgle.org> wrote:
>>>> {php} is enabled by default, because security is disabled.
>>>> When I enabled it on my machine, I got a strange error on "new post",
>>>> where the javascript preview function popped up an error box.
>>>> Unfortunately, I didn't write down the error message at the time; it had
>>>> something about an NS_ error.
>>>>
>>>> And now I can't get it to happen again.
>>>>
>>>> I erased my cache and tried again, with no luck in making it fail.
>>>>
>>>> Perhaps we can just set this to true?  There are some other related
>>>> settings regarding trusted and untrusted directories.
>>>>
>>>> Enabling it does disable the {php} tags.
>>>>
>>>> See Smarty.class.php:
>>>>      /**
>>>>       * This enables template security. When enabled, many
>>>>       * things are restricted in the templates that
>>>>       * normally would go unchecked. This is useful when
>>>>       * untrusted parties are editing templates and you
>>>>       * want a reasonable level of security.
>>>>       * (no direct execution of PHP in templates for example)
>>>>       */
>>>>      var $security       =   false;
>>>>
>>>>
>>>> On Thu, 24 Feb 2005, Oscar Renalias wrote:
>>>>> 5) unless explicitly enabled, smarty should not allow users to
>>>>> execute php code via {php}...{/php} tags
>>>>
>>>> **************************************************************
>>>> *     Jonathan M. Daley     *   Everybody is ignorant, only  *
>>>> *   jondaley at snurgle.org    *     on different subjects.     *
>>>> * www.snurgle.org/~jondaley *                 -- Will Rogers *
>>>> **************************************************************
>>>> _______________________________________________
>>>> pLog-general mailing list
>>>> pLog-general at devel.plogworld.net
>>>> http://devel.plogworld.net/mailman/listinfo/plog-general
>>>>
>>>
>>
>> **************************************************************
>> *     Jonathan M. Daley     *  Needs are a function of what  *
>> *   jondaley at snurgle.org    *       other people have.       *
>> * www.snurgle.org/~jondaley *            -- Jone's Principle *
>> **************************************************************
>>
>

**************************************************************
*     Jonathan M. Daley     *       Who begins too much      *
*   jondaley at snurgle.org    *      accomplishes little.      *
* www.snurgle.org/~jondaley *              -- German proverb *
**************************************************************
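The two configurations the thread is arguing about, side by side, as an added example (this is not code from pLog or from anyone in the thread). It assumes the Smarty 2.x API that Smarty.class.php exposes (`$security`, `$secure_dir`, `$security_settings`), placeholder directory paths, and that site templates end in `.template`; the scanner at the bottom is a hypothetical helper for finding which templates would stop compiling once security is switched on.

```php
<?php
// Added example; not pLog's code. Assumes Smarty 2.x installed at this path.
require_once '/path/to/Smarty/Smarty.class.php';   // placeholder path

/**
 * Build a Smarty instance either the way the thread describes it today
 * ($security = false, so {php}...{/php} runs arbitrary PHP from a template)
 * or hardened ($security = true, so such tags are refused at compile time).
 */
function make_smarty($secure)
{
    $smarty = new Smarty;
    $smarty->template_dir  = '/path/to/templates';    // placeholder
    $smarty->compile_dir   = '/path/to/templates_c';  // placeholder
    $smarty->compile_check = true;

    if ($secure) {
        // The flag quoted from Smarty.class.php, flipped to true.
        $smarty->security = true;

        // Only templates under these directories may be fetched or
        // {include}d while security is on ("trusted/untrusted directories").
        $smarty->secure_dir = array('/path/to/templates');     // placeholder

        // Smarty 2 already defaults these to false when security is on;
        // setting them explicitly documents the intent in the config.
        $smarty->security_settings['PHP_TAGS']     = false;  // {php}..{/php}
        $smarty->security_settings['PHP_HANDLING'] = false;  // <?php ... ?>
        $smarty->security_settings['INCLUDE_ANY']  = false;  // include outside secure_dir
    }
    return $smarty;
}

/**
 * Pre-flight check before enabling security: list the templates in $dir
 * (non-recursive) that use {php} or {include_php}. Those are the 1% the
 * thread mentions, and they will fail to compile once security is on.
 * Hypothetical helper; the regexes are a heuristic, not Smarty's parser.
 */
function templates_using_php_tags($dir, $ext = 'template')
{
    $hits = array();
    foreach (glob(rtrim($dir, '/') . '/*.' . $ext) as $file) {
        $src = file_get_contents($file);
        if (preg_match('/\{php\}/i', $src) || preg_match('/\{include_php\b/i', $src)) {
            $hits[] = $file;
        }
    }
    return $hits;
}

// Weak (current state): a template containing {php}echo date('Y');{/php}
// compiles and executes that PHP on the server.
$weak = make_smarty(false);

// Hardened: the same template is rejected; Smarty 2 reports a compile-time
// syntax error for the {php} tag instead of running it.
$hardened = make_smarty(true);

// Report which templates an administrator must convert (to plugins, as
// Oscar suggests) before flipping the switch on a live site.
foreach (templates_using_php_tags('/path/to/templates') as $file) {
    echo "uses {php}: $file\n";
}
```

Enabling `$security` is a compile-time change, so stale compiled templates in `compile_dir` keep working until they are recompiled; `compile_check = true` (or clearing `compile_dir`) makes the new policy take effect immediately, which is also the first thing to check when a {php}-free template seems to behave differently after the switch.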



More information about the pLog-general mailing list