[pLog-general] how to protect your site?
Oscar Renalias
phunkphorce at gmail.com
Thu Feb 24 15:18:43 GMT 2005
I was looking at enabling Smarty::security
(http://smarty.php.net/manual/en/variable.security.php) but I found
that when enabled:
"
templates can only be included from directories listed in the $secure_dir array.
local files can only be fetched from directories listed in the
$secure_dir array using {fetch}.
"
During my preliminary tests, this seemed not to have any effect but it
might in the future... We can also have a look at
Smarty::security_settings that allows to override certain security
settings (http://smarty.php.net/manual/en/variable.security.settings.php)
if needed.
I've just committed the changes related to this to svn, plus a new
option under "template settings" that allows to easily enable and
disable this feature.
Oscar
On Thu, 24 Feb 2005 09:32:14 -0500 (EST), Jon Daley
<plogworld at daley.snurgle.org> wrote:
> Agreed. So, how about with enable it and don't have a
> configuration option to turn it off? And then they have to modify the
> smarty code if they are sure that they know what they are doing?
>
>
> On Thu, 24 Feb 2005, Oscar Renalias wrote:
>
> > I think our goal should be to ship a secure product. So far I've only
> > seen a handful of questions in the forums regarding how to include php
> > code in the templates so something like this will probably only affect
> > 1% of users.
> >
> > And in any case, we should push plugins from now on as the preferred
> > way to extend plog at all levels...
> >
> > Oscar
> >
> >
> > On Thu, 24 Feb 2005 09:26:32 -0500 (EST), Jon Daley
> > <plogworld at daley.snurgle.org> wrote:
> >> That seems reasonable, as long as the configuration option says,
> >> "Danger, Will Robinson, Danger. Are you sure you know what you are
> >> doing??"
> >>
> >> (:
> >>
> >>
> >> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>
> >>> It definitely should be enabled by default, but perhaps we could add a
> >>> configuration option to easily enable/disable this feature?
> >>>
> >>> Oscar
> >>>
> >>>
> >>> On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
> >>> <plogworld at daley.snurgle.org> wrote:
> >>>> {php} is enabled by default, because security is disabled.
> >>>> When I enabled it on my machine, I got a strange error on "new post",
> >>>> where the javascript preview function popped up an error box.
> >>>> Unfortunately, I didn't write down the error message at the time, had some
> >>>> stuff about NS_ error.
> >>>>
> >>>> And now I can't get it to happen again.
> >>>>
> >>>> I erased my cache and tried again, with no luck in making it fail.
> >>>>
> >>>> Perhaps we can just set this to true? There are some other related
> >>>> settings regarding trusted and untrusted directories.
> >>>>
> >>>> Enabling it does disable the {php} tags.
> >>>>
> >>>> See Smarty.class.php:
> >>>> /**
> >>>> * This enables template security. When enabled, many
> >>>> * things are restricted in the templates that
> >>>> * normally would go unchecked. This is useful when
> >>>> * untrusted parties are editing templates and you
> >>>> * want a reasonable level of security.
> >>>> * (no direct execution of PHP in templates for example)
> >>>> */
> >>>> var $security = false;
> >>>>
> >>>>
> >>>> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>>>> 5) unless explicitely enabled, smarty should not allow users to
> >>>>> execute php code via {php}...{/php} tags
> >>>>
> >>>> **************************************************************
> >>>> * Jonathan M. Daley * Everybody is ignorant, only *
> >>>> * jondaley at snurgle.org * on different subjects. *
> >>>> * www.snurgle.org/~jondaley * -- Will Rogers *
> >>>> **************************************************************
> >>>> _______________________________________________
> >>>> pLog-general mailing list
> >>>> pLog-general at devel.plogworld.net
> >>>> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>>>
> >>> _______________________________________________
> >>> pLog-general mailing list
> >>> pLog-general at devel.plogworld.net
> >>> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>>
> >>
> >> **************************************************************
> >> * Jonathan M. Daley * Needs are a function of what *
> >> * jondaley at snurgle.org * other people have. *
> >> * www.snurgle.org/~jondaley * -- Jone's Principle *
> >> **************************************************************
> >> _______________________________________________
> >> pLog-general mailing list
> >> pLog-general at devel.plogworld.net
> >> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>
> > _______________________________________________
> > pLog-general mailing list
> > pLog-general at devel.plogworld.net
> > http://devel.plogworld.net/mailman/listinfo/plog-general
> >
>
> **************************************************************
> * Jonathan M. Daley * Who begins too much *
> * jondaley at snurgle.org * accomplishes little. *
> * www.snurgle.org/~jondaley * -- German proverb *
> **************************************************************
> _______________________________________________
> pLog-general mailing list
> pLog-general at devel.plogworld.net
> http://devel.plogworld.net/mailman/listinfo/plog-general
>
More information about the pLog-general
mailing list