[pLog-general] how to protect your site?

Oscar Renalias phunkphorce at gmail.com
Thu Feb 24 15:18:43 GMT 2005


I was looking at enabling Smarty::security
(http://smarty.php.net/manual/en/variable.security.php) but I found
that when enabled:

"
templates can only be included from directories listed in the $secure_dir array.

local files can only be fetched from directories listed in the
$secure_dir array using {fetch}.
"

During my preliminary tests, this seemed not to have any effect but it
might in the future... We can also have a look at
Smarty::security_settings, which allows overriding certain security
settings (http://smarty.php.net/manual/en/variable.security.settings.php)
if needed.

I've just committed the changes related to this to svn, plus a new
option under "template settings" that makes it easy to enable and
disable this feature.

Oscar

On Thu, 24 Feb 2005 09:32:14 -0500 (EST), Jon Daley
<plogworld at daley.snurgle.org> wrote:
>         Agreed.  So, how about we enable it and don't have a
> configuration option to turn it off?  And then they have to modify the
> smarty code if they are sure that they know what they are doing?
> 
> 
> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> 
> > I think our goal should be to ship a secure product. So far I've only
> > seen a handful of questions in the forums regarding how to include php
> > code in the templates so something like this will probably only affect
> > 1% of users.
> >
> > And in any case, we should push plugins from now on as the preferred
> > way to extend plog at all levels...
> >
> > Oscar
> >
> >
> > On Thu, 24 Feb 2005 09:26:32 -0500 (EST), Jon Daley
> > <plogworld at daley.snurgle.org> wrote:
> >>         That seems reasonable, as long as the configuration option says,
> >> "Danger, Will Robinson, Danger.  Are you sure you know what you are
> >> doing??"
> >>
> >> (:
> >>
> >>
> >> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>
> >>> It definitely should be enabled by default, but perhaps we could add a
> >>> configuration option to easily enable/disable this feature?
> >>>
> >>> Oscar
> >>>
> >>>
> >>> On Thu, 24 Feb 2005 09:17:13 -0500 (EST), Jon Daley
> >>> <plogworld at daley.snurgle.org> wrote:
> >>>> {php} is enabled by default, because security is disabled.
> >>>> When I enabled it on my machine, I got a strange error on "new post",
> >>>> where the javascript preview function popped up an error box.
> >>>> Unfortunately, I didn't write down the error message at the time, had some
> >>>> stuff about NS_ error.
> >>>>
> >>>> And now I can't get it to happen again.
> >>>>
> >>>> I erased my cache and tried again, with no luck in making it fail.
> >>>>
> >>>> Perhaps we can just set this to true?  There are some other related
> >>>> settings regarding trusted and untrusted directories.
> >>>>
> >>>> Enabling it does disable the {php} tags.
> >>>>
> >>>> See Smarty.class.php:
> >>>>      /**
> >>>>       * This enables template security. When enabled, many
> >>>>       * things are restricted in the templates that
> >>>>       * normally would go unchecked. This is useful when
> >>>>       * untrusted parties are editing templates and you
> >>>>       * want a reasonable level of security.
> >>>>       * (no direct execution of PHP in templates for example)
> >>>>       */
> >>>>      var $security       =   false;
> >>>>
> >>>>
> >>>> On Thu, 24 Feb 2005, Oscar Renalias wrote:
> >>>>> 5) unless explicitly enabled, smarty should not allow users to
> >>>>> execute php code via {php}...{/php} tags
> >>>>
> >>>> **************************************************************
> >>>> *     Jonathan M. Daley     *   Everybody is ignorant, only  *
> >>>> *   jondaley at snurgle.org    *     on different subjects.     *
> >>>> * www.snurgle.org/~jondaley *                 -- Will Rogers *
> >>>> **************************************************************
> >>>> _______________________________________________
> >>>> pLog-general mailing list
> >>>> pLog-general at devel.plogworld.net
> >>>> http://devel.plogworld.net/mailman/listinfo/plog-general
> >>>>
> >>>
> >>
> >> **************************************************************
> >> *     Jonathan M. Daley     *  Needs are a function of what  *
> >> *   jondaley at snurgle.org    *       other people have.       *
> >> * www.snurgle.org/~jondaley *            -- Jone's Principle *
> >> **************************************************************
> >>
> >
> 
> **************************************************************
> *     Jonathan M. Daley     *       Who begins too much      *
> *   jondaley at snurgle.org    *      accomplishes little.      *
> * www.snurgle.org/~jondaley *              -- German proverb *
> **************************************************************
>
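The Smarty 2 settings this thread is about, shown as an added PHP example (this is not pLog's or Smarty's own code): the shipped default with `$security = false`, beside a hardened configuration that turns security on, restricts `{include}`/`{fetch}` to a `$secure_dir` list, and pins the individual `security_settings` keys explicitly. The `findPhpTagTemplates()` helper is a hypothetical addition that scans a template tree for `{php}` before the switch is flipped, so an administrator learns which templates will stop compiling instead of finding out from broken pages as described above. The `./templates` path, the `.template` extension and `Smarty.class.php` being on the include path are assumptions.

```php
<?php
// Added example, not pLog or Smarty project code.
// Assumes Smarty 2.x (Smarty.class.php on the include path).
require_once 'Smarty.class.php';

// The weak default the thread describes: Smarty 2 ships with
// $security = false, so {php}...{/php} in a template is compiled and
// executed as PHP by whoever can edit that template.
function smartyWeakDefault()
{
    $smarty = new Smarty();
    // nothing set on purpose: $smarty->security is false here
    return $smarty;
}

// Hardened configuration: template security on, file access fenced to
// the template tree, and every security_settings key set explicitly.
function smartyHardened($templateDir, $compileDir)
{
    $smarty = new Smarty();
    $smarty->template_dir = $templateDir;
    $smarty->compile_dir  = $compileDir;

    // Refuse {php}, {include_php}, arbitrary modifier functions etc.
    // at compile time.
    $smarty->security = true;

    // With security on, {include} and {fetch} may only read from these
    // directories; limit them to the template tree itself.
    $smarty->secure_dir = array($templateDir);

    // Pin the overrides (Smarty::security_settings) rather than relying
    // on defaults that a future version might change.
    $smarty->security_settings['PHP_HANDLING']    = false; // no <?php ?> passthrough
    $smarty->security_settings['PHP_TAGS']        = false; // no {php}...{/php}
    $smarty->security_settings['INCLUDE_ANY']     = false; // includes bound to secure_dir
    $smarty->security_settings['ALLOW_CONSTANTS'] = false; // no PHP constants in templates
    // Read-only helpers that templates legitimately need inside {if}.
    $smarty->security_settings['IF_FUNCS']        = array(
        'array', 'list', 'isset', 'empty', 'count', 'sizeof',
        'in_array', 'is_array', 'true', 'false', 'null'
    );
    // PHP functions allowed as modifiers; keep the list minimal.
    $smarty->security_settings['MODIFIER_FUNCS']  = array('count');

    return $smarty;
}

// Hypothetical helper: list templates that still use {php} so they can be
// rewritten (e.g. as plugins) before security is enabled. Assumes the
// default {} delimiters and a .template file extension.
function findPhpTagTemplates($templateDir)
{
    $hits = array();
    foreach (glob(rtrim($templateDir, '/') . '/*.template') as $file) {
        if (preg_match('/\{php\}/i', file_get_contents($file))) {
            $hits[] = $file;
        }
    }
    return $hits;
}

// Usage (assumed paths):
$offenders = findPhpTagTemplates('./templates');
if (count($offenders) > 0) {
    echo "Templates using {php}, fix before enabling security:\n";
    echo implode("\n", $offenders), "\n";
}
$smarty = smartyHardened('./templates', './templates_c');
```

Running the scan first is the practical difference from just flipping `$security`: with the hardened object, any remaining `{php}` block is reported by the compiler as "(secure mode) php tags not permitted" rather than executed, which is the behaviour the thread wants by default.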
