[pLog-general] how to protect your site?

linuxman subaochen at 126.com
Thu Feb 24 23:14:55 GMT 2005 

Oscar explained very clearly, thanks a lots!

About allow user to execute php code in template file, the answer is
definately NO, especially uploaded template file. So I think whatever
Smarty allows or not, we should check uploaded template file, maybe:

if(preg("/{php}/i"), get_file_contents($each_upload_template_file) ) 
    return ERROR...

I noticed you commit an option to admin interface, but allow use to
execute php code is really a very bad idea, so why allow this by an
option?



在 2005-02-24四的 14:23 +0200,Oscar Renalias写道:
> Hi,
> 
> this is the process:
> 
> 1) the file is uploaded and moved to the temporary folder
> 2) there it is unpacked to a random folder in the temporary folder. We
> use a random folder name so that the location cannot be predicted by
> an attacker.
> 3) the All the files and folders in the temporary folder will be
> scanned, looking for forbidden files. A forbidden file is a file whose
> name matches one of the file patterns in
> administration->uploads->upload_forbidden_files
> 4.1) if there is a forbidden file, the whole folder will be removed
> 4.2) if everything is ok, the random folder will be removed and the
> template set will be unpacked _again_ to the final destination under
> templates/whatever or templates/X/whatever
> 5) unless explicitely enabled, smarty should not allow users to
> execute php code via {php}...{/php} tags
> 
> Since we used a temporary folder name, an attacker cannot execute any
> file during the process described above.
> 
> Everything is handled by the TemplateSandbox class
> (class/template/templatesandbox.class.php) The code might look a bit
> messy but it works :))) Other classes that help during the process are
> UploadValidator (makes sure that an uploaded file is not a forbidden
> itself) and TemplateValidator that makes sure that a template is
> really valid, meaning that it contains all the right files and so on.
> 
> Hope this made things clear :-)
> 
> Oscar
> 
> On Thu, 24 Feb 2005 14:28:01 +0800, linuxman <subaochen at 126.com> wrote:
> > hi oscar,
> > 
> > When allow user to upload their own templates, how to protected the site
> > to avoid attack? for example, use can insert php codes to the uploaded
> > template.
> > 
> > Best regards,
> > 
> > Su Baochen
> > 
> > _______________________________________________
> > pLog-general mailing list
> > pLog-general at devel.plogworld.net
> > http://devel.plogworld.net/mailman/listinfo/plog-general
> >
> _______________________________________________
> pLog-general mailing list
> pLog-general at devel.plogworld.net
> http://devel.plogworld.net/mailman/listinfo/plog-general
>

More information about the pLog-general mailing list