[pLog-svn] r1203 - in plog/trunk: . class/template locale templates/admin templates/summary

Jon Daley plogworld at daley.snurgle.org
Fri Feb 25 13:33:13 GMT 2005


 	This was on my "production" server (where of course I am running 
the latest builds...) so I didn't try it out with anything other than my 
default settings.

 	"jondaley" is my main template inside the templates folder.  I 
don't access any files outside of that template, though I have a couple 
plugins, but I think plugins don't count in this security stuff?  I have 
turned off most of the plugins because they depend on non-cached 
templates.
 	Are you saying that this setting works fine for you?

 	I had a thought in the shower this morning (where I solve most 
bugs): by adding this to template.class and not cachedtemplate.class, 
does that mean {php} tags would work in the cached templates, but not in 
the regular templates?  Of course, this shouldn't ever happen in real 
life, but since I added the security setting when there was stuff already 
cached, presumably my blog continued to work until the cache was erased 
(when I posted a comment).

 	About including files from other directories, a bunch of the 
templates use pictures from the /imgs/ directory, and presumably some 
people include resources from the album in their posts?



On Fri, 25 Feb 2005, Oscar Renalias wrote:
> where were all your template files? Was it jondaley/ for all of them?
>
> There might be some issues if you are using, for example,
> templates/my_template and try to include something from
> templates/my_other_template... This could also help to prevent things
> like
>
> {include file="/etc/passwd"}
>
> which should work in 0.3.x releases...(and which is quite dangerous too!)
>
> Oscar
>
> On Thu, 24 Feb 2005 15:52:28 -0500 (EST), Jon Daley
> <plogworld at daley.snurgle.org> wrote:
>>         Oops.  This broke my installation.  I just got the latest, and I
>> went to one page (perhaps cached) and posted a comment.  Then I got:
>>
>> Exception message: Smarty error: (secure mode) accessing
>> "jondaley/postandcomments.template" is not allowed
>> Error code: 512
>>
>> The comment was posted, so the data was not lost.
>>
>>
>> On Thu, 24 Feb 2005 oscar at devel.plogworld.net wrote:
>>
>>> Author: oscar
>>> Date: 2005-02-24 15:21:56 +0000 (Thu, 24 Feb 2005)
>>> New Revision: 1203
>>>
>>> Modified:
>>>   plog/trunk/class/template/template.class.php
>>>   plog/trunk/locale/locale_en_UK.php
>>>   plog/trunk/templates/admin/globalsettings_templates.template
>>>   plog/trunk/templates/summary/pager.template
>>>   plog/trunk/wizard.php
>>> Log:
>>> now php code is not allowed by default in smarty templates. In order to
>>> reenable this feature, set administration->global settings->template settings->allow_php_code_in_templates
>>> to true.
>>> A new locale string was needed (help_allow_php_code_in_templates) and the
>>> wizard has also been modified in order to add this new setting to the plog_config table.
>>>
>>>
>>> Modified: plog/trunk/class/template/template.class.php
>>> ===================================================================
>>> --- plog/trunk/class/template/template.class.php      2005-02-24 08:17:09 UTC (rev 1202)
>>> +++ plog/trunk/class/template/template.class.php      2005-02-24 15:21:56 UTC (rev 1203)
>>> @@ -51,6 +51,14 @@
>>>
>>>             // enable the security settings
>>>             $this->php_handling = false;
>>> +            // code is not allowed in the templates by default, unless specified otherwise
>>> +            /*if( $config->getValue( 'allow_php_code_in_templates', false ))
>>> +             $this->security = true;
>>> +            else
>>> +             $this->security = false;*/
>>> +
>>> +            $this->security = (boolean)!$config->getValue( 'allow_php_code_in_templates', false );
>>> +            //$this->security = true;
>>>
>>>             // default folders
>>>             $this->compile_dir  = $config->getValue( 'temp_folder' );
>>>
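Review bot: `$this->security = (boolean)!$config->getValue( 'allow_php_code_in_templates', false );` switches on the whole of Smarty's secure mode whenever `{php}` is disallowed, but secure mode also restricts `{include}` to the directories in `$secure_dir`, which is exactly what produced the `(secure mode) accessing "jondaley/postandcomments.template" is not allowed` error reported above. Keep `$this->security = true;` unconditionally, add the templates folder to `$this->secure_dir`, and drive only `$this->security_settings['PHP_TAGS']` from `allow_php_code_in_templates`. The `(boolean)` cast is redundant after `!`, and the commented-out `/* ... */` block plus `//$this->security = true;` should be deleted rather than committed. Since the same set-up apparently lives in cachedtemplate.class as well, the change needs to land there too, or the Smarty configuration should be factored into one shared place so the two classes cannot disagree.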
>>> Modified: plog/trunk/locale/locale_en_UK.php
>>> ===================================================================
>>> --- plog/trunk/locale/locale_en_UK.php        2005-02-24 08:17:09 UTC (rev 1202)
>>> +++ plog/trunk/locale/locale_en_UK.php        2005-02-24 15:21:56 UTC (rev 1203)
>>> @@ -724,6 +724,7 @@
>>> $messages['help_template_cache_enabled'] = 'Enable the template cache. If enabled, the cached version of a page will be used whenever possible. No data will need to be fetched from the database and templates will not need to be recompiled';
>>> $messages['help_template_cache_lifetime'] = 'Lifetime in seconds of the cache. Set to -1 to force the cache to never expire. If set to 0, the cache will be disabled but it is recommended to set template_cache_enabled to "No" in order to disable the cache';
>>> $messages['help_template_http_cache_enabled'] = 'Enable support for HTTP conditional requests. If enabled, pLog will take the "If-Modified-Since" HTTP header into account and send only content if strictly needed. Enable this to save bandwidth';
>>> +$messages['help_allow_php_code_in_templates'] = 'Allows to embed native PHP code in Smarty templates inside {php}...{/php} blocks';
>>> // urls
>>> $messages['help_request_format_mode'] = 'Select one of the available URL format. If using custom URLs, make sure to configure the settings below';
>>> $messages['plain'] = 'Plain';
>>>
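Review bot: the new help string "Allows to embed native PHP code in Smarty templates inside {php}...{/php} blocks" is ungrammatical; "Allows embedding native PHP code in Smarty templates inside {php}...{/php} blocks" reads better. Since this is the text an administrator sees before flipping the switch, it should also state that the setting is off by default and that enabling it lets anyone who can edit a template run arbitrary PHP on the server.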
>>> Modified: plog/trunk/templates/admin/globalsettings_templates.template
>>> ===================================================================
>>> --- plog/trunk/templates/admin/globalsettings_templates.template      2005-02-24 08:17:09 UTC (rev 1202)
>>> +++ plog/trunk/templates/admin/globalsettings_templates.template      2005-02-24 15:21:56 UTC (rev 1203)
>>> @@ -25,6 +25,13 @@
>>>     <input class="radio" type="radio" id="config[users_can_add_templates]" name="config[users_can_add_templates]" value="1" {if $users_can_add_templates == 1 } checked="checked" {/if} />{$locale->tr("yes")}
>>>     <input class="radio" type="radio" id="config[users_can_add_templates]" name="config[users_can_add_templates]" value="0" {if $users_can_add_templates == 0 } checked="checked" {/if} />{$locale->tr("no")}
>>>    </div>
>>> +   <!-- allow_php_code_in_templates -->
>>> +   <div class="field">
>>> +    <label for="config[allow_php_code_in_templates]">allow_php_code_in_templates</label>
>>> +    <div class="formHelp">{$locale->tr("help_allow_php_code_in_templates")}</div>
>>> +    <input class="radio" type="radio" id="config[allow_php_code_in_templates]" name="config[allow_php_code_in_templates]" value="1" {if $allow_php_code_in_templates == 1 } checked="checked" {/if} />{$locale->tr("yes")}
>>> +    <input class="radio" type="radio" id="config[allow_php_code_in_templates]" name="config[allow_php_code_in_templates]" value="0" {if $allow_php_code_in_templates == 0 } checked="checked" {/if} />{$locale->tr("no")}
>>> +   </div>
>>>    <!-- template_compile_check -->
>>>    <div class="field">
>>>     <label for="config[template_compile_check]">template_compile_check</label>
>>>
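Review bot: both new radio inputs carry the same `id="config[allow_php_code_in_templates]"`, so the document has duplicate ids and the `<label for="...">` can only bind to the first one. Give each radio its own id (for example `config_allow_php_code_in_templates_yes` / `_no`), or drop `for` and wrap each input in its own `<label>`. The `users_can_add_templates` block above has the same defect, so this hunk copies a pattern that is worth fixing in both places.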
>>> Modified: plog/trunk/templates/summary/pager.template
>>> ===================================================================
>>> --- plog/trunk/templates/summary/pager.template       2005-02-24 08:17:09 UTC (rev 1202)
>>> +++ plog/trunk/templates/summary/pager.template       2005-02-24 15:21:56 UTC (rev 1203)
>>> @@ -1,4 +1,4 @@
>>> -{if $style=="list" || style==""}
>>> +{if $style=="list" || $style==""}
>>>       <script type="text/javascript">
>>>               {literal}
>>>               function onPagerListChange(list)
>>>
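Review bot: the missing `$` in `style==""` is a genuine fix, but it is unrelated to this commit's stated purpose (disabling `{php}` by default) and is not mentioned in the log message; it belongs in its own commit with its own log line so it can be found and reverted independently.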
>>> Modified: plog/trunk/wizard.php
>>> ===================================================================
>>> --- plog/trunk/wizard.php     2005-02-24 08:17:09 UTC (rev 1202)
>>> +++ plog/trunk/wizard.php     2005-02-24 15:21:56 UTC (rev 1203)
>>> @@ -626,6 +626,7 @@
>>> $Inserts[107] = "INSERT INTO {dbprefix}config (config_key, config_value, value_type) VALUES('template_http_cache_enabled', '0', 1);";
>>> $Inserts[108] = "INSERT INTO {dbprefix}config (config_key, config_value, value_type) VALUES('template_compile_check', '1', 1);";
>>> $Inserts[109] = "INSERT INTO {dbprefix}config (config_key, config_value, value_type) VALUES('update_cached_article_reads', '1', 1);";
>>> +$Inserts[110] = "INSERT INTO {dbprefix}config (config_key, config_value, value_type) VALUES('allow_php_code_in_templates', '0', 1);";
>>>
>>>
>>>       /**
>>> @@ -1397,7 +1398,7 @@
>>>             // ---
>>>             // add the new configuration settings that were added for 1.0
>>>             // ---
>>> -            $newSettings = range( 71, 109 );
>>> +            $newSettings = range( 71, 110 );
>>>             foreach( $newSettings as $settingId ) {
>>>                 $setting = $Inserts[$settingId];
>>>                 $query = str_replace( "{dbprefix}", $this->_dbPrefix, $setting );
>>>
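Review bot: `range( 71, 110 )` hard-codes an upper bound that has to be bumped by hand every time an `$Inserts[...]` entry is added, as this commit does; a forgotten bump silently skips the new setting on upgrade. Derive the bound from `max( array_keys( $Inserts ) )` or iterate the relevant slice of `$Inserts` directly so the two hunks cannot drift apart.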
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.plogworld.net
>>> http://devel.plogworld.net/mailman/listinfo/plog-svn
>>>
>>
>> **************************************************************
>> *     Jonathan M. Daley     *     Time is nature's way of    *
>> *                           *     keeping everything from    *
>> *   jondaley at snurgle.org    *       happening at once.       *
>> *                           *                 -- Woody Allen *
>> * www.snurgle.org/~jondaley *                                *
>> **************************************************************

**************************************************************
*     Jonathan M. Daley     *      Everywhere is walking     *
*                           *    distance if you have the    *
*   jondaley at snurgle.org    *              time.             *
*                           *              -- Stephen Wright *
* www.snurgle.org/~jondaley *                                *
**************************************************************
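One way to address both points raised in the thread above (keeping the regular and cached template classes in step, and blocking includes such as `{include file="/etc/passwd"}` without tying that to the `{php}` switch) is to put the Smarty security configuration in one shared function. This is an added example, not pLog's own code or the code in the r1203 patch; it assumes Smarty 2.x (`Smarty.class.php`), the `$config->getValue( $key, $default )` accessor seen in the patch, and made-up names `configureSecureSmarty` and `$templateDir`.

```php
<?php
// Added example (not pLog's own code): one Smarty set-up shared by the regular
// and the cached template classes, so the security policy cannot drift between
// them. Assumes Smarty 2.x and a $config object with getValue($key, $default).
require_once 'Smarty.class.php';

/**
 * Apply a restrictive Smarty policy and return the configured object.
 * $templateDir is the root folder that holds every template (hypothetical
 * parameter; pLog's real path is whatever the caller passes in).
 */
function configureSecureSmarty(Smarty $smarty, $config, $templateDir)
{
    $smarty->template_dir = $templateDir;
    $smarty->compile_dir  = $config->getValue('temp_folder');

    // Raw <?php ... ?> blocks in templates are stripped instead of passed
    // through; this is a Smarty 2 constant, not a boolean.
    $smarty->php_handling = SMARTY_PHP_REMOVE;

    // Secure mode stays on unconditionally. It is what confines {include} to
    // $secure_dir, so an include of /etc/passwd is refused regardless of the
    // {php} setting below.
    $smarty->security   = true;
    $smarty->secure_dir = array($templateDir);
    $smarty->security_settings['INCLUDE_ANY'] = false;

    // Only the {php}...{/php} switch follows the admin setting. The value is
    // stored as the string '0' or '1', and (bool)'0' is false in PHP, so the
    // cast gives the intended default of "off".
    $allowPhp = (bool) $config->getValue('allow_php_code_in_templates', false);
    $smarty->security_settings['PHP_TAGS'] = $allowPhp;

    return $smarty;
}

// Both template classes would call the same function, e.g.:
//   $this->_smarty = configureSecureSmarty(new Smarty(), $config, $templateDir);
// so a cached template and a freshly compiled one are governed by one policy.
```

Because `$secure_dir` only governs template files loaded through `{include}` and `fetch()`, it has no effect on `<img>` references to `/imgs/` or album resources: those URLs are resolved by the visitor's browser, not by Smarty, so they keep working with secure mode on.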
