
secure mode and load_config

shuther
Smarty Rookie


Joined: 04 Jan 2004
Posts: 13

Posted: Mon Mar 15, 2004 11:03 am    Post subject: secure mode and load_config

I am using the latest CVS version.
I have $smarty->config_dir that is not in $smarty->trusted_dir.
With security = true, I got the errors:
Quote:
(secure mode) accessing "file C:\devl\projet\include/configs/\main.conf"


I am not sure that is the desired behaviour?

I added the directory in $smarty->trusted_dir, it still doesn't work; maybe I am missing something?
shuther
Posted: Mon Mar 15, 2004 11:09 am

I found the problem, I forgot to add:
$smarty->secure_dir = array($smarty->config_dir);

But maybe it could be automatic?
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Mon Mar 15, 2004 4:00 pm

ah, that's nasty indeed.

it would be easiest to fix this the way you suggest (making "config" a secure dir automatically):

Code:
Index: libs/core/core.is_secure.php
===================================================================
RCS file: /repository/smarty/libs/core/core.is_secure.php,v
retrieving revision 1.7
diff -u -r1.7 core.is_secure.php
--- libs/core/core.is_secure.php        24 Feb 2004 00:10:55 -0000      1.7
+++ libs/core/core.is_secure.php        15 Mar 2004 15:53:38 -0000
@@ -28,7 +28,9 @@
         if($check_template_dir) {
             if (!in_array($smarty->template_dir, $smarty->secure_dir))
                 // add template_dir to secure_dir array
-                array_unshift($smarty->secure_dir, $smarty->template_dir);
+                array_unshift($smarty->secure_dir,
+                              $smarty->template_dir, $smarty->config_dir);
             $check_template_dir = false;
         }
         if (!empty($smarty->secure_dir)) {
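
Review bot: the new `$smarty->config_dir` argument sits inside the `if (!in_array($smarty->template_dir, $smarty->secure_dir))` branch, so config_dir is only added when template_dir was missing from secure_dir; a setup that already lists template_dir there never gets config_dir added and still fails on config files. The unshift also has no in_array test for config_dir itself, and it changes the shared `$smarty->secure_dir` array rather than a per-request copy, so the entry applies to every later check against that list. Suggest giving config_dir its own membership test and accepting it only when the caller is loading a config file.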



but this would make the config-dir a trusted directory also for (secured) {fetch}, {include} etc. I don't know if this is a problem.
messju
Posted: Tue Mar 16, 2004 10:09 am

I can answer myself: making $smarty->config secure by default is not an option, this would expose the whole config-file to (untrusted) template-editors.

But I am working on a solution that makes $smarty->config only secure for config-load.
messju
Posted: Tue Mar 23, 2004 9:53 am

I committed a fix to the bug you reported above.
$smarty->config_dir is considered a secure dir for config_load() now.
thanks for finding this one!
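
The distinction this thread ends on, config_dir trusted for config loading but not for template-side file reads, sketched as an added example (not Smarty's own code and not part of any post above). `inDirs()`, `isAllowed()`, the `'config'`/`'file'` type labels and the sample directory tree are hypothetical.

```php
<?php
// Added illustration, not Smarty's code; function names and the
// directory tree are hypothetical.

/** True when $file resolves to a real path inside one of $dirs. */
function inDirs(string $file, array $dirs): bool
{
    $real = realpath($file);              // resolves ".." and symlinks
    if ($real === false) {
        return false;                     // missing file: deny
    }
    foreach ($dirs as $dir) {
        $base = realpath($dir);
        // Trailing separator keeps "configs_old" from matching "configs".
        if ($base !== false && strncmp($real, $base . DIRECTORY_SEPARATOR,
                                       strlen($base) + 1) === 0) {
            return true;
        }
    }
    return false;
}

/** $type 'config' = config loading; any other value = template-side read. */
function isAllowed(string $type, string $file, array $secureDirs, string $configDir): bool
{
    $dirs = $secureDirs;                  // copy: the shared list is not widened
    if ($type === 'config') {
        $dirs[] = $configDir;             // trusted for this request type only
    }
    return inDirs($file, $dirs);
}

// Constructed sample tree under the system temp directory.
$root = sys_get_temp_dir() . '/secure_demo_' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/configs", 0700, true);
file_put_contents("$root/templates/index.tpl", 'hello');
file_put_contents("$root/configs/main.conf", 'title = demo');

$secure = ["$root/templates"];            // directories the integrator listed
$conf   = "$root/configs";

foreach ([['config', "$root/configs/main.conf"],                // config load
          ['file',   "$root/configs/main.conf"],                // template-side read of a config file
          ['file',   "$root/templates/index.tpl"],              // ordinary template read
          ['file',   "$root/templates/../configs/main.conf"]]   // traversal out of templates
         as [$type, $path]) {
    printf("%-6s %-45s %s\n", $type, substr($path, strlen($root)),
           isAllowed($type, $path, $secure, $conf) ? 'allowed' : 'denied');
}
```

Only the config load and the ordinary template read are allowed; both template-side attempts to reach `main.conf` are denied because config_dir is appended to a per-request copy of the list, never to the shared one.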