|
Smarty
Author |
Message |
sagi Smarty Regular
Joined: 30 Jul 2003 Posts: 43
|
Posted: Sun Apr 04, 2004 11:09 am Post subject: secure_dir check bug |
|
|
I'm using Smarty with $security enabled.
In core.is_secure.php:37 you use is_readable() to check if the directory is readable.
But the directory doesn't need to be readable to be secure - in many setups the web server user has just execute permission to the site directories and not read permission (so it can't list the files).
Obviously this is causing Smarty to not function properly in such an environment. |
|
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Mon Apr 12, 2004 12:21 pm Post subject: |
|
|
fixed in CVS. thanks for pointing this out! please test. |
|
|
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
|
Posted: Mon Apr 12, 2004 10:06 pm Post subject: |
|
|
I kind of think this is bad.
If secure_dir is meant for trusted templates, then the policy should be that the templates are both reachable and that the directory is browsable. Otherwise, reflection issues become very difficult.
All-in-all, I think that "secure_dir" is way too overloaded at present. |
|
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Apr 13, 2004 6:11 am Post subject: |
|
|
boots: I don't see your point here. keep your dirs browsable and be fine. |
|
|
|
|
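The permission behaviour this thread turns on, as an added example that is not part of any post and is not Smarty's code: on POSIX, a directory with execute (search) permission but no read permission still lets a file be opened by name, while listing it is denied, so a check gated on is_readable() of the directory and one that is not will disagree. The function names and the temporary path are hypothetical; run it as a non-root user, since root bypasses permission checks.

```php
<?php
// Added illustration, not Smarty source. Names and paths are constructed.
// Run as a non-root user on a POSIX system (root bypasses permission checks).

// True when the resolved file path lies under the resolved directory path.
function path_is_inside(string $file, string $dir): bool {
    $rf = realpath($file);
    $rd = realpath($dir);
    if ($rf === false || $rd === false) {
        return false;
    }
    // Trailing separator stops "/a/secure_evil" matching "/a/secure".
    $rd = rtrim($rd, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($rf, $rd, strlen($rd)) === 0;
}

// Containment check that also requires the directory to be listable.
function in_secure_dir_readable(string $file, string $dir): bool {
    return is_readable($dir) && path_is_inside($file, $dir);
}

// Containment check that only requires the directory to exist and be reachable.
function in_secure_dir_search_only(string $file, string $dir): bool {
    return is_dir($dir) && path_is_inside($file, $dir);
}

// Constructed fixture: one template inside a search-only directory.
$dir = sys_get_temp_dir() . '/secure_dir_demo_' . getmypid();
$tpl = $dir . '/page.tpl';
mkdir($dir, 0700);
file_put_contents($tpl, "Hello {\$name}\n");
chmod($tpl, 0400);
chmod($dir, 0100);   // --x------ : may traverse, may not list
clearstatcache();

echo "directory listable:         "; var_dump(is_readable($dir));
echo "scandir() succeeds:         "; var_dump(@scandir($dir) !== false);
echo "template readable by name:  "; var_dump(is_readable($tpl));
echo "check gated on is_readable: "; var_dump(in_secure_dir_readable($tpl, $dir));
echo "check without that gate:    "; var_dump(in_secure_dir_search_only($tpl, $dir));

// Restore permissions so the fixture can be removed.
chmod($dir, 0700);
unlink($tpl);
rmdir($dir);
```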
|