
secure_dir check bug

 
sagi
Smarty Regular



Posted: Sun Apr 04, 2004 11:09 am    Post subject: secure_dir check bug

I'm using Smarty with $security enabled.

In core.is_secure.php:37 you use is_readable() to check if the directory is readable.

But the directory doesn't need to be readable to be secure - in many setups the web server user has just execute permission to the site directories and not read permission (so it can't list the files).

Obviously this is causing Smarty to not function properly in such an environment.
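The permission behaviour described in the post above, as an added example that is not part of the original thread and is not Smarty's code: on a directory with execute-only permission, `is_readable()` on the directory fails for a non-root user while a template inside it is still readable by its known path. The helper `in_secure_dir()` and the sandbox paths are hypothetical; the helper goes slightly beyond the post by showing a containment check based on `realpath()` that does not depend on directory read permission.

```php
<?php
// Added illustration, not Smarty's code. Builds a constructed sandbox in the temp dir.
// Assumes a POSIX filesystem and a non-root user (root bypasses permission bits).

// Hypothetical helper: decide by path containment whether $file lies inside one of
// $secureDirs, without requiring read (list) permission on the directory itself.
function in_secure_dir(string $file, array $secureDirs): bool
{
    $real = realpath($file);            // resolves symlinks and ".." segments
    if ($real === false) {
        return false;                   // missing or unreachable path
    }
    foreach ($secureDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // The trailing separator keeps ".../templates" from matching ".../templates_other".
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

$root = sys_get_temp_dir() . '/secure_dir_demo_' . getmypid();
mkdir("$root/templates", 0755, true);
mkdir("$root/templates_other", 0755);
file_put_contents("$root/templates/index.tpl", "hello\n");
file_put_contents("$root/templates_other/x.tpl", "x\n");
chmod("$root/templates", 0111);         // execute (search) only: traverse, but no listing

$secure = ["$root/templates"];
$checks = [
    'is_readable(secure dir)'      => is_readable("$root/templates"),
    'is_readable(template file)'   => is_readable("$root/templates/index.tpl"),
    'in_secure_dir(template file)' => in_secure_dir("$root/templates/index.tpl", $secure),
    'in_secure_dir(sibling dir)'   => in_secure_dir("$root/templates_other/x.tpl", $secure),
    'in_secure_dir(via ../)'       => in_secure_dir("$root/templates/../templates_other/x.tpl", $secure),
];
foreach ($checks as $label => $result) {
    printf("%-30s %s\n", $label, var_export($result, true));
}

// Remove the sandbox.
chmod("$root/templates", 0755);
array_map('unlink', glob("$root/*/*.tpl"));
array_map('rmdir', ["$root/templates", "$root/templates_other", $root]);
```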
messju
Administrator



Posted: Mon Apr 12, 2004 12:21 pm

Fixed in CVS. Thanks for pointing this out! Please test.
boots
Administrator



Posted: Mon Apr 12, 2004 10:06 pm

I kind of think this is bad.

If secure_dir is meant for trusted templates, then the policy should be both that the templates are reachable and that the directory is browsable. Otherwise, reflection issues become very difficult.

All in all, I think that "secure_dir" is way too overloaded at present.
messju
Administrator



Posted: Tue Apr 13, 2004 6:11 am

boots: I don't see your point here. Keep your dirs browsable and be fine.