Smarty
bimal Smarty Elite
Joined: 19 Apr 2007 Posts: 423
Posted: Wed Jun 10, 2009 7:10 pm Post subject: Smarty templating differs from others
Here are a few points on why I stay with Smarty.
I have reviewed a lot of applications that come with a kind of templating engine in their application. Finally, from a security point of view, I loved Smarty.
These templates are perfectly safe, in many ways.
However, bigger software like Magento has poor organization in its template engine.
Reason One
Anyone who releases a free template can voluntarily inject unsafe code to steal things from the user's computers. And it is not easy to avoid this, because every template is a crude PHP script. Downloaded templates should always be suspected, if data safety is a big concern.
Reason Two
Because of the <?php and ?> tags, we cannot easily read the contents within these blocks in visual editors. It makes it harder to produce a new template for such software.
Smarty too has the defect of allowing {php} and {/php} tags. But we can carefully find/disallow them in a downloaded template. Sometimes, by modifying a very small script in Smarty, we can disable parsing of {php} tags. Because these tags are not so common in a template, they are easy to test for vulnerable code. Magento-like systems, on the other hand, compulsorily use <?php and ?>. So finding a badly written script out of this junk is harder.
I now trust that tools written in Smarty are much safer for community interactivity.
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Thu Jun 11, 2009 3:21 pm
FYI, $smarty->security = true does not allow {php} tags.
bimal Smarty Elite
Joined: 19 Apr 2007 Posts: 423
Posted: Thu Jun 11, 2009 5:39 pm Post subject: More security checks we need
Hi Mohrt,
Thanks for this tip.
(We normally do not read out all the source code, and these tips can become very useful.)
Yet, we need to control a few issues with:
{'badfile.php'|include} which is UNSAFE.
{include file='badfile.php'} has a different purpose, and we can consider this safe.
Properly mis-written scripts can again become a more serious issue:
{'config.php'|readfile} => This is very dangerous, and can expose almost any settings / passwords.
Is there any work done already on this?
Or must we consider this feature a vulnerable thing in Smarty?
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Thu Jun 11, 2009 7:16 pm
Please read the documentation on Smarty security. In secure mode, you cannot include anything but other templates, or things from the trusted directory. You are also not permitted to use modifiers not in the access list.
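As an added example (not code from this thread, and not the Smarty project's own code), the PHP below puts the two replies above into practice for Smarty 2.6.x, the release line current when the thread was written: it turns on secure mode with a tight modifier allow-list, an empty trusted directory and constants disabled, and it pre-screens a downloaded template for the constructs bimal raised ({php} blocks, raw <?php tags, and PHP functions such as include or readfile used as modifiers) so a reviewer gets every offending line at once instead of one compile error at a time. The directory names, the denylist and the sample template are constructed for illustration; the behaviour of PHP_HANDLING under secure mode is stated from the 2.6 compiler source as the author understands it.

```php
<?php
// Added example targeting Smarty 2.6.x; not from the forum thread or the Smarty project.
// Directory names and the sample template are made up for illustration.

require_once 'Smarty.class.php'; // assumed to be on the include_path

/**
 * Build a Smarty 2 instance with secure mode on and the file-access escape hatches closed.
 */
function buildSecureSmarty($templateDir, $compileDir)
{
    $smarty = new Smarty();
    $smarty->template_dir = $templateDir;
    $smarty->compile_dir  = $compileDir;

    // Secure mode makes the compiler enforce $security_settings, $secure_dir and $trusted_dir.
    $smarty->security = true;

    // {include} and {fetch} may only reach files under these directories.
    $smarty->secure_dir = array($templateDir);

    // Empty trusted_dir: {include_php} and {insert} have no directory to load scripts from.
    $smarty->trusted_dir = array();

    // Assumed from the 2.6 compiler: with security on and PHP_HANDLING false, php_handling is
    // forced to SMARTY_PHP_PASSTHRU, so a raw <?php ... ?> block is emitted as text, never run.
    $smarty->security_settings['PHP_HANDLING']    = false;
    $smarty->security_settings['PHP_TAGS']        = false; // {php}...{/php} becomes a compile error
    $smarty->security_settings['INCLUDE_ANY']     = false; // no {include} outside secure_dir
    $smarty->security_settings['ALLOW_CONSTANTS'] = false; // no {$smarty.const.DB_PASSWORD}

    // Modifiers are how {'config.php'|readfile} would execute: a plain PHP function used as a
    // modifier must appear on this list. Smarty's shipped default is array('count'); keep it that tight.
    $smarty->security_settings['MODIFIER_FUNCS'] = array('count');
    $smarty->security_settings['IF_FUNCS'] = array(
        'array', 'list', 'isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'true', 'false', 'null',
    );

    return $smarty;
}

/**
 * Pre-flight review of a downloaded template. Returns "line: reason" strings for every construct
 * secure mode would reject or that deserves a human look, so the reviewer sees all of them at once.
 */
function scanTemplate($source)
{
    // PHP functions that read or execute files when smuggled in as a modifier. Starting list only.
    $dangerous = array('include', 'include_once', 'require', 'require_once', 'readfile',
        'file_get_contents', 'file', 'fopen', 'eval', 'system', 'exec', 'shell_exec',
        'passthru', 'popen', 'proc_open', 'unserialize');
    $findings = array();

    foreach (explode("\n", $source) as $i => $line) {
        $n = $i + 1;
        if (preg_match('/\{\/?php\b/', $line)) {
            $findings[] = "$n: {php} block (rejected when PHP_TAGS is false)";
        }
        if (preg_match('/<\?(php|=)?/', $line)) {
            $findings[] = "$n: raw PHP open tag (passed through as text in secure mode, but has no place in a template)";
        }
        if (preg_match('/\{(include_php|insert)\b/', $line, $m)) {
            $findings[] = "$n: {" . $m[1] . "} loads a PHP script (needs an entry in trusted_dir)";
        }
        if (preg_match_all('/\|\s*([a-zA-Z_]\w*)/', $line, $m)) {
            foreach ($m[1] as $mod) {
                if (in_array(strtolower($mod), $dangerous, true)) {
                    $findings[] = "$n: modifier |$mod is a PHP function, not a Smarty plugin (blocked unless listed in MODIFIER_FUNCS)";
                }
            }
        }
    }
    return $findings;
}

// Constructed sample of a "free template" that mixes legitimate and hostile constructs.
$downloaded = "<h1>{\$title|escape}</h1>\n"
    . "{include file='header.tpl'}\n"                          // stays inside secure_dir: fine
    . "{'config.php'|readfile}\n"                              // flagged: PHP function as modifier
    . "{'badfile.php'|include}\n"                              // flagged: PHP function as modifier
    . "{php} echo file_get_contents('../config.php'); {/php}\n"; // flagged: {php} block

$findings = scanTemplate($downloaded);
if ($findings) {
    echo "Refusing to install template:\n - " . implode("\n - ", $findings) . "\n";
} else {
    $smarty = buildSecureSmarty('./templates', './templates_c');
    // $smarty->display('downloaded.tpl');
}
```

The scan is advisory: the enforcing control is $smarty->security = true with the settings above, which makes the compiler refuse the flagged lines. The scanner exists because the compiler stops at the first error, while a reviewer deciding whether to trust a downloaded theme wants the whole list, including legitimate-looking uses of {include} that only stay harmless while secure_dir is restricted to the template directory.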