The discussions here are for Smarty, a template engine for the PHP programming language.
disable Exception escapement introduced in 3.1.13

 
Aristophan
Smarty Regular



Posted: Thu Mar 28, 2013 10:44 am    Post subject: disable Exception escapement introduced in 3.1.13

First I couldn't find out why my fatal testing errors (testing an unknown modifier) could not be unescaped with the new
Code:
SmartyException::$escape = false;
introduced in 3.1.13 by issue #130.

Now I found that the error $message var is already escaped by htmlentities() (at least for SmartyCompilerException errors) when passed to the SmartyException class, so this will not work:
Code:
$this->message = self::$escape ? htmlentities($message) : $message;

Leaving the default message escape (for security or unescaped error messages???) it has to be
Code:
$this->message = self::$escape ? htmlentities($message) : html_entity_decode($message);
to work properly.

Could you explain where exactly the security risk was before, so it was needed to escape these fatal error already stringified messages?
U.Tews
Administrator



Posted: Sat Mar 30, 2013 5:47 pm

Indeed it's a bug that Compiler Exceptions get double escaped.

The security risk was that there was a chance that in certain configurations users could force fatal error messages with injected JavaScript code which got executed.

I will fix the bug of double escaping ASAP
Aristophan
Smarty Regular



Posted: Sat Mar 30, 2013 6:26 pm

Hi Uwe

Yes, I have read about these obscure "certain configurations"... but I can't imagine where and how this could happen, while Exception Errors are halted errors, which are source code stringified already (e.g. <tag>), and which do not need to be escaped again to avoid parsing or code execution.
If there really was a risk, why do you allow $escape false then?
Could it be described somewhere how to avoid situations where forced code would get executed?
I think having the exception messages unescaped would be much better for the (John Doe) users which get in touch with them.

Regards
Ian
U.Tews
Administrator



Posted: Fri Apr 05, 2013 10:25 pm

This bug is fixed now in the SVN trunk.

SmartyCompilerException's don't get double escaped any longer.

SmartyException::$escape = false; does now also turn off escaping of SmartyCompilerException's.

This fix will later be included in version 3.1.14
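
The double escaping discussed in this thread, next to an escape-once arrangement, as an added PHP sketch that is not from any poster and is not Smarty's code. `DemoException`, `preEscapedCompilerError` and `rawCompilerError` are hypothetical names, and the sample input is constructed:

```php
<?php
// Added illustration. DemoException and the two helper functions are
// hypothetical stand-ins, not Smarty classes; only the $escape ternary
// is taken from the thread.
class DemoException extends Exception
{
    public static $escape = true;

    public function __construct($message)
    {
        // Single escaping point, switchable through the static flag.
        parent::__construct(self::$escape ? htmlentities($message) : $message);
    }
}

// Behaviour reported in the thread: the text is escaped before it reaches
// the base class, so it is escaped twice with the flag on and is still
// escaped once with the flag off.
function preEscapedCompilerError($detail)
{
    return new DemoException(htmlentities("unknown modifier \"$detail\""));
}

// Escape-once variant: raw text goes in and the base class decides.
function rawCompilerError($detail)
{
    return new DemoException("unknown modifier \"$detail\"");
}

// Constructed sample: markup arriving in a name that ends up in the message.
$detail = '<script>alert(1)</script>';

foreach ([true, false] as $flag) {
    DemoException::$escape = $flag;
    printf("escape=%s\n", var_export($flag, true));
    printf("  pre-escaped: %s\n", preEscapedCompilerError($detail)->getMessage());
    printf("  raw input:   %s\n", rawCompilerError($detail)->getMessage());
}

// With the flag off, encode where the message enters an HTML page instead.
DemoException::$escape = false;
$e = rawCompilerError($detail);
echo '<pre>', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "</pre>\n";
```

Run from the command line, the pre-escaped rows show the flag having no visible effect, while the raw-input rows follow it. With the flag off the message carries live markup, so any handler that prints it into a page has to encode it at that point.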