Smarty forum
Aristophan (Smarty Regular)
Joined: 10 Jan 2011 Posts: 96
Posted: Thu Mar 28, 2013 10:44 am Post subject: disable Exception escapement introduced in 3.1.13
First I couldn't find out why my fatal testing errors (testing an unknown modifier) could not be unescaped with the new
Code: | SmartyException::$escape = false; |
introduced in 3.1.13 by issue #130.
Now I found that the error $message var is already escaped by htmlentities() (at least for SmartyCompilerException errors) when passed to the SmartyException class, so this will not work:
Code: | $this->message = self::$escape ? htmlentities($message) : $message; |
Leaving the default message escape (for security or unescaped error messages???), it has to be
Code: | $this->message = self::$escape ? htmlentities($message) : html_entity_decode($message); |
to work properly.
Could you explain where exactly the security risk was before, so that it was needed to escape these already stringified fatal error messages?
U.Tews (Administrator)
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Sat Mar 30, 2013 5:47 pm
Indeed, it's a bug that Compiler Exceptions get double escaped.
The security risk was that there was a chance that in certain configurations users could force fatal error messages with injected JavaScript code, which got executed.
I will fix the bug of double escaping ASAP.
Aristophan (Smarty Regular)
Joined: 10 Jan 2011 Posts: 96
Posted: Sat Mar 30, 2013 6:26 pm
Hi Uwe,
Yes, I have read about these obscure "certain configurations"... but I can't imagine where and how this could happen, while Exception Errors are halted errors, which are source code stringified already (e.g. <tag>), and which do not need to be escaped again to avoid parsing or code execution.
If there really was a risk, why do you allow $escape = false then?
Could it be described somewhere how to avoid situations where forced code would get executed?
I think having the exception messages unescaped would be much better for the (John Doe) users who get in touch with them.
Regards
Ian
U.Tews (Administrator)
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
Posted: Fri Apr 05, 2013 10:25 pm
This bug is fixed now in the SVN trunk.
SmartyCompilerExceptions don't get double escaped any longer.
SmartyException::$escape = false; now also turns off escaping of SmartyCompilerExceptions.
This fix will later be included in version 3.1.14.
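The double escaping reported in the first post and the fix announced in the last one, as an added PHP example that is not Smarty's own code. ModelException, ModelCompilerException313, ModelCompilerExceptionFixed and renderErrorHtml are stand-in names chosen for this example; the only line taken from the thread is the escape-or-not ternary in the base constructor. The sample "unknown modifier" message is constructed here. The example assumes the 3.1.13 behaviour as the first post describes it (the compiler side already ran htmlentities() on the message before the base constructor escaped it again) and models the fix as passing the raw message through so that the $escape switch decides exactly once.

```php
<?php
// Added example, not Smarty's code: a small model of the double-escaping bug
// discussed in this thread and of the fix announced for 3.1.14.
// All class and function names below are stand-ins, not Smarty's real ones.

class ModelException extends Exception
{
    // Same role as the SmartyException::$escape switch quoted in the first post.
    public static $escape = true;

    public function __construct($message)
    {
        // The 3.1.13 line quoted in the thread: escape once, or not at all.
        // ENT_QUOTES/UTF-8 are passed explicitly so the result does not depend
        // on the PHP version's default charset and quote handling.
        parent::__construct(
            self::$escape ? htmlentities($message, ENT_QUOTES, 'UTF-8') : $message
        );
    }
}

// 3.1.13 behaviour as reported: the compiler side has already run
// htmlentities() on the message before it reaches the base constructor,
// so with $escape = true it is escaped twice, and with $escape = false it
// is still escaped once (the switch appears not to work).
class ModelCompilerException313 extends ModelException
{
    public function __construct($message)
    {
        parent::__construct(htmlentities($message, ENT_QUOTES, 'UTF-8'));
    }
}

// Fixed behaviour: hand the raw message to the base class and let
// $escape decide exactly once, so $escape = false really turns it off.
class ModelCompilerExceptionFixed extends ModelException
{
    public function __construct($message)
    {
        parent::__construct($message);
    }
}

// What a page that prints the error must do when $escape is false:
// the escaping moves to the output boundary, otherwise template-controlled
// text in a fatal message lands in the HTML unescaped (the risk Uwe names).
function renderErrorHtml(Exception $e)
{
    $text = $e->getMessage();
    if (!ModelException::$escape) {
        $text = htmlentities($text, ENT_QUOTES, 'UTF-8');
    }
    return '<pre class="error">' . $text . '</pre>';
}

// Constructed fatal message: an unknown modifier whose name comes from
// template source that a template author (or anyone who can edit one)
// could influence.
$badModifier = '<script>alert(1)</script>';
$msg = 'unknown modifier "' . $badModifier . '"';

foreach ([true, false] as $flag) {
    ModelException::$escape = $flag;
    printf("escape=%s\n", $flag ? 'true' : 'false');
    printf("  3.1.13: %s\n", (new ModelCompilerException313($msg))->getMessage());
    printf("  fixed : %s\n", (new ModelCompilerExceptionFixed($msg))->getMessage());
    printf("  page  : %s\n", renderErrorHtml(new ModelCompilerExceptionFixed($msg)));
}
```

Running this shows the two halves of the thread side by side: with $escape = true the 3.1.13 model turns `<script>` into `&amp;lt;script&amp;gt;` (the reader sees a literal `&lt;script&gt;` on screen), while the fixed model produces `&lt;script&gt;` once, which displays as the visible text `<script>`; with $escape = false the 3.1.13 model is still escaped once, whereas the fixed model returns the raw tag, which is only safe because renderErrorHtml escapes it before it reaches the page. That last line is the practical answer to the question of when $escape = false is acceptable: only when whatever prints the message escapes at output time.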