Smarty Forum Index
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon.

how to prevent access $smarty in template?
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Mon Dec 29, 2014 4:25 pm    Post subject: how to prevent access $smarty in template?

Hi,
How can I prevent access to $smarty in templates (or delete $smarty)?
For example, if a user uses the code below:
Code:

{$smarty.now}

an error is displayed to the user.

-------------------------------------------
(This text was translated by Google.)
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

PostPosted: Mon Dec 29, 2014 4:48 pm    Post subject:

Access to the special $smarty variables cannot be disabled.

Why do you need it?
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Mon Dec 29, 2014 5:22 pm    Post subject:

Thanks for the reply.

I am using Smarty for users, and any user can change their own template.

For example:
Code:

// get_template() returns the template source stored for this user (defined elsewhere)
$smarty->display('eval:'.get_template($user_id));


I do not want the user to see system information such as paths, etc.

For example:
Code:

{print_r($smarty.template_object)}

output :
Code:

Smarty_Internal_Template Object
(
    [cache_id] =>
    [compile_id] => 3
    [caching] =>
    [cache_lifetime] => 3600
    [template_resource] => eval:{print_r( $smarty.template_object)}
    [mustCompile] =>
    [has_nocache_code] =>
    [properties] => Array
        (
            [file_dependency] => Array
                (
                )

            [nocache_hash] => 1271454a18b579ee002-82575054
            [function] => Array
                (
                )

            [has_nocache_code] =>
            [version] => Smarty-3.1.21-dev
            [unifunc] => content_54a18b57a30f28_03222694
        )

    [required_plugins] => Array
        (
            [compiled] => Array
                (
                )

            [nocache] => Array
                (
                )

        )

    [smarty] => Smarty Object
        (
            [auto_literal] => 1
            [error_unassigned] =>
            [use_include_path] =>
            [template_dir:Smarty:private] => Array
                (
                    [0] => C:/xampp _5.6.3/htdocs/***/inc/classes/smarty/data/template\
                )
...


This may be dangerous!

My Smarty security config:

Code:

set_time_limit(5); // limit script run time (against DoS attacks)

$smarty->compile_id = $user_id;
$smarty->caching  = false;

$smartySecurity = new Smarty_Security($smarty);

$smartySecurity->php_handling = Smarty::PHP_PASSTHRU;
$smartySecurity->secure_dir = array();
$smartySecurity->trusted_dir = array();
$smartySecurity->trusted_uri = array();
$smartySecurity->static_classes = array();
$smartySecurity->php_functions = $ALLOW_FUNCTIONS_ROOT;   // whitelist arrays defined elsewhere
$smartySecurity->php_modifiers = $ALLOW_MODIFIERES_ROOT;
$smartySecurity->allowed_modifiers = array();
$smartySecurity->disabled_modifiers = array('regex_replace'); // against DoS attacks
$smartySecurity->allowed_tags  = array();
$smartySecurity->disabled_tags  = array('config_load','include','include_php','eval');
$smartySecurity->allow_constants  = false;
$smartySecurity->allow_super_globals  = false;
$smartySecurity->allow_php_tag  = false;

$smarty->enableSecurity($smartySecurity);


Is this config safe?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

PostPosted: Mon Dec 29, 2014 6:58 pm    Post subject:

Disabling all special Smarty variables would be a bad idea because you may need some of them in {foreach}, {section} and other tags.

But I agree that being able to disable some of them by a security setting would be a very good idea.

I will try to include this feature in the 3.1.22 release.
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Mon Dec 29, 2014 7:39 pm    Post subject:

Thanks for the reply.
I'll wait for the 3.1.22 release.

Honorable U.Tews, please think about the ideas below (for security):

1. limit the loop count in the {for}, {while} and {foreach} tags // against DoS/DDoS attacks
2. any system information that helps an attacker must be disabled (such as $smarty.template_object)
3. check any PHP functions such as preg_match (ReDoS attack) etc. that may be dangerous
4. limit memory usage, e.g. by assigned variables etc. (an attacker may use a lot of memory)
5. limit the number of assigned variables (like memory usage)
6. recursive functions: limited or unlimited


Last edited by sm@rty on Wed Dec 31, 2014 10:11 am; edited 2 times in total
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Tue Dec 30, 2014 12:37 am    Post subject:

You can do much of it with preprocessing filters, I think.
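The prefilter approach suggested in the post above, written out as an added example (this is not code from the thread or from the Smarty project). It registers a "pre" filter that refuses to compile any user template whose source names one of the special $smarty variables in the block list. Smarty 3.1 installed through Composer is assumed; the class names Smarty, Smarty_Internal_Template and SmartyCompilerException are Smarty's own, while BLOCKED_SPECIAL_VARS, the function names and the sample templates are assumptions made for this demo.

```php
<?php
// Added example, not code from the thread or from the Smarty project.
// Assumes Smarty 3.1 installed with Composer. The block list and the
// sample templates are constructed for this demo.
require_once __DIR__ . '/vendor/autoload.php';

// Special variables that reveal server state (paths, template objects, ...).
const BLOCKED_SPECIAL_VARS = ['template_object', 'template', 'current_dir'];

/**
 * Prefilter callback. Smarty passes the raw template source and the template
 * object before compiling; whatever string we return is what gets compiled.
 * Throwing aborts compilation, so the template is never rendered.
 */
function rejectSpecialSmartyVars(string $source, Smarty_Internal_Template $template): string
{
    // Textual match on "$smarty.<name>"; \b keeps "template" from matching
    // the prefix of an unrelated identifier.
    $names   = implode('|', array_map('preg_quote', BLOCKED_SPECIAL_VARS));
    $pattern = '/\$smarty\.(' . $names . ')\b/';

    if (preg_match($pattern, $source, $m)) {
        throw new SmartyCompilerException(
            'Access to $smarty.' . $m[1] . ' is not allowed in user templates'
        );
    }
    return $source;
}

function buildSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile_demo');
    // Registered prefilters run on every compile, including 'eval:' templates.
    $smarty->registerFilter('pre', 'rejectSpecialSmartyVars');
    return $smarty;
}

/** Render a user-supplied template string, as the thread does with 'eval:'. */
function renderUserTemplate(Smarty $smarty, string $userSource): string
{
    try {
        return $smarty->fetch('eval:' . $userSource);
    } catch (SmartyCompilerException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

$smarty = buildSmarty();

// Constructed sample templates standing in for get_template($user_id) from the thread.
$samples = [
    '{$smarty.now|date_format:"%Y"}',      // harmless special var: allowed
    '{print_r($smarty.template_object)}',  // leaks paths and config: rejected
    '{$smarty.current_dir}',               // rejected
];
foreach ($samples as $tpl) {
    echo $tpl, ' => ', renderUserTemplate($smarty, $tpl), "\n";
}
```

The filter runs during compilation. For 'eval:' resources Smarty recompiles on every fetch, so the check runs each time such a template is rendered, which is the performance cost sm@rty raises further down; for file templates it runs once, as AnrDaemon says. It is also only a pattern match over the source text, so it catches exactly what the regular expression catches and nothing more; the compiler-level $disabled_special_smarty_vars setting that U.Tews describes later in the thread checks the parsed variable instead and is the better tool once available.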
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Tue Dec 30, 2014 6:11 pm    Post subject:

AnrDaemon wrote:
You can do much of it with preprocessing filters, I think.


No, this way is not enough!

For example, in the code below:

Code:

{for $foo=1 to rand(1,rand(9,rand(1,5)))}
    <p>{$foo}</p>
{/for}


Can you limit memory usage in the above code, or prevent recursive functions used for a DDoS attack?
Fortunately, PHP has a function called "set_time_limit".

But using a "prefilter" to search for $smarty in the template and replace it with an empty string or show an error can also directly affect performance.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Tue Dec 30, 2014 9:27 pm    Post subject:

This is basically a case of including PHP code into templates. Should not be allowed. At all.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Tue Dec 30, 2014 9:31 pm    Post subject:

sm@rty wrote:
For example, in the code below:

Code:

{for $foo=1 to rand(1,rand(9,rand(1,5)))}
    <p>{$foo}</p>
{/for}


This is basically a case of including PHP code into templates. Should not be allowed at all. Unconditionally.

Quote:
Can you limit memory usage in the above code, or prevent recursive functions used for a DDoS attack?
Fortunately, PHP has a function called "set_time_limit".

TTTT, you are trying to solve poor design with questionable restrictions.
Please tell us more about your use-case. What exactly are you trying to achieve by allowing your users the full power of the Smarty template engine?

Quote:
But using a "prefilter" to search for $smarty in the template and replace it with an empty string or show an error can also directly affect performance.

No. A prefilter is run before the compiled template is saved to disk. (I.e. it is run only once, and is part of the compilation process.)
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Wed Dec 31, 2014 9:59 am    Post subject:

Quote:
TTTT, you are trying to solve poor design with questionable restrictions.

I don't catch your meaning.

Quote:
This is basically a case of including PHP code into templates. Should not be allowed at all. Unconditionally.

Please tell us more about your use-case. What exactly are you trying to achieve by allowing your users the full power of the Smarty template engine?


All my questions do not mean that Smarty is not powerful!

Smarty is very, very, very powerful and flexible. I have no doubt!

But!

I am making a new website. This is a new idea.
Anything that can help my idea is very good, and I use it.
The Smarty project is one of them, but for my idea this project is not complete.

But Smarty can be improved.

Smarty users can help improve Smarty with their own ideas.

I am a Smarty user and I express ideas.
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

PostPosted: Wed Dec 31, 2014 10:56 am    Post subject:

The following security extensions can already be found at

https://github.com/smarty-php/smarty


Security
========
- disable special $smarty variables -
The Smarty_Security class has the new property $disabled_special_smarty_vars.
It's an array which can be loaded with the $smarty special variable names like
'template_object', 'template', 'current_dir' and others which will be disabled.
Note that this security check is performed at compile time.

- limit template nesting -
The property $max_template_nesting of Smarty_Security sets the maximum template nesting level.
The main template is level 1. The nesting level is checked at run time. When the maximum is exceeded
an Exception will be thrown. The default setting is 0, which disables this check.
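The two new properties described in the post above, combined with the security configuration sm@rty posted earlier in the thread, as an added example (this is not code from the thread or from the Smarty project). It rewrites that configuration as a Smarty_Security subclass, adds $disabled_special_smarty_vars and $max_template_nesting, and runs a few constructed user templates through it, including the rand()-driven {for} loop from the thread. A Smarty version that has those two properties (3.1.22 or later, per the post), installed through Composer, is assumed; the class name UserTemplateSecurity, the whitelist contents and the sample templates are assumptions made for this demo.

```php
<?php
// Added example, not code from the thread or from the Smarty project.
// Assumes a Smarty version with $disabled_special_smarty_vars and
// $max_template_nesting (3.1.22 or later), installed with Composer.
// Whitelist contents and sample templates are constructed for this demo.
require_once __DIR__ . '/vendor/autoload.php';

class UserTemplateSecurity extends Smarty_Security
{
    // Special variables that expose server state. The rest, such as
    // $smarty.now, $smarty.foreach and $smarty.section, stay usable.
    public $disabled_special_smarty_vars = ['template_object', 'template', 'current_dir'];

    // Main template is level 1. {include} is disabled below, so nothing
    // legitimate nests deeper; 0 would disable this run-time check.
    public $max_template_nesting = 1;

    // No PHP in templates at all.
    public $php_handling = Smarty::PHP_REMOVE;
    public $allow_php_tag = false;
    public $allow_constants = false;
    public $allow_super_globals = false;

    // For these lists an empty array means "no restriction", so every
    // whitelist is explicit, and static classes are refused entirely with null.
    public $static_classes = null;
    public $php_functions = ['isset', 'empty', 'count'];
    public $php_modifiers = ['escape', 'count'];
    public $allowed_modifiers = ['escape', 'date_format', 'truncate', 'count'];
    public $disabled_modifiers = ['regex_replace'];
    public $allowed_tags = ['if', 'elseif', 'else', 'foreach', 'foreachelse', 'for',
                            'section', 'sectionelse', 'assign', 'literal', 'strip'];
    public $disabled_tags = ['include', 'include_php', 'eval', 'config_load', 'php', 'extends', 'block'];

    // No file, directory or URI access from templates.
    public $secure_dir = [];
    public $trusted_dir = [];
    public $trusted_uri = [];
}

function buildUserSmarty(int $userId): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile_demo');
    $smarty->compile_id = $userId;           // per-user compiled templates, as in the thread
    $smarty->caching = Smarty::CACHING_OFF;
    $smarty->enableSecurity(new UserTemplateSecurity($smarty));
    return $smarty;
}

/** Render one user-supplied template string; security violations become a short message. */
function renderUserTemplate(Smarty $smarty, string $source): string
{
    try {
        return $smarty->fetch('eval:' . $source);
    } catch (SmartyException $e) {           // SmartyCompilerException is a subclass
        return 'rejected: ' . $e->getMessage();
    }
}

$smarty = buildUserSmarty(42);
$smarty->assign('items', ['a', 'b', 'c']);  // constructed sample data

// Constructed sample templates standing in for get_template($user_id).
$samples = [
    '{$smarty.now|date_format:"%Y"}',                                       // allowed
    '{foreach $items as $i name=x}{$smarty.foreach.x.iteration}{/foreach}', // allowed: $smarty.foreach still works
    '{print_r($smarty.template_object)}',                                   // rejected at compile time
    '{for $foo=1 to rand(1,rand(9,rand(1,5)))}<p>{$foo}</p>{/for}',         // rejected: rand() not whitelisted
];
foreach ($samples as $tpl) {
    echo $tpl, "\n  => ", renderUserTemplate($smarty, $tpl), "\n";
}
```

Two points worth checking against the configuration posted earlier in the thread: an empty array for $static_classes, $php_functions, $php_modifiers, $allowed_tags or $allowed_modifiers is not a deny-all in Smarty_Security, it lifts the restriction, so the lists above are explicit and $static_classes is null; and because 'eval:' templates are recompiled on every fetch, the compile-time check for disabled special variables runs on each render, while $max_template_nesting is enforced at run time and only matters once {include} or similar tags are permitted. None of this bounds loop counts or memory, which remain outside what the security class controls.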
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Wed Dec 31, 2014 11:55 am    Post subject:

Wow!!

Thanks.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Wed Dec 31, 2014 5:17 pm    Post subject:

sm@rty wrote:
Quote:
TTTT, you are trying to solve poor design with questionable restrictions.

I don't catch your meaning.

Quote:
This is basically a case of including PHP code into templates. Should not be allowed at all. Unconditionally.

Please tell us more about your use-case. What exactly are you trying to achieve by allowing your users the full power of the Smarty template engine?


All my questions do not mean that Smarty is not powerful!

Smarty is very, very, very powerful and flexible. I have no doubt!

But!

I am making a new website. This is a new idea.
Anything that can help my idea is very good, and I use it.
The Smarty project is one of them, but for my idea this project is not complete.

But Smarty can be improved.

Smarty users can help improve Smarty with their own ideas.

I am a Smarty user and I express ideas.

Ok, I'll ask a different question: what is your native language?
sm@rty
Smarty Regular


Joined: 01 Oct 2014
Posts: 65

PostPosted: Wed Dec 31, 2014 9:08 pm    Post subject:

My native language is Persian (Farsi).

My translator is not available.

Why?


Last edited by sm@rty on Thu Jan 01, 2015 7:57 am; edited 2 times in total
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Thu Jan 01, 2015 1:02 am    Post subject:

It was rather obvious that English is not your native language, and that you do not understand even half of what we are trying to tell you.
Though, if it is one of the languages I know, I can explain better.
But the simple idea is that you do not need to expose Smarty to your end-users. "New idea" only sounds good. In truth, all your "new ideas" are rather old and were proved impractical long ago.