sm@rty Smarty Regular
Posted: Sun Mar 15, 2015 3:36 pm, subject: allow_constants not working!
Hi,
I set `$smartySecurity->allow_constants = false;`
but it is not working, and constants can still be accessed by the template!
A better way would be to use a white list, for example:
Code:
    $smartySecurity->allow_constants = array('ENT_QUOTES');
U.Tews Administrator
Posted: Sun Mar 15, 2015 11:36 pm
Security->allow_constants only controls access through the special $smarty variable, {$smarty.const....}.
I will put the white list on the wish list.
sm@rty Smarty Regular
Posted: Mon Mar 16, 2015 8:14 am
So how can I prevent direct access to constants in Smarty?
For example:
PHP
Code:
    <?php
    define('test', 1);
    ?>
Smarty (security is enabled)
output: 1
AnrDaemon Administrator
Posted: Mon Mar 16, 2015 1:49 pm
Why do you want to do it in the first place?
sm@rty Smarty Regular
Posted: Mon Mar 16, 2015 3:52 pm
Because the people using Smarty are users, not admins,
and all passwords, usernames, etc. are defined in constants.
AnrDaemon Administrator
Posted: Mon Mar 16, 2015 4:14 pm
sm@rty Smarty Regular
Posted: Mon Mar 16, 2015 5:07 pm
With an example:
PHP
Code:
    define('MYSQL_PASSWORD', 'my_password');
Smarty
Code:
    {MYSQL_PASSWORD nocache}
output: my_password
How can I prevent users from accessing this constant?
AnrDaemon Administrator
Posted: Mon Mar 16, 2015 8:54 pm
Why EVER is your MySQL password defined as a constant? Are you insane?
U.Tews Administrator
Posted: Tue Mar 17, 2015 1:33 am
I totally agree that passwords and other sensitive data should never be defined as constants.
But anyway, an update is on GitHub to disable direct access to defined constants with Smarty_Security->allow_constants = false;
sm@rty Smarty Regular
Posted: Tue Mar 17, 2015 6:18 am
Quote:
    Why EVER is your MySQL password defined as a constant? Are you insane?
So WordPress is insane, or any other system!
http://codex.wordpress.org/Editing_wp-config.php
Quote:
    I totally agree that passwords and other sensitive data should never be defined as constants.
You sure?
Code:
    print_r(get_defined_constants());
Any data is a constant.
AnrDaemon Administrator
Posted: Tue Mar 17, 2015 2:35 pm
sm@rty wrote:
    Quote:
        Why EVER is your MySQL password defined as a constant? Are you insane?
    So WordPress is insane, or any other system!
WordPress doesn't let editors write PHP code, or anything remotely resembling it. That's the only reason they were not bitten by their idiocy. Yet.
The database access password must be set as a variable and unset as soon as the database connection is established.
Quote:
    Quote:
        I totally agree that passwords and other sensitive data should never be defined as constants.
    You sure?
Did he not sound sure?
Quote:
    Code:
        print_r(get_defined_constants());
    Any data is a constant.
What?
http://www.rootdir.org/upload/Smarty/
Here, I put your proposed code right before the data is sent to the client. Please show me anything that is even remotely relevant to security in the list.
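The two pieces of advice in this thread, U.Tews' fixed `Smarty_Security->allow_constants = false` and AnrDaemon's "keep the database password in a variable and unset it once connected", put together in one runnable script. This is an added example, not code from the thread, from the Smarty project or from any of the posters. It assumes Smarty 3.1 with the constant-access fix installed via Composer, a PDO MySQL driver, and that the deployment provides the credentials in the environment variables DB_DSN, DB_USER and DB_PASSWORD (names chosen here). `Hardened_Security` is a name chosen for this example. The `trusted_constants` white list is assumed to exist in later 3.1 releases of `Smarty_Security`; check the class shipped with your version before relying on it.

```php
<?php
// Added example: hardening Smarty against template authors reading PHP constants.
// Not from the thread or the Smarty project. Assumes Smarty 3.1 (with the
// allow_constants fix), Composer autoload, and PDO MySQL.
require __DIR__ . '/vendor/autoload.php';

/**
 * Open the database connection without ever define()ing the credentials.
 * The secret lives in local variables only, and is unset once PDO has it
 * (the approach AnrDaemon recommends), so nothing template-visible holds it.
 */
function connectDatabase(): PDO
{
    // Assumption: the deployment sets these environment variables.
    $dsn      = getenv('DB_DSN')      ?: 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    $user     = getenv('DB_USER')     ?: 'app';
    $password = getenv('DB_PASSWORD') ?: '';

    $pdo = new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    // Connection established: drop the secret from memory we control.
    unset($password, $user, $dsn);
    return $pdo;
}

/**
 * Security policy for templates written by untrusted users.
 * Name chosen for this example; the properties are Smarty_Security's.
 */
class Hardened_Security extends Smarty_Security
{
    // Blocks {$smarty.const.X} and, with the GitHub fix U.Tews mentions, the
    // short form {X} that the thread shows leaking MYSQL_PASSWORD.
    public $allow_constants     = false;
    // Also blocks {$smarty.server...}, {$smarty.env...} and friends.
    public $allow_super_globals = false;
    // Only these PHP functions / modifiers may be called from a template.
    public $php_functions       = ['isset', 'empty', 'count'];
    public $php_modifiers       = ['escape', 'count'];
    // 'none' disallows every static class.
    public $static_classes      = 'none';
    // Assumed white list (later 3.1 releases): if non-empty, only these
    // constants are readable even when allow_constants is true.
    public $trusted_constants   = ['ent_quotes'];
}

/**
 * Render a user-supplied template string, failing closed on security errors.
 * Security violations are raised at compile time as SmartyCompilerException,
 * a subclass of SmartyException.
 */
function renderUntrusted(Smarty $smarty, string $templateSource): string
{
    try {
        return $smarty->fetch('string:' . $templateSource);
    } catch (SmartyException $e) {
        error_log('template rejected: ' . $e->getMessage());
        return '[template rejected]';
    }
}

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
$smarty->enableSecurity('Hardened_Security');
$smarty->assign('name', 'world');

$pdo = connectDatabase();   // credentials never become constants

echo renderUntrusted($smarty, 'Hello {$name|escape}'), PHP_EOL;
// Both of the following are what a hostile template author would try; with
// the policy above they compile to an error instead of leaking data.
echo renderUntrusted($smarty, '{$smarty.const.PHP_VERSION}'), PHP_EOL;
echo renderUntrusted($smarty, '{PHP_VERSION}'), PHP_EOL;
```

Even with this policy, sm@rty's point about `get_defined_constants()` stands: anything that is `define()`d is visible to every line of PHP in the process, so the template sandbox only helps if the secret was never a constant in the first place. Treat the Smarty setting as defence in depth behind the variable-and-unset pattern, not as a substitute for it.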