hook Smarty n00b
Joined: 26 May 2005 Posts: 3
Posted: Mon Jun 06, 2005 8:12 am Post subject: how to avoid user from viewing my template files

If someone types http://my.url/doc/templates/index.tpl, he can directly view or download the template. Can someone tell me how to avoid this kind of thing from happening?
Thank you.
BTW, I can only store my templates in the WWW folder.

mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Mon Jun 06, 2005 2:07 pm Post subject:

If you are using Apache, you can set an htaccess directive (see the Apache docs.)

scuzzy Smarty Regular
Joined: 31 Aug 2003 Posts: 84
Posted: Fri Jun 10, 2005 12:41 am Post subject:

This is what I use in my .htaccess file:
Code:
<Files ~ "\.(tpl|inc|cfg)$">
order deny,allow
deny from all
</Files>

hook Smarty n00b
Joined: 26 May 2005 Posts: 3
Posted: Mon Jun 13, 2005 5:06 pm Post subject:

What if some host does not support the htaccess.conf method? What can I do?

kills Smarty Elite
Joined: 28 May 2004 Posts: 493
Posted: Mon Jun 13, 2005 6:15 pm Post subject:

hook wrote: What if some host does not support the htaccess.conf method? What can I do?
Hi,
save your templates outside of the documentroot...
Bye,
Markus

mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Mon Jun 13, 2005 6:23 pm Post subject:

hook wrote: What if some host does not support the htaccess.conf method? What can I do?
If you can't put your files outside of docroot and you can't use the web server access features, then you will have to do some file permission tricks (if that is even feasible) or rely on filename obscurity.

boon Smarty n00b
Joined: 21 Jun 2005 Posts: 2
Posted: Fri Jun 24, 2005 4:52 am Post subject: Re: how to avoid user from viewing my template files

hook wrote: If someone types http://my.url/doc/templates/index.tpl, he can directly view or download the template. Can someone tell me how to avoid this kind of thing from happening?
Thank you.
BTW, I can only store my templates in the WWW folder.
Hi hook,
change your .tpl to .php, so everything goes through the parser. Then you do not have to worry and care about how to protect your .tpl (any extension other than .php).
Cheers.

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Fri Jun 24, 2005 5:07 am Post subject:

@boon: hmmm. It seems to me that that oughtn't work. PHP passes non <?php ... ?> blocks and returns them as clear text.

saerdna Smarty Rookie
Joined: 12 Dec 2004 Posts: 20 Location: Linköping, Sweden
Posted: Fri Jul 08, 2005 6:56 pm Post subject:

Just save the template files outside the public_html dir.

Dinges Smarty n00b
Joined: 09 Jul 2005 Posts: 2
Posted: Sat Jul 09, 2005 2:45 pm Post subject:

Put:
Code:
Order Deny,Allow
Deny from all
in .htaccess

saerdna Smarty Rookie
Joined: 12 Dec 2004 Posts: 20 Location: Linköping, Sweden
Posted: Sun Jul 10, 2005 10:25 pm Post subject:

Don't listen to anyone but me, put the files outside public_html.

kaotic Smarty Rookie
Joined: 29 Jul 2005 Posts: 14
Posted: Thu Aug 11, 2005 1:16 am Post subject:

saerdna wrote: Don't listen to anyone but me, put the files outside public_html.
hook wrote: BTW, I can only store my templates in the WWW folder.
I think your best option is to not use index.tpl; use something else that the user doesn't know of. Then, in order for them to view your template, they first have to guess what its name is.
_________________
//Brandon

mocara Smarty Rookie
Joined: 11 Aug 2005 Posts: 5
Posted: Thu Aug 11, 2005 11:22 am Post subject:

Security through obscurity is a bad idea. Lock down your files using .htaccess; don't count on just changing a file name. What if your host enables directory browsing?

scuzzy Smarty Regular
Joined: 31 Aug 2003 Posts: 84
Posted: Thu Aug 11, 2005 11:35 pm Post subject:

mocara wrote: Security through obscurity is a bad idea. Lock down your files using .htaccess; don't count on just changing a file name. What if your host enables directory browsing?
Well, if your host did that and you can't use a .htaccess file to prevent directory indexing, you sure ain't going to be able to then use it to prevent access to your templates.

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Fri Aug 12, 2005 12:27 am Post subject:

Okay, I'll sum the thread up since it seems to be going circular...
To prevent public facing access to your templates (in order of suitability):
1) keep the templates out of your webroot (and out of any public ftp roots!)
2) configure your webserver (or web directories) to not serve template files (generally *.tpl)
3) use obscurity in terms of the directory path -- this actually is almost useless
no one mentioned:
4) encrypt your templates and use a pre-filter that unencrypts them. This is a little overkill for most situations.
IMHO, unless you absolutely can't do #1, do #2 -- there is almost no reason you wouldn't be able to. Forget about #3 because it gives a false sense of security when there really isn't any. Only do #4 if your life depends on it.
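
The following audit is an added example, not code posted by anyone in this thread: it walks a document root and lists the template files that no .htaccess on their path denies, which is the check behind options 1 and 2 of the summary above. The function names and the sample tree are constructed for illustration; the parser only understands <Files>/<FilesMatch> blocks and blanket deny lines, and it ignores the main server config and any Allow override.

```python
import fnmatch, os, re
TEMPLATE_EXTS = {".tpl", ".inc", ".cfg"}  # extensions named in the thread's rule
# "Deny from all" as posted in the thread, or Apache 2.4's "Require all denied".
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
FILES_RE = re.compile(
    r'<(Files(?:Match)?)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</Files(?:Match)?>', re.I | re.S)

def denied_by(htaccess_text, filename):
    """True if the text denies `filename`, by a blanket deny or a matching <Files> block."""
    if DENY_RE.search(FILES_RE.sub("", htaccess_text)):
        return True
    for tag, tilde, pattern, body in FILES_RE.findall(htaccess_text):
        regex = tilde or tag.lower() == "filesmatch"  # plain <Files> takes a wildcard
        hit = re.search(pattern, filename) if regex else fnmatch.fnmatchcase(filename, pattern.strip())
        if hit and DENY_RE.search(body):
            return True
    return False

def exposed_templates(docroot):
    """Docroot-relative template paths that no .htaccess between file and docroot denies."""
    docroot = os.path.realpath(docroot)
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEMPLATE_EXTS:
                continue
            d, protected = dirpath, False
            while not protected:  # climb from the file's directory up to the docroot
                ht = os.path.join(d, ".htaccess")
                if os.path.isfile(ht):
                    with open(ht) as fh:
                        protected = denied_by(fh.read(), name)
                if d == docroot:
                    break
                d = os.path.dirname(d)
            if not protected:
                exposed.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(exposed)

def build_demo_tree(root):
    """Constructed sample docroot: doc/templates unprotected, shop/templates with the rule."""
    rule = '<Files ~ "\\.(tpl|inc|cfg)$">\norder deny,allow\ndeny from all\n</Files>\n'
    for sub, text in (("doc/templates", None), ("shop/templates", rule)):
        os.makedirs(os.path.join(root, sub))
        open(os.path.join(root, sub, "index.tpl"), "w").close()
        if text:
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write(text)
```

Anything the function returns should either move out of the docroot or gain a deny rule. Confirm the result with a real request afterwards, since only the server knows its effective configuration.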