how to avoid user from viewing my template files
hook
Smarty n00b


Joined: 26 May 2005
Posts: 3

Posted: Mon Jun 06, 2005 8:12 am    Post subject: how to avoid user from viewing my template files

If someone types http://my.url/doc/templates/index.tpl, he can directly view or download the template. Can someone tell me how to prevent this kind of thing from happening?
Thank you.
BTW, I can only store my templates in WWW folder.
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Mon Jun 06, 2005 2:07 pm

If you are using Apache, you can set an htaccess directive (see the Apache docs.)
scuzzy
Smarty Regular


Joined: 31 Aug 2003
Posts: 84

Posted: Fri Jun 10, 2005 12:41 am

This is what I use in my .htaccess file:
Code:
# Deny direct HTTP requests for template, include and config files
<Files ~ "\.(tpl|inc|cfg)$">
Order deny,allow
Deny from all
</Files>
hook
Smarty n00b


Joined: 26 May 2005
Posts: 3

Posted: Mon Jun 13, 2005 5:06 pm

What if some host does not support the .htaccess method? What can I do?
kills
Smarty Elite


Joined: 28 May 2004
Posts: 493

Posted: Mon Jun 13, 2005 6:15 pm

hook wrote:
What if some host does not support the .htaccess method? What can I do?


Hi

Save your templates outside of the document root...

Bye,
Markus
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Mon Jun 13, 2005 6:23 pm

hook wrote:
What if some host does not support the .htaccess method? What can I do?


If you can't put your files outside of docroot and you can't use the web server access features, then you will have to do some file permission tricks (if that is even feasible) or rely on filename obscurity.
boon
Smarty n00b


Joined: 21 Jun 2005
Posts: 2

Posted: Fri Jun 24, 2005 4:52 am    Post subject: Re: how to avoid user from viewing my template files

hook wrote:
If someone types http://my.url/doc/templates/index.tpl, he can directly view or download the template. Can someone tell me how to prevent this kind of thing from happening?
Thank you.
BTW, I can only store my templates in WWW folder.


Hi hook,

Change your .tpl to .php, so that everything goes through the parser. Then you do not have to worry and care about how to protect your .tpl (any extension other than .php).

Cheers.
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Fri Jun 24, 2005 5:07 am

@boon: hmmm. It seems to me that that oughtn't work. PHP passes non <?php ... ?> blocks and returns them as clear text.
saerdna
Smarty Rookie


Joined: 12 Dec 2004
Posts: 20
Location: Linköping, Sweden

Posted: Fri Jul 08, 2005 6:56 pm

Just save the template files outside the public_html dir.
Dinges
Smarty n00b


Joined: 09 Jul 2005
Posts: 2

Posted: Sat Jul 09, 2005 2:45 pm

Put:

Code:
# Deny all direct HTTP access to the directory holding this .htaccess
Order Deny,Allow
Deny from all

in .htaccess
saerdna
Smarty Rookie


Joined: 12 Dec 2004
Posts: 20
Location: Linköping, Sweden

Posted: Sun Jul 10, 2005 10:25 pm

Don't listen to anyone but me, put the files outside public_html.
kaotic
Smarty Rookie


Joined: 29 Jul 2005
Posts: 14

Posted: Thu Aug 11, 2005 1:16 am

saerdna wrote:
Don't listen to anyone but me, put the files outside public_html.

hook wrote:
BTW, I can only store my templates in WWW folder.


I think your best option is to not use index.tpl; use something else that the user doesn't know of. Then, in order for them to view your template, they first have to guess what its name is.
_________________
//Brandon
mocara
Smarty Rookie


Joined: 11 Aug 2005
Posts: 5

Posted: Thu Aug 11, 2005 11:22 am

Security through obscurity is a bad idea. Lock down your files using .htaccess; don't count on just changing a file name. What if your host enables directory browsing?
scuzzy
Smarty Regular


Joined: 31 Aug 2003
Posts: 84

Posted: Thu Aug 11, 2005 11:35 pm

mocara wrote:
Security through obscurity is a bad idea. Lock down your files using .htaccess; don't count on just changing a file name. What if your host enables directory browsing?

Well, if your host did that and you can't use a .htaccess file to prevent directory indexing, you sure ain't going to be able to then use it to prevent access to your templates :)
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Fri Aug 12, 2005 12:27 am

Okay, I'll sum the thread up since it seems to be going circular...

To prevent public facing access to your templates (in order of suitability):

1) keep the templates out of your webroot (and out of any public ftp roots!)

2) configure your webserver (or web directories) to not serve template files (generally *.tpl)

3) use obscurity in terms of the directory path -- this actually is almost useless

no one mentioned:

4) encrypt your templates and use a pre-filter that unencrypts them. This is a little overkill for most situations.

IMHO, unless you absolutely can't do #1, do #2 -- there is almost no reason you wouldn't be able to. Forget about #3 because it gives a false sense of security when there really isn't any. Only do #4 if your life depends on it.
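
Added example, not written by any poster in this thread: option #2 as one .htaccess that works on both Apache 2.2 and 2.4. The `Order`/`Deny` lines posted above are the 2.2 syntax, which 2.4 only honours when mod_access_compat is loaded. It assumes the host permits these overrides (AllowOverride AuthConfig, Limit and Options) and that the templates use the .tpl, .inc and .cfg extensions named earlier in the thread.

```apache
# .htaccess in the directory that holds the templates (added example)

# Apache 2.4+: mod_authz_core is present, use the native directive
<IfModule mod_authz_core.c>
    <FilesMatch "\.(tpl|inc|cfg)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 and older: same rule in the legacy syntax used in this thread
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(tpl|inc|cfg)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>

# Turn off directory listings so file names are not enumerated
Options -Indexes
```

A request for a matching file should then return 403 Forbidden. If it returns the template source or a 500 error, the host is ignoring or rejecting the overrides, and option #1 is the remaining fix.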