Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

SmartyValidate Security Issues

 
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons
View previous topic :: View next topic  
Author Message
B00zy
Smarty Rookie


Joined: 19 Jul 2004
Posts: 12

PostPosted: Mon Jul 19, 2004 5:54 pm    Post subject: SmartyValidate Security Issues Reply with quote

Wouldn't it be possible for an attacker to avoid SmartyValidate by simply not loading the page containing the {validate} tags and submitting the POST vars without ever calling that page? SmartyValidate::is_valid() would eval to true since it has nothing to compare against.
Back to top
View user's profile Send private message
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Mon Jul 19, 2004 6:14 pm    Post subject: Reply with quote

This has been pointed out already but it is worthwhile repeating. I don't think SmartyValidate is intended (in its present form) as a full coverage valdiation mechanism (nor is validation alone equivalent to security).

As it is, SmartyValidate merely supports form processing during the presentation layer and that is basically all. Developers must still ensure proper validation of received inputs when processing outside of templates (ie. from scripts) and must still use typical precautions and security measures.

Monte has recently proposed moving the criteria validation definitions to the calling PHP script which would definately help in terms of providing more robust validation handling.

In short, my opinion is: SmartyValidate, as it stands, can help your presentation layer provide suitable messages to your user to guide form filling but probably should not be used on its own as a trusted mechanism to ensure data consistency or authenticity.
Back to top
View user's profile Send private message
B00zy
Smarty Rookie


Joined: 19 Jul 2004
Posts: 12

PostPosted: Mon Jul 19, 2004 7:06 pm    Post subject: Fix Reply with quote

OK, so after considering this for a while here is a working solution I've come up with.

Code:

if (count($_POST)) {
   /* SmartyValidate should be PRE-loaded, otherwise
      an attacker could simply submit the post vars without
      ever accepting a session. Display profile_validate.tpl once
      so that the validation tags are all registered. */

   $smarty->display('profile_validate.tpl');
   /* SmartyValidate::is_valid() now has something to work with */
   if (SmartyValidate::is_valid($_POST)) {
      /* It's valid */
   } else {
      /* It's necessary to display this twice because the first
      time the SmartyValidate::is_valid hadn't been called yet. */
      $smarty->display('profile_validate.tpl');
   }
}
$smarty->display('profile.tpl');


and here is profile_validate.tpl:

Code:

{capture name="error"}

<div id="error">

{validate field="name" criteria="notEmpty" trim="yes" message="Name cannot be empty"}
{validate field="name" criteria="isLength" trim="yes" min="3" max="10" message="Name must be between 3 and 10 characters long"}
{validate field="name" criteria="isRegExp" trim="yes" expression="!^\w+$!" message="Name must be composed of only letters [A-Z], numbers [0-9], or the underscore character _"}

</div>

{/capture}


Wherever you would like the errors to be displayed in profile.tpl, add {$smarty.capture.error} to the template.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Add-ons All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP