Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

Debug mode doesn't work when security is enabled

 
Post new topic   Reply to topic    Smarty Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
appel
Smarty Rookie


Joined: 27 May 2003
Posts: 29

PostPosted: Wed May 28, 2003 9:40 am    Post subject: Debug mode doesn't work when security is enabled Reply with quote

$smarty->debugging = true;
$smarty->security = true;

produces this warning:

Warning: Smarty error: (secure mode) accessing "file:/usr/local/share/smarty/debug.tpl" is not allowed in /usr/local/share/smarty/Smarty.class.php on line 999
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Wed May 28, 2003 2:46 pm    Post subject: Reply with quote

you have to assign $smarty->debug_tpl to a template that is in a directory in the list of your secure-dirs ($smarty->secure_dir), or you have to append "/usr/local/share/smarty" to your list of secure dirs.
Back to top
View user's profile Send private message Send e-mail Visit poster's website
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7366
Location: Lincoln Nebraska, USA

PostPosted: Wed May 28, 2003 7:40 pm    Post subject: Reply with quote

This is a bug, the debug.tpl file should work by default. This has been fixed in CVS.
Back to top
View user's profile Send private message Visit poster's website
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Wed May 28, 2003 11:47 pm    Post subject: Reply with quote

I don't think the debug template should be accessible from security mode since debug information can potentially provide insecure details.
Back to top
View user's profile Send private message
sweatje
Smarty Regular


Joined: 17 Apr 2003
Posts: 70
Location: Bettendorf, Iowa, USA

PostPosted: Thu May 29, 2003 1:16 am    Post subject: Reply with quote

boots wrote:
I don't think the debug template should be accessible from security mode since debug information can potentially provide insecure details.

Interesting notion...is there anything in the debugging template itself that would not be allowed by safe mode? If so, what is to prevent the user from just placing a copy of the debug template in their working directory?

I don't use safe mode personally, so it is more just curiosity Smile
_________________
Jason
jsweat_php AT yahoo DOT com
Back to top
View user's profile Send private message
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7366
Location: Lincoln Nebraska, USA

PostPosted: Thu May 29, 2003 3:00 am    Post subject: Reply with quote

Whatever file is given as the $debug_tpl is assumed to be safe in secure mode. This way you don't get errors when it doesn't reside in your template_dir, which is typically the case.

Monte
Back to top
View user's profile Send private message Visit poster's website
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Thu May 29, 2003 3:02 am    Post subject: Reply with quote

I think my point is that if the debug template isn't already reachable, then it shouldn't be automagically included. When using secure mode there are two avenues to do this: add the debug template to the template directory or add a reference to the debug template directory to your secure dirs. Failing to do that suggests either that you don't want debug functionality or that you don't need security.

In my mind the security context should be explicit so that people who are fanatical about security can be assured that only exactly what they specify makes it through.

Quote:
If so, what is to prevent the user from just placing a copy of the debug template in their working directory?


I didn't mean that you wouldn't allow some form of a debug template to run, but it would have to be specific to that security setting and live in a secure directory.

hope that makes sense Smile
Back to top
View user's profile Send private message
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7366
Location: Lincoln Nebraska, USA

PostPosted: Thu May 29, 2003 3:05 am    Post subject: Reply with quote

I suppose there are many ways to analyze how it should work Smile But historically the $debug_tpl is always secure regarless of its location (BTW, you can give specific files in $secure_dir, not just directories so this doesn't open up your entire SMARTY_DIR if that's what you're thinking.) It was broken somewhere along the way, and now its fixed.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP