appel Smarty Rookie
Joined: 27 May 2003 Posts: 29
Posted: Wed May 28, 2003 9:40 am Post subject: Debug mode doesn't work when security is enabled
$smarty->debugging = true;
$smarty->security = true;
produces this warning:
Warning: Smarty error: (secure mode) accessing "file:/usr/local/share/smarty/debug.tpl" is not allowed in /usr/local/share/smarty/Smarty.class.php on line 999

messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Wed May 28, 2003 2:46 pm
You have to assign $smarty->debug_tpl to a template that is in a directory in the list of your secure-dirs ($smarty->secure_dir), or you have to append "/usr/local/share/smarty" to your list of secure dirs.

mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Wed May 28, 2003 7:40 pm
This is a bug, the debug.tpl file should work by default. This has been fixed in CVS.

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Wed May 28, 2003 11:47 pm
I don't think the debug template should be accessible from security mode since debug information can potentially provide insecure details.

sweatje Smarty Regular
Joined: 17 Apr 2003 Posts: 70 Location: Bettendorf, Iowa, USA
Posted: Thu May 29, 2003 1:16 am
boots wrote: "I don't think the debug template should be accessible from security mode since debug information can potentially provide insecure details."
Interesting notion... is there anything in the debugging template itself that would not be allowed by safe mode? If so, what is to prevent the user from just placing a copy of the debug template in their working directory?
I don't use safe mode personally, so it is more just curiosity.
_________________
Jason
jsweat_php AT yahoo DOT com

mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Thu May 29, 2003 3:00 am
Whatever file is given as the $debug_tpl is assumed to be safe in secure mode. This way you don't get errors when it doesn't reside in your template_dir, which is typically the case.
Monte

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Thu May 29, 2003 3:02 am
I think my point is that if the debug template isn't already reachable, then it shouldn't be automagically included. When using secure mode there are two avenues to do this: add the debug template to the template directory or add a reference to the debug template directory to your secure dirs. Failing to do that suggests either that you don't want debug functionality or that you don't need security.
In my mind the security context should be explicit so that people who are fanatical about security can be assured that only exactly what they specify makes it through.
Quote: "If so, what is to prevent the user from just placing a copy of the debug template in their working directory?"
I didn't mean that you wouldn't allow some form of a debug template to run, but it would have to be specific to that security setting and live in a secure directory.
Hope that makes sense.

mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Thu May 29, 2003 3:05 am
I suppose there are many ways to analyze how it should work. But historically the $debug_tpl is always secure regardless of its location. (BTW, you can give specific files in $secure_dir, not just directories, so this doesn't open up your entire SMARTY_DIR if that's what you're thinking.) It was broken somewhere along the way, and now it's fixed.
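
An added example, not part of the thread and not Smarty's own code: a pre-flight check for the explicit approach discussed above, confirming that the debug template is covered by a $secure_dir entry (a directory or a single file) before debugging is switched on. The helper name covered_by_secure_dirs() and the temporary paths are assumptions constructed for the illustration.

```php
<?php
// Added example, not Smarty's own code. covered_by_secure_dirs() is a
// hypothetical helper; all paths are constructed in a temp directory.

// True if $file is itself listed in $secureDirs or lies inside a listed
// directory. Entries may be directories or single files.
function covered_by_secure_dirs(string $file, array $secureDirs): bool
{
    $real = realpath($file);               // resolves symlinks and ".."
    if ($real === false) {
        return false;                      // a missing file is never covered
    }
    foreach ($secureDirs as $entry) {
        $allowed = realpath($entry);
        if ($allowed === false) {
            continue;                      // ignore entries that do not exist
        }
        if ($real === $allowed) {
            return true;                   // entry names exactly this file
        }
        // Compare against "dir/" so that "lib" does not also cover "lib_other".
        $prefix = rtrim($allowed, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (is_dir($allowed) && strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed layout: debug.tpl lives in a library directory, outside templates/.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'smarty_demo_' . uniqid();
foreach (['lib', 'lib_other', 'templates'] as $d) {
    mkdir("$base/$d", 0700, true);
}
touch("$base/lib/debug.tpl");
touch("$base/lib_other/debug.tpl");

$cases = [
    'template dir only'        => ["$base/lib/debug.tpl", ["$base/templates"]],
    'debug.tpl listed by file' => ["$base/lib/debug.tpl", ["$base/lib/debug.tpl"]],
    'library dir listed'       => ["$base/lib/debug.tpl", ["$base/lib"]],
    'sibling dir, same prefix' => ["$base/lib_other/debug.tpl", ["$base/lib"]],
];
foreach ($cases as $label => [$tpl, $dirs]) {
    printf("%-26s %s\n", $label, covered_by_secure_dirs($tpl, $dirs) ? 'covered' : 'not covered');
}
```

Listing the single debug.tpl file rather than its whole directory keeps the security context as narrow as the last post describes.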