The discussions here are for Smarty, a template engine for the PHP programming language.

error when using strange template names

 
Juergen
Smarty n00b


Joined: 20 Jul 2003
Posts: 2
Location: Karlsruhe, Germany

Posted: Sun Jul 20, 2003 3:38 pm    Post subject: error when using strange template names

I'm using a self-written resource plugin for template resources, which sometimes results in strange template pathnames.
The template path "cms:/qqq/var007abc+123&#*/qqq/bild.tpl" works well with Smarty, but it produces the following header in the precompiled template:

<?php /* Smarty version 2.4.1, created on 2003-07-20 16:30:48
compiled from cms:/qqq/var007abc+123&#*/qqq/bild.tpl */ ?>

Because of the */ this results in a PHP error...


je
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Sun Jul 20, 2003 6:07 pm

Interesting. IMHO, supporting something as esoteric as that should probably be left to the user and not be worried about in Smarty.

I can think of at least one popular filesystem where that filename would be considered illegal.
Juergen
Smarty n00b


Joined: 20 Jul 2003
Posts: 2
Location: Karlsruhe, Germany

Posted: Sun Jul 20, 2003 6:36 pm

boots wrote:
Interesting. IMHO, supporting something as esoteric as that should probably be left to the user and not be worried about in Smarty.

I can think of at least one popular filesystem where that filename would be considered illegal.


I don't think that it's esoteric to encode variables into the URL instead of the GET parameter.

URL:
http://some.host/var007abc+123%26%23a%2Bb%2Bc%2A/bild.tpl
Resulting Template:
cms:/var007abc+123&#*/bild.tpl

The template name is interpreted by the template resource plugin, which extracts the variables and opens the real template:
file:/bild.tpl

But it's no problem to change the template-header generation in the compiler myself :)
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Sun Jul 20, 2003 6:50 pm

Hi. I think I see you more clearly, now. I said esoteric because, amazingly, resources are not nearly as common as you might expect and also because that use for resources is even less common.

Anyhow, instead of changing the template-header generation, you may consider passing your vars through a two-way replacement scheme.

e.g.

IN: */ => __REMEND__
OUT: __REMEND__ => */

It is unfortunate that current art of filesystems does not allow for uniform and simple access to attributed data since this would be a perfect candidate. Unfortunately, the way things are today, all of the extra "data" gets encoded into the compiled template's filename meaning that there is a hard limit to how much query data can be supplied with a custom template name. Further, that data must ultimately conform to filesystem rules.

I proposed to Monte a method that allowed resources to control physical naming but it was not accepted. In fairness, it was for a very different type of use (and was phrased differently) but perhaps there is still merit in it?
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Sun Jul 20, 2003 7:07 pm

If I understand this thread right, the filename is not the problem (it is URL-encoded to be safe, AFAIR) but the comment in the template header. If the resource name causes this, it is a bug in Smarty.

I will look at it and have to escape the header in some way to be safe to stay in the PHP comment.
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Sun Jul 20, 2003 7:22 pm

@messju: Kinda. His template is *really* called bild.tpl but it is encoded with additional query information and it is that information that is causing the issue in the compiled template header.

Now how do you fix that without losing any of the original semantics/syntax? URL encoding might help, but then the name listed in the template header is literally not the name of the resource. Since Smarty imposes no rules on the passed resource name, the resource handler is free to interpret the name any way it sees fit. In this case, part of the name is actually a query. Nothing wrong with that, of course, except that now Smarty has to deal with a very strange name that could have all sorts of very strange sequences inserted into it. I wouldn't doubt that it would be a good spot to attack if looking for an exploit.

I'm grasping here because I think there is a bigger issue than just fixing the straight-up problem.

2c
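The header problem from this thread, as an added example that is not part of any post and is not Smarty's code: it builds the compiled-template header with the resource name copied verbatim and with the name percent-encoded, then uses PHP's tokenizer to check whether the name stayed inside the comment. The function names are hypothetical, and the choice of percent-encoding (with "/" and ":" left readable) is an assumption of this example, picked because rawurldecode() restores the original name exactly.

```php
<?php
// Added example, not Smarty's code: all function names here are hypothetical.

// Header built the way the thread describes: the resource name is copied
// verbatim into a block comment.
function header_verbatim(string $resource): string
{
    return "<?php /* Smarty version 2.4.1, created on 2003-07-20 16:30:48\n"
         . "         compiled from " . $resource . " */ ?>\n";
}

// Hardened variant: percent-encode the name, then restore "/" and ":" for
// readability. "*" is always emitted as %2A, so "*/" cannot occur, and
// rawurldecode() recovers the original name exactly.
function header_encoded(string $resource): string
{
    $safe = strtr(rawurlencode($resource), ['%2F' => '/', '%3A' => ':']);
    return header_verbatim($safe);
}

// True only if the header tokenizes as open tag, one comment, close tag.
// Anything else means part of the resource name escaped into PHP code.
function comment_is_contained(string $header): bool
{
    $ids = [];
    foreach (token_get_all($header) as $tok) {
        $id = is_array($tok) ? $tok[0] : $tok; // one-char tokens are strings
        if ($id !== T_WHITESPACE) {
            $ids[] = $id;
        }
    }
    return $ids === [T_OPEN_TAG, T_COMMENT, T_CLOSE_TAG];
}

// Resource name quoted in the first post of the thread.
$name = 'cms:/qqq/var007abc+123&#*/qqq/bild.tpl';

$headers = ['verbatim' => header_verbatim($name), 'encoded' => header_encoded($name)];
foreach ($headers as $kind => $hdr) {
    $ok = var_export(comment_is_contained($hdr), true);
    printf("%-8s contained=%s\n%s", $kind, $ok, $hdr);
}
```

Only "*/" needs neutralising here, because a "?>" or a newline inside a /* ... */ block comment does not end it; the same check can be run over any other escaping scheme before it is adopted.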