|
Smarty
yankee Smarty Rookie
Joined: 02 Mar 2009 Posts: 31
|
Posted: Sun Mar 08, 2009 10:29 am Post subject: Calling files in templates_c should not be possible |
|
|
The compiled templates should not be called directly. This could even be a security risk if the template contains code that is cached and must not be executed too often. It is unlikely that such an attack is possible, but I think that it would be good to prevent execution nevertheless.
The easiest way to accomplish this that I can think of is inserting this line into every compiled template at the top:
Code: | <?php if (!class_exists('Smarty', false)) exit('Security violation'); ?> |
|
|
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Mon Mar 09, 2009 3:07 pm Post subject: |
|
|
You can now enable this feature by setting
$smarty->direct_access_security = true;
It will disallow direct access of the files in the templates_c and cache folder.
NOTE: If you change the setting you must recompile the templates. |
|
|
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
|
Posted: Wed Mar 18, 2009 3:21 pm Post subject: |
|
|
U.Tews wrote: | You can now enable this feature by setting
$smarty->direct_access_security = true;
It will disallow direct access of the files in the templates_c and cache folder.
NOTE: If you change the setting you must recompile the templates. |
Is this the default? |
|
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Wed Mar 18, 2009 4:10 pm Post subject: |
|
|
Yes, this is the default. |
|
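Since changing the setting only takes effect after the templates are recompiled, a check for stale files is useful. The script below is an added example, not part of the thread and not Smarty's own code: it lists `.php` files under the given directories that do not begin with a guard. It assumes the guard is a PHP block at the very top of the file that conditionally calls `exit`, as in the line proposed in the first post; the script name in the usage comment is hypothetical.

```php
<?php
// Added example: audit compiled/cached Smarty files for a direct-access guard.
// Assumption: the guard is a leading PHP block with a conditional exit()/die().
// Usage (hypothetical file name): php audit_guards.php templates_c cache

/** Return true if $head opens with a PHP block containing a conditional exit. */
function has_guard(string $head): bool
{
    // The block must start at byte 0 so nothing runs or is emitted before it.
    if (!preg_match('/\A<\?php\s(.*?)\?>/s', $head, $m)) {
        return false;
    }
    return (bool) preg_match('/\bif\s*\(.+?\)\s*(exit|die)\b/s', $m[1]);
}

/** Collect .php files under $dir whose first 512 bytes lack the guard. */
function unguarded_files(string $dir): array
{
    $missing = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        // Only .php files are checked: those are what a web server would execute.
        if (!$file->isFile() || $file->getExtension() !== 'php') {
            continue;
        }
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 512);
        if (!has_guard($head)) {
            $missing[] = $file->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $status = 0;
    foreach (array_slice($argv, 1) as $dir) {
        foreach (unguarded_files($dir) as $path) {
            echo "no guard: $path\n";
            $status = 1; // non-zero exit so a deploy script can fail on stale files
        }
    }
    exit($status);
}
```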