Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

Calling files in templates_c should not be possible

yankee
Smarty Rookie


Joined: 02 Mar 2009
Posts: 31

Posted: Sun Mar 08, 2009 10:29 am    Post subject: Calling files in templates_c should not be possible

The compiled templates should not be called directly. This could even be a security risk if the template contains code that is cached and must not be executed too often. It is unlikely that such an attack is possible, but I think that it would be good to prevent execution nevertheless.
The easiest way to accomplish this that I can think of is inserting this line into every compiled template at the top:
Code:
<?php if (!class_exists('Smarty', false)) exit('Security violation'); ?>
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5067
Location: Hamburg / Germany

Posted: Mon Mar 09, 2009 3:07 pm    Post subject:

You can now enable this feature by setting

$smarty->direct_access_security = true;

It will disallow direct access of the files in the templates_c and cache folder.

NOTE: If you change the setting you must recompile the templates.
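As an added example (not code from the thread or from Smarty itself), the check a practitioner wants after flipping direct_access_security given the recompile note above: an audit that walks a templates_c or cache directory and reports compiled files that still lack the guard line. It assumes the guard text is the one yankee proposed; if your Smarty version emits a different check, adjust GUARD_MARKER accordingly.

```python
"""Audit a Smarty templates_c / cache directory for compiled .php files that
carry no direct-access guard (stale files left over from before the setting
was enabled). Added example, not Smarty's own code."""
import os
import tempfile

# Guard line as proposed in the thread. Assumption: your Smarty version emits
# the same check; otherwise change GUARD_MARKER to match its actual text.
GUARD_LINE = "<?php if (!class_exists('Smarty', false)) exit('Security violation'); ?>"
GUARD_MARKER = "class_exists('Smarty'"


def is_guarded(path, head_bytes=4096):
    """True if the guard check appears in the file's leading bytes.
    Compiled templates start with a comment header, so read a generous prefix."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return GUARD_MARKER in fh.read(head_bytes)


def find_unguarded(compiled_dir):
    """Return sorted, slash-separated relative paths of .php files under
    compiled_dir that lack the guard. A non-empty result after enabling
    direct_access_security means stale compiled files must be recompiled
    or cleared, because they are still directly executable."""
    unguarded = []
    for root, _dirs, files in os.walk(compiled_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(root, name)
            if not is_guarded(full):
                rel = os.path.relpath(full, compiled_dir)
                unguarded.append(rel.replace(os.sep, "/"))
    return sorted(unguarded)


def demo():
    """Constructed templates_c with one guarded and one stale compiled file."""
    tmp = tempfile.mkdtemp(prefix="templates_c_")
    os.makedirs(os.path.join(tmp, "sub"))
    with open(os.path.join(tmp, "a.tpl.php"), "w") as fh:
        fh.write(GUARD_LINE + "\n<?php echo 'hello'; ?>\n")
    with open(os.path.join(tmp, "sub", "b.tpl.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")  # stale: compiled before the change
    return find_unguarded(tmp)


if __name__ == "__main__":
    print("unguarded compiled files:", demo())
```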
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Wed Mar 18, 2009 3:21 pm    Post subject:

U.Tews wrote:
You can now enable this feature by setting

$smarty->direct_access_security = true;

It will disallow direct access of the files in the templates_c and cache folder.

NOTE: If you change the setting you must recompile the templates.

Is this the default?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5067
Location: Hamburg / Germany

Posted: Wed Mar 18, 2009 4:10 pm    Post subject:

Yes, this is the default.