Smarty templating differs from others

bimal
Smarty Elite
Joined: 19 Apr 2007
Posts: 423
Posted: Wed Jun 10, 2009 7:10 pm    Post subject: Smarty templating differs from others

Here are a few points on why I stay with Smarty.
I have reviewed a lot of applications that come with a kind of templating engine in their application. Finally, from a security point of view, I loved Smarty.

These templates are perfectly safe, in many ways.
However, bigger software like Magento has a poorly organized template engine.

Reason One
Anyone who releases a free template can voluntarily inject unsafe code to steal things from the users' computers. And it is not easy to avoid this, because every template is a crude PHP script. Downloaded templates are always better to suspect, if data safety is a big concern.

Reason Two
Because of the <?php and ?> tags, we cannot easily read the contents within these blocks in visual editors. It makes it harder to produce a new template for this software.

Smarty too has a defect of allowing {php} and {/php} tags. But we can carefully find/disallow them in a downloaded template. Sometimes, by modifying a very small script in Smarty, we can disable parsing of {php} tags. Because these tags are not so common in a template, they are easy to test for vulnerable code. Whereas a Magento-like system compulsorily uses <?php and ?>. So, finding a badly written script out of this junk is harder.

I now trust that tools written in Smarty are much safer in community interactivity.
mohrt
Administrator
Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA
Posted: Thu Jun 11, 2009 3:21 pm

FYI, $smarty->security = true does not allow {php} tags.
bimal
Smarty Elite
Joined: 19 Apr 2007
Posts: 423
Posted: Thu Jun 11, 2009 5:39 pm    Post subject: More security checks we need

Hi Mohrt,
Thanks for this tip.
(We normally do not read all the source code, and these tips can become very useful.)

Yet, we need to control a few issues with:

{'badfile.php'|include} which is UNSAFE.
{include file='badfile.php'} has a different purpose, and we can consider this safe.

Properly mis-written scripts can again become a more serious issue:
{'config.php'|readfile} => This is very dangerous, and can expose almost any settings / passwords.

Is there any work done already on this?
Or must we consider this feature a vulnerability in Smarty?
mohrt
Administrator
Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA
Posted: Thu Jun 11, 2009 7:16 pm

Please read the documentation on Smarty security. In secure mode, you cannot include anything but other templates, or things from the trusted directory. You are also not permitted to use modifiers not in the access list.
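The secure-mode settings mohrt refers to, written out as an added example (not code from the thread or from the Smarty project) for Smarty 2.x, the version current at the time of this thread; the trusted directory path is an assumed placeholder. The commented-out line shows the weak default, the lines after it the hardened configuration that rejects {php} blocks, {'config.php'|readfile} and {'badfile.php'|include} from an untrusted template.

```php
<?php
// Added example: Smarty 2.x secure-mode configuration (assumed API names follow the
// Smarty 2 documentation; /var/www/app/templates/trusted is a placeholder path).
require_once 'Smarty.class.php';

$smarty = new Smarty();

// Weak (the Smarty 2 default): security off. A downloaded template containing
// {php}...{/php}, {'config.php'|readfile} or {'badfile.php'|include} runs as-is.
// $smarty->security = false;

// Hardened: enable secure mode. This alone already rejects {php} tags.
$smarty->security = true;

// {include} may only load templates from template_dir or these trusted dirs.
$smarty->secure_dir = array('/var/www/app/templates/trusted');

// Tighten the individual secure-mode switches explicitly.
$smarty->security_settings['PHP_HANDLING']   = false; // <?php ... ?> in templates is passed through as text, never executed
$smarty->security_settings['PHP_TAGS']       = false; // {php}...{/php} is a compile error
$smarty->security_settings['INCLUDE_ANY']    = false; // no {include} outside secure_dir
$smarty->security_settings['ALLOW_CONSTANTS'] = false; // no {$smarty.const.*} access

// PHP functions allowed as variable modifiers. readfile, include, file_get_contents
// and similar are absent, so {'config.php'|readfile} fails to compile instead of
// dumping the file. (Plugin modifiers such as |escape are loaded separately.)
$smarty->security_settings['MODIFIER_FUNCS'] = array('count', 'strlen', 'ucfirst');

$smarty->assign('title', 'Hello');
$smarty->display('page.tpl');
```

Turning on secure mode is a compile-time check, so a template that was compiled before the switch should be recompiled (clear compile_dir) for the restrictions to apply.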