|
Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon. |
|
View previous topic :: View next topic |
Author |
Message |
shuther Smarty Rookie
Joined: 04 Jan 2004 Posts: 13
|
Posted: Mon Mar 15, 2004 11:03 am Post subject: secure mode and load_config |
|
|
I am using the last CVS version.
I have $smarty->config_dir that is not in $smarty->trusted_dir
with security = true, I got the errors:
Quote: | (secure mode) accessing "file C:\devl\projet\include/configs/\main.conf" |
I am not sure that is the desired behaviour?
I added the directory in $smarty->trusted_dir, it still doesn't work; maybe I am missing something? |
|
Back to top |
|
shuther Smarty Rookie
Joined: 04 Jan 2004 Posts: 13
|
Posted: Mon Mar 15, 2004 11:09 am Post subject: |
|
|
I found the problem, I fogot to add:
$smarty->secure_dir = array($smarty->config_dir);
But maybe it could be automatic? |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Mon Mar 15, 2004 4:00 pm Post subject: |
|
|
ah, that's nasty indeed.
it would be easiest to fix this the way you suggest (making "config" a secure dir automatically):
Code: | Index: libs/core/core.is_secure.php
===================================================================
RCS file: /repository/smarty/libs/core/core.is_secure.php,v
retrieving revision 1.7
diff -u -r1.7 core.is_secure.php
--- libs/core/core.is_secure.php 24 Feb 2004 00:10:55 -0000 1.7
+++ libs/core/core.is_secure.php 15 Mar 2004 15:53:38 -0000
@@ -28,7 +28,9 @@
if($check_template_dir) {
if (!in_array($smarty->template_dir, $smarty->secure_dir))
// add template_dir to secure_dir array
- array_unshift($smarty->secure_dir, $smarty->template_dir);
+ array_unshift($smarty->secure_dir,
+ $smarty->template_dir, $smarty->config_dir);
$check_template_dir = false;
}
if (!empty($smarty->secure_dir)) {
|
but this would make the config-dir a trusted directory also for (secured) {fetch), {include} etc. I don't know if this is a problem. |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Mar 16, 2004 10:09 am Post subject: |
|
|
I can answer myself: making $smarty->config secure by default is not an option, this would expose the whole config-file to (untrusted) template-editors.
But I am working on a solution that makes $smarty->config only secure for config-load. |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Mar 23, 2004 9:53 am Post subject: |
|
|
I committed a fix to the bug you reported above.
$smarty->config_dir is considered a secure dir for config_load() now.
thanks for finding this one! |
|
Back to top |
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|