Smarty
B00zy Smarty Rookie
Joined: 19 Jul 2004 Posts: 12
Posted: Mon Jul 19, 2004 5:54 pm Post subject: SmartyValidate Security Issues
Wouldn't it be possible for an attacker to avoid SmartyValidate by simply not loading the page containing the {validate} tags and submitting the POST vars without ever calling that page? SmartyValidate::is_valid() would eval to true since it has nothing to compare against.
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Mon Jul 19, 2004 6:14 pm Post subject:
This has been pointed out already but it is worthwhile repeating. I don't think SmartyValidate is intended (in its present form) as a full coverage validation mechanism (nor is validation alone equivalent to security).
As it is, SmartyValidate merely supports form processing during the presentation layer and that is basically all. Developers must still ensure proper validation of received inputs when processing outside of templates (i.e. from scripts) and must still use typical precautions and security measures.
Monte has recently proposed moving the criteria validation definitions to the calling PHP script which would definitely help in terms of providing more robust validation handling.
In short, my opinion is: SmartyValidate, as it stands, can help your presentation layer provide suitable messages to your user to guide form filling but probably should not be used on its own as a trusted mechanism to ensure data consistency or authenticity.
B00zy Smarty Rookie
Joined: 19 Jul 2004 Posts: 12
Posted: Mon Jul 19, 2004 7:06 pm Post subject: Fix
OK, so after considering this for a while here is a working solution I've come up with.
Code:
<?php
// Setup lines added so the snippet runs on its own (not in the original post):
// SmartyValidate keeps its state in the session and must be connected to the
// Smarty instance before the {validate} tags or is_valid() can do anything.
session_start();
require_once 'Smarty.class.php';
require_once 'SmartyValidate.class.php';
$smarty = new Smarty;
SmartyValidate::connect($smarty);

if (count($_POST)) {
    /* SmartyValidate should be PRE-loaded, otherwise
       an attacker could simply submit the post vars without
       ever accepting a session. Display profile_validate.tpl once
       so that the validation tags are all registered. */
    $smarty->display('profile_validate.tpl');
    /* SmartyValidate::is_valid() now has something to work with */
    if (SmartyValidate::is_valid($_POST)) {
        /* It's valid: process the submitted profile here */
    } else {
        /* It's necessary to display this twice because the first
           time SmartyValidate::is_valid hadn't been called yet, so
           the error messages were not available to the template. */
        $smarty->display('profile_validate.tpl');
    }
}
$smarty->display('profile.tpl');
and here is profile_validate.tpl:
Code:
{capture name="error"}
<div id="error">
{validate field="name" criteria="notEmpty" trim="yes" message="Name cannot be empty"}
{validate field="name" criteria="isLength" trim="yes" min="3" max="10" message="Name must be between 3 and 10 characters long"}
{validate field="name" criteria="isRegExp" trim="yes" expression="!^\w+$!" message="Name must be composed of only letters [A-Z], numbers [0-9], or the underscore character _"}
</div>
{/capture}
Wherever you would like the errors to be displayed in profile.tpl, add {$smarty.capture.error} to the template.
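Boots' point that the receiving script must validate inputs on its own, applied to the name criteria from profile_validate.tpl: an added PHP example (not from this thread or the SmartyValidate package) that enforces the same three rules in the script, so a POST that never rendered the template is still checked. The function name, messages and sample submissions are this example's own.

```php
<?php
// Added example: server-side re-validation of the profile form's "name" field,
// mirroring the three {validate} criteria of profile_validate.tpl so the checks
// hold even when the client never loaded the template (PHP 7+).

function validate_profile_name(array $post): array
{
    $errors = [];
    // trim="yes" in the template: whitespace-only input counts as empty
    $name = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';

    if ($name === '') {                      // criteria="notEmpty"
        $errors[] = 'Name cannot be empty';
        return $errors;                      // remaining checks are moot
    }
    $len = strlen($name);
    if ($len < 3 || $len > 10) {             // criteria="isLength" min="3" max="10"
        $errors[] = 'Name must be between 3 and 10 characters long';
    }
    if (!preg_match('!^\w+$!', $name)) {     // criteria="isRegExp" expression="!^\w+$!"
        $errors[] = 'Name must be composed of only letters [A-Z], numbers [0-9], '
                  . 'or the underscore character _';
    }
    return $errors;
}

// Constructed sample submissions, including shapes a script would see from a
// request that bypassed the form page entirely (missing or odd fields).
$samples = [
    ['name' => 'alice_01'],   // valid
    ['name' => '   '],        // whitespace only -> treated as empty
    ['name' => 'ab'],         // too short
    ['name' => 'b@b'],        // fails the regexp
    ['name' => ['x']],        // array instead of string -> treated as empty
    [],                       // field missing entirely
];
foreach ($samples as $i => $post) {
    $errors = validate_profile_name($post);
    printf("sample %d: %s\n", $i, $errors ? implode('; ', $errors) : 'OK');
}
```

In a real handler, run this check before (or instead of) trusting SmartyValidate::is_valid(), and only then process the submitted profile.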
Powered by phpBB © 2001, 2005 phpBB Group