Smarty
Juergen Smarty n00b
Joined: 20 Jul 2003 Posts: 2 Location: Karlsruhe, Germany
Posted: Sun Jul 20, 2003 3:38 pm Post subject: error when using strange template names
I'm using a self-written resource plugin for template resources, which sometimes results in strange template pathnames.
The template path "cms:/qqq/var007abc+123*/qqq/bild.tpl" works well with Smarty, but it produces the following header in the precompiled template:
<?php /* Smarty version 2.4.1, created on 2003-07-20 16:30:48
compiled from cms:/qqq/var007abc+123*/qqq/bild.tpl */ ?>
Because of the */ this results in a PHP error...
je

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Sun Jul 20, 2003 6:07 pm Post subject:
Interesting. IMHO, supporting something as esoteric as that should probably be left to the user and not be worried about in Smarty.
I can think of at least one popular filesystem where that filename would be considered illegal.

Juergen Smarty n00b
Joined: 20 Jul 2003 Posts: 2 Location: Karlsruhe, Germany
Posted: Sun Jul 20, 2003 6:36 pm Post subject:
boots wrote:
> Interesting. IMHO, supporting something as esoteric as that should probably be left to the user and not be worried about in smarty.
> I can think of at least one popular filesystem where that filename would be considered illegal.
I don't think that it's esoteric to encode variables into the URL instead of the GET parameter.
URL:
http://some.host/var007abc+123%26%23a%2Bb%2Bc%2A/bild.tpl
Resulting Template:
cms:/var007abc+123*/bild.tpl
The template name is interpreted by the template resource plugin, which extracts the variables and opens the real template:
file:/bild.tpl
But it's no problem to change the template-header generation in the compiler by myself.

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Sun Jul 20, 2003 6:50 pm Post subject:
Hi. I think I see you more clearly, now. I said esoteric because, amazingly, resources are not nearly as common as you might expect and also because that use for resources is even less common.
Anyhow, instead of changing the template-header generation, you may consider passing your vars through a two-way replacement scheme.
e.g.
IN: */ => __REMEND__
OUT: __REMEND__ => */
It is unfortunate that current art of filesystems does not allow for uniform and simple access to attributed data since this would be a perfect candidate. Unfortunately, the way things are today, all of the extra "data" gets encoded into the compiled template's filename meaning that there is a hard limit to how much query data can be supplied with a custom template name. Further, that data must ultimately conform to filesystem rules.
I proposed to Monte a method that allowed resources to control physical naming but it was not accepted. In fairness, it was for a very different type of use (and was phrased differently) but perhaps there is still merit in it?

messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Sun Jul 20, 2003 7:07 pm Post subject:
If I understand this thread right, the filename is not the problem (it is url-encoded to be safe, AFAIR) but the comment in the template header. If the resource name causes this, it is a bug in Smarty.
I will look at it and have to escape the header in some way to be safe to stay in the PHP comment.

boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Sun Jul 20, 2003 7:22 pm Post subject:
@messju: Kinda. His template is *really* called bild.tpl but it is encoded with additional query information and it is that information that is causing the issue in the compiled template header.
Now how do you fix that without losing any of the original semantics/syntax? URL encoding might help, but then the name listed in the template header is literally not the name of the resource. Since Smarty imposes no rules on the passed resource name, the resource handler is free to interpret the name any way it sees fit. In this case, part of the name is actually a query. Nothing wrong with that, of course, except that now Smarty has to deal with a very strange name that could have all sorts of very strange sequences inserted into it. I wouldn't doubt that it would be a good spot to attack if looking for an exploit.
I'm grasping here because I think there is a bigger issue than just fixing the straight-up problem.
2c
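
The header problem discussed in this thread, as an added example that is not part of any post and not Smarty's own code: it builds the header the way the first post quotes it, encodes the resource name reversibly for the comment only, and uses PHP's tokenizer to check that the header is nothing but one comment. The function names are hypothetical, and percent-encoding is one possible escaping choice assumed here, not a statement of what Smarty adopted.

```php
<?php
// Added example, not Smarty's compiler code; all function names are hypothetical.

// Header as quoted in the thread: the raw resource name is pasted into a comment.
function header_raw(string $resource): string
{
    return "<?php /* Smarty version 2.4.1, created on 2003-07-20 16:30:48\n"
         . "         compiled from " . $resource . " */ ?>\n";
}

// Reversible encoding for the comment only: percent-encode the name, then
// restore "/" and ":" for readability. "*" becomes %2A, so "*/" cannot occur,
// and rawurldecode() gives back the exact resource name.
function comment_safe(string $resource): string
{
    return strtr(rawurlencode($resource), ['%2F' => '/', '%3A' => ':']);
}

// True when the header lexes as open tag + one comment + close tag, nothing else.
function header_is_inert(string $header): bool
{
    $kinds = [];
    foreach (token_get_all($header) as $tok) {
        $id = is_array($tok) ? $tok[0] : $tok; // one-character tokens are plain strings
        if ($id !== T_WHITESPACE) {
            $kinds[] = $id;
        }
    }
    return $kinds === [T_OPEN_TAG, T_COMMENT, T_CLOSE_TAG];
}

$names = [
    'cms:/qqq/var007abc+123*/qqq/bild.tpl', // name from the first post
    'cms:/a%2Fb*/bild.tpl',                 // constructed: already contains a percent escape
];
foreach ($names as $name) {
    $safe = comment_safe($name);
    printf("%s\n  raw header inert:     %s\n  encoded name:         %s\n"
         . "  encoded header inert: %s\n  round-trips:          %s\n",
        $name,
        var_export(header_is_inert(header_raw($name)), true),
        $safe,
        var_export(header_is_inert(header_raw($safe)), true),
        var_export(rawurldecode($safe) === $name, true));
}
```

Only the text written into the comment is encoded; the resource handler still receives the original name, so the plugin's own interpretation of the name is unchanged.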