Smarty

Drakla · Smarty Rookie Joined: 16 Aug 2005 Posts: 9

I've got a system of subsites fed from a central hub that allows subsite owners to skin their site by uploading zipped packages of smarty templates. Security is on to stop them running any php code, but I've just noticed that $smarty.session and $smarty.cookies can still be looped through with a foreach.

My concern is that session id's can be passed on by including them in something as simple as a javascript call or being passed in the SRC tag to a php generated image, leading to a nasty security hole.

Is there any way to stop templates having access to the $smarty.cookies facility, much like the ALLOW_CONSTANTS setting?

Unsetting the cookie and session fields is out of the question as the data is needed by my scripts.

EDIT: I've hacked the compiler class and made the appropriate sections return null so there are no compiler errors, but it would be good to know if it could be limited as part of the security settings.

messju · Posted: Thu Sep 01, 2005 8:29 am Post subject:

this sounds like a good idea to me.

something like
$smarty->security_settings['ALLOW_REQUEST_VARS'] = false;
would be nice.

Drakla · Smarty Rookie Joined: 16 Aug 2005 Posts: 9

At the mo the adjustments I've made for the get, post, cookie, request and session sections just add a line like so:
[php:1:04f1bcbdc9] case 'session':
if ($this->security && !$this->security_settings['ALLOW_SESSION'])
return null; // could trigger error, but will just blank it for new
$compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']";
break;[/php:1:04f1bcbdc9]

with the appropriate ALLOW_XXX. At the moment that just leaves the template as if the use of $smarty.request.phpsessid never happened.