|
Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon. |
|
View previous topic :: View next topic |
Author |
Message |
Drakla Smarty Rookie
Joined: 16 Aug 2005 Posts: 9
|
Posted: Thu Sep 01, 2005 7:17 am Post subject: Stop session and cookie vars being used in templates |
|
|
I've got a system of subsites fed from a central hub that allows subsite owners to skin their site by uploading zipped packages of smarty templates. Security is on to stop them running any php code, but I've just noticed that $smarty.session and $smarty.cookies can still be looped through with a foreach.
My concern is that session id's can be passed on by including them in something as simple as a javascript call or being passed in the SRC tag to a php generated image, leading to a nasty security hole.
Is there any way to stop templates having access to the $smarty.cookies facility, much like the ALLOW_CONSTANTS setting?
Unsetting the cookie and session fields is out of the question as the data is needed by my scripts.
EDIT: I've hacked the compiler class and made the appropriate sections return null so there are no compiler errors, but it would be good to know if it could be limited as part of the security settings. |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Thu Sep 01, 2005 8:29 am Post subject: |
|
|
this sounds like a good idea to me.
something like
$smarty->security_settings['ALLOW_REQUEST_VARS'] = false;
would be nice. |
|
Back to top |
|
Drakla Smarty Rookie
Joined: 16 Aug 2005 Posts: 9
|
Posted: Thu Sep 01, 2005 3:51 pm Post subject: |
|
|
At the mo the adjustments I've made for the get, post, cookie, request and session sections just add a line like so:
[php:1:04f1bcbdc9] case 'session':
if ($this->security && !$this->security_settings['ALLOW_SESSION'])
return null; // could trigger error, but will just blank it for new
$compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']";
break;[/php:1:04f1bcbdc9]
with the appropriate ALLOW_XXX. At the moment that just leaves the template as if the use of $smarty.request.phpsessid never happened. |
|
Back to top |
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|