Templates - hints

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.


RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Can someone here explain to me how the Smarty $security flag does anything to user supplied form input? From the Smarty manual page on $security:
The Smarty Manual wrote: $security
$security true/false, default is false. Security is good for situations when you have untrusted parties editing the templates (via ftp for example) and you want to reduce the risk of system security compromises through the template language. Turning on security enforces the following rules to the template language, unless specifically overridden with $security_settings:
  • If $php_handling is set to SMARTY_PHP_ALLOW, this is implicitly changed to SMARTY_PHP_PASSTHRU
  • PHP functions are not allowed in {if} statements, except those specified in the $security_settings
  • templates can only be included from directories listed in the $secure_dir array
  • local files can only be fetched from directories listed in the $secure_dir array using {fetch}
  • {php}{/php} tags are not allowed
  • PHP functions are not allowed as modifiers, except those specified in the $security_settings
This doesn't say word one about user supplied input. The only way a user input is getting into a template is by assigning the input to a var and adding that var to the template. It appears, by this information in the manual, that the $security flag only affects the template and use of Smarty template tags within the template. In any event, it seems that the most reasonable way in which someone may want to attempt to execute PHP code within the template would be to hijack the template, in which case why waste your time with the template? Why not just hijack the core code?

Is this thread even talking about the right thing? I mean, seriously, unless a developer is taking user supplied data and echoing it to the template without some form of validation, it would seem that a template is not going to execute code unless the developer tells it to. If the developer is not sanitizing data, then that developer is opening themselves up to issues, not the app they are using. Or am I wrong?
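The distinction the post above draws (the $security flag constrains the template language, not the values a developer assigns into a template) is easy to see in a few lines. The following is an added example, not code from the thread or from the Smarty project; it assumes a Smarty 2.x install reachable at the require_once path shown, and the "user input" is a constructed string standing in for a request parameter:

```php
<?php
// Added example: with Smarty 2 $security on, a value passed to assign()
// is still emitted verbatim by {$var}. Escaping is the developer's job,
// either in the template ({$var|escape}) or before the value is assigned.
// Assumption: Smarty 2.x library at this path; adjust to your install.
require_once 'Smarty/libs/Smarty.class.php';

$work = sys_get_temp_dir() . '/smarty_security_demo';
@mkdir("$work/templates", 0700, true);
@mkdir("$work/templates_c", 0700, true);

// Two one-line templates: one echoes the variable raw, one applies the
// built-in escape modifier (a Smarty plugin, so it stays allowed under
// $security; a bare PHP function such as htmlspecialchars would not be).
file_put_contents("$work/templates/raw.tpl",     '<p>{$comment}</p>');
file_put_contents("$work/templates/escaped.tpl", '<p>{$comment|escape:"html"}</p>');

$smarty = new Smarty;
$smarty->template_dir = "$work/templates";
$smarty->compile_dir  = "$work/templates_c";

// Everything $security does applies to the template language itself:
// {php}{/php} is refused, PHP functions are not usable as modifiers or in
// {if} beyond what $security_settings allows, {include} and {fetch} are
// confined to $secure_dir. None of it inspects the values you assign().
$smarty->security   = true;
$smarty->secure_dir = array("$work/templates");

// Constructed "user input", standing in for $_GET['comment'] or $_POST['comment'].
$userInput = '<script>alert(document.cookie)</script>';
$smarty->assign('comment', $userInput);

// 1. Raw output: the script tag reaches the browser untouched, $security or not.
echo $smarty->fetch('raw.tpl'), "\n";

// 2. Escaped in the template: angle brackets and quotes become entities.
echo $smarty->fetch('escaped.tpl'), "\n";

// 3. Escaped before assignment: same result with the raw template, and it
//    does not depend on every template author remembering |escape.
$smarty->assign('comment', htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'));
echo $smarty->fetch('raw.tpl'), "\n";
```

The first fetch returns the script tag exactly as assigned; the second and third return it with `<`, `>` and quotes entity-encoded. Option 3 is the one to prefer when templates are edited by people you do not fully trust, since it removes the chance of a template dropping the modifier. Smarty 2.6 also has a `$default_modifiers` array (for example `array('escape:"htmlall"')`) that applies a modifier to every variable a template outputs, which turns escaping from an opt-in into an opt-out.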
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

This was a point covered in the argument...somewhere... It is not a template engine's core responsibility to filter user input. Any such measure is a feature, and its lack cannot be a security flaw. It's the basis of people's disagreement with Roja. He was saying that what we considered an optional feature, when missing, should be termed a "security flaw". IMO, this ignores a TE's core responsibility - parse template into HTML.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I would have posted a comment on his blog about it but he is moderating any comments and deleting those he doesn't like
:lol: :lol: :lol:

I elect him for president :P
I really am getting tired of Roja trying to creatively manufacture non-existent problems with anything I write and release. It really is childish and petty
He certainly has some strong opinions...many of which I would argue against personally...but if they're just opinions...I guess no one can be right :)

Cheers :)
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Interesting...

Roja completely removed that blog entry and posted another saying if you want to see what he wrote in the blog he deleted Email him.

That is more than a little strange.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I call censorship!!! 8)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

There is one thing we for sure don't allow around here, and that is attacking a user (for whatever reason). I'm going to leave this thread open for now, although any more flaming/flamebaiting then it will be locked.

Keep it sensible :?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

AKA Panama Jack wrote: Interesting...

Roja completely removed that blog entry and posted another saying if you want to see what he wrote in the blog he deleted Email him.

That is more than a little strange.
Maybe he's just trying to keep the peace given this whole fiasco. I've seen enough of it in this thread for now thank you.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

d11wtq wrote: Maybe he's just trying to keep the peace given this whole fiasco. I've seen enough of it in this thread for now thank you.
Multiple members of the BNT dev team were curious why I went to Template-Lite, and then, why I went back to Smarty. I took the time to mention in general my concerns, and they (and other people) wanted more detail. I answered.

Some people disagree with my conclusions, my opinions, and my reasoning. That is entirely their right.

It doesn't change my conclusions, my opinions, and my reasoning. I've discussed it in public as much as I care to, and it has grown beyond a simple discussion about a single choice in a project I'm working on. When it became a discussion about Template-Lite, and not a discussion about my choices and my reasoning, I realized it was time to walk away.

Imagine a 5-page thread criticizing in detail someone's choice to use VI instead of Emacs, and arguing that control-keys weren't REALLY a usability issue, and you get the idea of where we are in this thread.

I removed the last blog post because I had no intention of continuing the discussion (here, there, or otherwise). As I said on my blog, if anyone is interested (in the choice, as it applies to BNT), they can inquire via email. There is no need for a public discussion of my personal development choices, and I'm not willing or interested in doing so further in this case. There is a disgusting amount of armchair quarterbacking being done - and I'm not playing along.

I choose not to use Template-Lite. For me, in my opinion, it does not meet my requirements - primarily on the basis of security (as *I* see it). You are welcome to draw your own conclusions (whether they agree with mine or not)

My part in this thread is done, and I only posted to clear up any lingering confusions. I sincerely hope that helps.

In the future, I highly recommend that people do NOT read my blog if they are likely to disagree with my opinions to the point that they feel the need to comment on it publicly. I blog about what interests me, when it interests me, and when I have time. If you don't like it, don't visit. Next week, I will probably be complaining about PHP5 - and the last thing I want is to have to defend my dislike of PHP5 in general. Wait until I get on the topic of Mothers-in-law.. sheesh.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Personally, I think this thread was informative and educational. There are times when it got heated, but I believe that is going to happen in any case where someone may have a particular distaste to something that someone else does AND it gets discussed in a public forum. It also clearly showed the varying views some of this community's members have on the topic of what security is.

As many have said here before (myself included), we all have our opinions and we are all free to express them as long as we stay within the bounds of the forum rules and maintain an appropriate level of respect for one another. Yes, there were some marginal 'approaches to violating' the latter of these principles, but I still think all participants in this thread did their part to convey their positions and opinions in a clear and fairly non-confrontational way.

Just my $0.02.

PS Thanks to all the posters within this thread. It was useful and educational for me.