
Posted: Tue Jun 13, 2006 4:36 pm
by RobertGonzalez
Can someone here explain to me how the Smarty $security flag does anything to user supplied form input? From the Smarty manual page on $security:
The Smarty Manual wrote:$security
$security true/false, default is false. Security is good for situations when you have untrusted parties editing the templates (via ftp for example) and you want to reduce the risk of system security compromises through the template language. Turning on security enforces the following rules to the template language, unless specifically overridden with $security_settings:
  • If $php_handling is set to SMARTY_PHP_ALLOW, this is implicitly changed to SMARTY_PHP_PASSTHRU
  • PHP functions are not allowed in {if} statements, except those specified in the $security_settings
  • templates can only be included from directories listed in the $secure_dir array
  • local files can only be fetched from directories listed in the $secure_dir array using {fetch}
  • {php}{/php} tags are not allowed
  • PHP functions are not allowed as modifiers, except those specified in the $security_settings
This doesn't say word one about user supplied input. The only way a user input is getting into a template is by assigning the input to a var and adding that var to the template. It appears, by this information in the manual, that the $security flag only affects the template and use of Smarty template tags within the template. In any event, it seems that the most reasonable way in which someone may want to attempt to execute PHP code within the template would be to hijack the template, in which case why waste your time with the template? Why not just hijack the core code?

Is this thread even talking about the right thing? I mean, seriously, unless a developer is taking user supplied data and echoing it to the template without some form of validation, it would seem that a template is not going to execute code unless the developer tells it to. If the developer is not sanitizing data, then that developer is opening themselves up to issues, not the app they are using. Or am I wrong?
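
The distinction the post above draws (the $security flag constrains what a template author may write; it does nothing about the value of a variable assigned from $_GET) is easiest to see in code. The following is an added example, not code from the thread or from the Smarty project. It assumes a Smarty 2.6-era installation with Smarty.class.php on the include_path, a writable temp directory, and a constructed template and input string; the setting names follow the manual text quoted above.

```php
<?php
// Added example (not from this thread or the Smarty project): Smarty 2.x setup
// that turns on $security for template authors and, separately, escapes user
// input, which $security alone does nothing about. Paths, the template file
// and the "user input" below are assumptions constructed for this demo.
require_once 'Smarty.class.php';   // assumes Smarty 2.6.x on the include_path

$base = sys_get_temp_dir() . '/smarty_sec_demo';
foreach (array('templates', 'templates_c') as $dir) {
    if (!is_dir("$base/$dir")) {
        mkdir("$base/$dir", 0700, true);
    }
}

// Constructed template: written by the developer, but rendering a variable that
// came from the request. {$name} is unescaped; {$name|escape:'html'} is not.
file_put_contents("$base/templates/hello.tpl",
    "Raw: {\$name}\nEscaped: {\$name|escape:'html'}\n");

function build_smarty($base)
{
    $smarty = new Smarty();
    $smarty->template_dir  = "$base/templates";
    $smarty->compile_dir   = "$base/templates_c";
    $smarty->force_compile = true;   // demo only: recompile so each config change takes effect

    // $security restricts the template *language*, i.e. what a template author can do.
    $smarty->security   = true;
    $smarty->secure_dir = array("$base/templates");      // {include}/{fetch} limited to here
    $smarty->security_settings['PHP_TAGS']        = false;                      // no {php}{/php}
    $smarty->security_settings['INCLUDE_ANY']     = false;                      // only $secure_dir
    $smarty->security_settings['IF_FUNCS']        = array('isset', 'empty', 'count');
    $smarty->security_settings['MODIFIER_FUNCS']  = array('count');
    $smarty->security_settings['ALLOW_CONSTANTS'] = false;
    // The manual says SMARTY_PHP_ALLOW is downgraded to PASSTHRU under $security;
    // REMOVE is stricter and drops inline <?php ?> from templates entirely.
    $smarty->php_handling = SMARTY_PHP_REMOVE;
    return $smarty;
}

// Constructed stand-in for $_GET['name'].
$userInput = '<script>alert(1)</script>';

// 1) Security on, variable rendered raw: the markup reaches the browser untouched.
$smarty = build_smarty($base);
$smarty->assign('name', $userInput);
echo $smarty->fetch('hello.tpl');
// "Raw:" line still contains the <script> tag; only the |escape line is neutralised.

// 2) Same $security setting, plus HTML escaping applied to every variable by default.
$smarty = build_smarty($base);
$smarty->default_modifiers = array('escape:"html"');
$smarty->assign('name', $userInput);
echo $smarty->fetch('hello.tpl');
// Both lines now render &lt;script&gt;...; the change that mattered is output
// escaping in the developer's code, not the $security flag.
```

Caveat for the second variant: $default_modifiers applies to every {$var} in every template, so any variable that legitimately carries trusted HTML must be emitted with the smarty modifier disabled for that tag (Smarty 2 supports `{$var nofilter}` only from 3.x; in 2.x the usual approach is to keep escaping on and build the trusted markup in PHP). Either way, the template engine only sees strings; deciding which strings are untrusted remains the developer's job.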

Posted: Tue Jun 13, 2006 5:43 pm
by Maugrim_The_Reaper
This was a point covered in the argument...somewhere... It is not a template engine's core responsibility to filter user input. Any such measure is a feature, and its lack cannot be a security flaw. It's the basis of people's disagreement with Roja. He was saying that what we considered an optional feature, when missing, should be termed a "security flaw". IMO, this ignores a TE's core responsibility - parse template into HTML.

Posted: Tue Jun 13, 2006 5:51 pm
by alex.barylski
I would have posted a comment on his blog about it but he is moderating any comments and deleting those he doesn't like
:lol: :lol: :lol:

I elect him for president :P
I really am getting tired of Roja trying to creatively manufacture non-existent problems with anything I write and release. It really is childish and petty
He certainly has some strong opinions...many of which I would argue against personally...but if they're just opinions...I guess no one can be right :)

Cheers :)

Posted: Tue Jun 13, 2006 8:00 pm
by AKA Panama Jack
Interesting...

Roja completely removed that blog entry and posted another saying if you want to see what he wrote in the blog he deleted Email him.

That is more than a little strange.

Posted: Tue Jun 13, 2006 9:35 pm
by alex.barylski
I call censorship!!! 8)

Posted: Wed Jun 14, 2006 1:01 am
by John Cartwright
There is one thing we for sure don't allow around here, and that is attacking a user (for whatever reason). I'm going to leave this thread open for now, although if there is any more flaming/flamebaiting it will be locked.

Keep it sensible :?

Posted: Wed Jun 14, 2006 3:44 am
by Chris Corbyn
AKA Panama Jack wrote:Interesting...

Roja completely removed that blog entry and posted another saying if you want to see what he wrote in the blog he deleted Email him.

That is more than a little strange.
Maybe he's just trying to keep the peace given this whole fiasco. I've seen enough of it in this thread for now thank you.

Posted: Wed Jun 14, 2006 8:41 am
by Roja
d11wtq wrote:Maybe he's just trying to keep the peace given this whole fiasco. I've seen enough of it in this thread for now thank you.
Multiple members of the BNT dev team were curious why I went to Template-Lite, and then, why I went back to Smarty. I took the time to mention in general my concerns, and they (and other people) wanted more detail. I answered.

Some people disagree with my conclusions, my opinions, and my reasoning. That is entirely their right.

It doesn't change my conclusions, my opinions, and my reasoning. I've discussed it in public as much as I care to, and it has grown beyond a simple discussion about a single choice in a project I'm working on. When it became a discussion about Template-Lite, and not a discussion about my choices and my reasoning, I realized it was time to walk away.

Imagine a 5-page thread criticizing in detail someone's choice to use VI instead of Emacs, and arguing that control-keys weren't REALLY a usability issue, and you get the idea of where we are in this thread.

I removed the last blog post because I had no intention of continuing the discussion (here, there, or otherwise). As I said on my blog, if anyone is interested (in the choice, as it applies to BNT), they can inquire via email. There is no need for a public discussion of my personal development choices, and I'm not willing or interested in doing so further in this case. There is a disgusting amount of armchair quarterbacking being done - and I'm not playing along.

I choose not to use Template-Lite. For me, in my opinion, it does not meet my requirements - primarily on the basis of security (as *I* see it). You are welcome to draw your own conclusions (whether they agree with mine or not)

My part in this thread is done, and I only posted to clear up any lingering confusions. I sincerely hope that helps.

In the future, I highly recommend that people do NOT read my blog if they are likely to disagree with my opinions to the point that they feel the need to comment on it publicly. I blog about what interests me, when it interests me, and when I have time. If you don't like it, don't visit. Next week, I will probably be complaining about PHP5 - and the last thing I want is to have to defend my dislike of PHP5 in general. Wait until I get on the topic of Mothers-in-law.. sheesh.

Posted: Wed Jun 14, 2006 9:54 am
by RobertGonzalez
Personally, I think this thread was informative and educational. There are times when it got heated, but I believe that is going to happen in any case where someone may have a particular distaste to something that someone else does AND it gets discussed in a public forum. It also clearly showed the varying views some of this community's members have on the topic of what security is.

As many have said here before (myself included), we all have our opinions and we are all free to express them as long as we stay within the bounds of the forum rules and maintain an appropriate level of respect for one another. Yes, there were some marginal 'approaches to violating' the latter of these principles, but I still think all participants in this thread did their part to convey their positions and opinions in a clear and fairly non-confrontational way.

Just my $0.02.

PS Thanks to all the posters within this thread. It was useful and educational for me.