Archive for December, 2006
Create your own WebTop in php/js in no time
They are everywhere: protopage, pageflakes, netvibes et al. are free, easy to use (as long as you have a powerful browser) and moderately eye-pleasing.
SO?
A couple of months ago, I wondered how long it would take me to build my own ‘WebTop’ (you can play with it here). The challenge would be to get it to a satisfactory state over a weekend.
Of course, I decided to use existing open-source code for the applications’ primary needs.
If you enjoyed this post, make sure you subscribe to my RSS feed!
The confusing Smarty security model
While in the process of making sure that the web host’s integrity is maintained when running nBBS in multi mode, I realized that Smarty, the beloved PHP templating engine, offers so many configuration options that it’s hard to tell what’s really secure and what isn’t. Here is how I have implemented our security model:
// BEGIN Template system
require "smarty/Smarty.class.php";
$TEMPLATE = new Smarty;
$TEMPLATE->force_compile = false; // true for development
$TEMPLATE->compile_check = true;
$TEMPLATE->debugging = false;
// $TEMPLATE->caching = true;
// Security
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE; // default: do not allow php tags
$TEMPLATE->security = TRUE; // Pseudo-safe mode
$TEMPLATE->security_settings['MODIFIER_FUNCS'] = array('substr');
$TEMPLATE->trusted_dir = array(); // No trusted directory. Ever.
// $TEMPLATE->register_outputfilter("template_postfilter");
// END Template system
Obviously, the section you should be concerned with is under ‘Security’.
Note that Smarty’s documentation is a bit confusing about which PHP constructs are allowed, but in the end it boils down to this: there is an associative array called ‘security_settings’, and its keys are:
PHP_HANDLING, which allows you to ignore the setting of $php_handling (!!!)
IF_FUNCS lists the PHP functions allowed in an {if} statement
INCLUDE_ANY allows you to ignore $secure_dir, but it seems to take $trusted_dir into account
PHP_TAGS, when true, allows {php} statements, unless overridden by $php_handling
and finally:
MODIFIER_FUNCS is an array of functions allowed when interpreting PHP. Note that it also allows functions for {if} statements!
Oh, and ALLOW_CONSTANTS. No relevance here.
What a mess.
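To see the whole security_settings array in one place, here is an added example (not code from the post, and not part of nextBBS) that builds a locked-down Smarty 2 instance with every key spelled out, then renders a constructed untrusted template to show what the layer refuses. It assumes Smarty 2.6.x at smarty/Smarty.class.php as in the snippet above; the function names, the scratch directories and the template text are all made up for the demonstration, and the exact wording of the secure-mode warnings depends on the 2.6 release.

```php
<?php
// Added example, not the post's configuration nor nextBBS code: a factory for a
// locked-down Smarty 2 instance plus a render of a constructed untrusted template.
// Assumes Smarty 2.6.x at smarty/Smarty.class.php, as in the post.
require 'smarty/Smarty.class.php';

function make_secure_smarty($template_dir, $compile_dir)
{
    $t = new Smarty;
    $t->template_dir  = $template_dir;
    $t->compile_dir   = $compile_dir;     // must be writable by the web server
    $t->force_compile = false;
    $t->compile_check = true;
    $t->debugging     = false;

    // Raw PHP open/close tags inside a template are stripped, never run or echoed.
    $t->php_handling = SMARTY_PHP_REMOVE;

    // Security layer on, with every key set explicitly instead of trusting defaults.
    $t->security = true;
    $t->security_settings['PHP_HANDLING']    = false; // templates cannot override php_handling
    $t->security_settings['PHP_TAGS']        = false; // no {php}...{/php}
    $t->security_settings['INCLUDE_ANY']     = false; // {include} only from template_dir / secure_dir
    $t->security_settings['ALLOW_CONSTANTS'] = false;
    $t->security_settings['IF_FUNCS']        = array('isset', 'empty', 'count', 'in_array');
    $t->security_settings['MODIFIER_FUNCS']  = array('substr');
    $t->trusted_dir = array();  // no directory whose {include_php} code is trusted
    $t->secure_dir  = array();  // no template source outside template_dir
    return $t;
}

// Smarty reports secure-mode violations through trigger_error(); collect them
// here so the demonstration can list them instead of aborting on the first one.
$smarty_violations = array();
function collect_smarty_error($errno, $errstr)
{
    global $smarty_violations;
    $smarty_violations[] = $errstr;
    return true;   // handled
}

function render_untrusted_demo()
{
    global $smarty_violations;
    // Constructed scratch directories and template, for the demonstration only.
    $dir = sys_get_temp_dir() . '/smarty_demo_' . getmypid();
    mkdir($dir);
    mkdir("$dir/templates");
    mkdir("$dir/templates_c");
    $untrusted = "Hi {\$name|substr:0:3}\n"           // allowed modifier
               . "{\$name|strtoupper}\n"               // modifier not in MODIFIER_FUNCS
               . "{if strlen(\$name) > 0}long{/if}\n"  // function not in IF_FUNCS
               . "{php}echo 'never runs';{/php}\n";    // PHP_TAGS is false
    file_put_contents("$dir/templates/untrusted.tpl", $untrusted);

    $t = make_secure_smarty("$dir/templates", "$dir/templates_c");
    $t->assign('name', 'Alice');
    set_error_handler('collect_smarty_error');
    $out = $t->fetch('untrusted.tpl');
    restore_error_handler();
    return array('output' => $out, 'violations' => $smarty_violations);
}

$result = render_untrusted_demo();
echo $result['output'];
foreach ($result['violations'] as $v) {
    echo "refused: $v\n";
}
```

The first template line renders as the post's own configuration would (substr is whitelisted); the other three each produce a secure-mode warning from the compiler, and the disallowed modifier is dropped rather than applied. Setting PHP_HANDLING to false is the part that matters most in a multi-board setup: it is the only thing that stops a template from re-enabling raw PHP regardless of $php_handling.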
C!D v2 = nextBBS multi
Well, after spending quite some time cleaning up the code, making sure that no ‘dangerous’ Admin CP operation is available in multi-boards mode, and identifying which settings need to be made immutable, we are almost there.
I am currently working on the automatic setup script. Remaining to do:
mkdir
servers/SERVERID
servers/SERVERID/attachments
servers/SERVERID/avatars
servers/SERVERID/emoticons
servers/SERVERID/lang
servers/SERVERID/lang/en
servers/SERVERID/uploads
servers/SERVERID/templates
servers/SERVERID/templates/*
servers/SERVERID/templates/*_c
cp
servers/SERVERID/emoticons/*
servers/SERVERID/templates/*[!_c]/*
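As an added example that is not the nextBBS setup script, here is how the layout above could be created for one SERVERID in PHP. It assumes the install root holds master emoticons/ and templates/<skin>/ directories to copy from; the function names are invented, and the SERVERID check is there because in multi-boards mode the id comes from outside the host and must never be allowed to escape servers/.

```php
<?php
// Added example, not the nextBBS setup script: create the per-server directory
// layout for one SERVERID. Assumes master emoticons/ and templates/<skin>/
// directories under the install root (assumption).

function valid_server_id($id)
{
    // Only a short, plain token: no slashes, dots or empty string, so the id
    // can never resolve to anything outside servers/.
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,32}$/', $id);
}

function copy_tree($src, $dst)
{
    if (!is_dir($dst) && !mkdir($dst, 0755, true)) {
        throw new Exception("cannot create $dst");
    }
    foreach (scandir($src) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $s = "$src/$entry";
        $d = "$dst/$entry";
        if (is_dir($s)) {
            copy_tree($s, $d);
        } elseif (!copy($s, $d)) {
            throw new Exception("cannot copy $s");
        }
    }
}

function create_server_layout($root, $id)
{
    if (!valid_server_id($id)) {
        throw new Exception('invalid server id');
    }
    $base = "$root/servers/$id";

    // The fixed part of the layout from the todo list.
    $dirs = array('', 'attachments', 'avatars', 'emoticons', 'lang', 'lang/en', 'uploads', 'templates');
    foreach ($dirs as $d) {
        $path = rtrim("$base/$d", '/');
        if (!is_dir($path) && !mkdir($path, 0755, true)) {
            throw new Exception("cannot create $path");
        }
    }

    // One directory per skin, copied from the master tree, plus an empty
    // compiled (_c) twin. Master *_c directories are never copied.
    foreach (glob("$root/templates/*", GLOB_ONLYDIR) as $skin) {
        $name = basename($skin);
        if (substr($name, -2) === '_c') {
            continue;
        }
        copy_tree($skin, "$base/templates/$name");
        $compiled = "$base/templates/{$name}_c";
        if (!is_dir($compiled) && !mkdir($compiled, 0755)) {
            throw new Exception("cannot create $compiled");
        }
    }

    copy_tree("$root/emoticons", "$base/emoticons");
    return $base;
}

// Usage: php setup_server.php <install-root> <SERVERID>
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo create_server_layout($argv[1], $argv[2]) . "\n";
}
```

Ownership and write permissions for uploads/, attachments/, avatars/ and the *_c directories are left at 0755 here; which user needs write access is a deployment decision, and the master templates/ tree itself stays read-only to the web server.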
Note that the only ‘router’ module currently ready is the one based on subdomains. But that’s all Clic!Dev needs anyway.
Of course, as usual with everything nextBBS, this code will be available in the software’s next release. Your first chance to take a look under Clic!Dev’s hood.
Opening of this development blog
Not much to say. It’s open!