While making sure that web host integrity is maintained when using nBBS in multi mode, I realized that Smarty, the beloved PHP templating engine, offers so many configuration options that it’s hard to tell what’s really secure and what isn’t. Here is how I have implemented our security model:
// BEGIN Template system
require "smarty/Smarty.class.php";
$TEMPLATE = new Smarty;
$TEMPLATE->force_compile = false; // true for development
$TEMPLATE->compile_check = true;
$TEMPLATE->debugging = false;
// $TEMPLATE->caching = true;
// Security
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE; // default: do not allow php tags
$TEMPLATE->security = TRUE; // Pseudo-safe mode
// Output filter (template_postfilter() must be defined elsewhere in the application)
$TEMPLATE->register_outputfilter("template_postfilter");
// END Template system
Obviously, the section you should be concerned with is under ‘Security’.
Note that Smarty’s documentation is a bit confusing regarding allowing PHP words, but in the end it boils down to this: there is an associative array, called ’security_settings’, and its keys are:
PHP_HANDLING, which allows you to ignore the setting of $php_handling (!!!)
IF_FUNCS lists PHP functions allowed in an {if} statement
INCLUDE_ANY allows you to ignore $secure_dir but it seems to take $trusted_dir into account
PHP_TAGS, when true, allows {php} statements, unless maimed by $php_handling
and finally:
MODIFIER_FUNCS is an array of functions allowed when interpreting PHP… note that it also allows functions for {if} statements!
Oh, and ALLOW_CONSTANTS. No relevance here.
What a mess.
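One way to keep these keys under control is to audit them at startup. The following is an added example, not code from the original post: the function name audit_template_security(), the list of dangerous functions and the stdClass stand-in for a Smarty object are assumptions, while the property and key names are the ones described above.

```php
<?php
// Added example: audit a Smarty-style object for the security keys listed above.
// audit_template_security() and $dangerous are hypothetical, not part of Smarty.
function audit_template_security($tpl)
{
    $findings = array();
    $s = isset($tpl->security_settings) ? $tpl->security_settings : array();

    if (empty($tpl->security)) {
        $findings[] = '$security is off: security_settings are not enforced';
    }
    if (!empty($s['PHP_HANDLING'])) {
        $findings[] = 'PHP_HANDLING is true: $php_handling is ignored';
    }
    if (!empty($s['PHP_TAGS'])) {
        $findings[] = 'PHP_TAGS is true: {php} statements are allowed';
    }
    if (!empty($s['INCLUDE_ANY'])) {
        $findings[] = 'INCLUDE_ANY is true: $secure_dir is ignored';
    }
    // Constructed deny list: functions a template should never be able to reach.
    $dangerous = array('eval', 'exec', 'system', 'passthru', 'shell_exec',
                       'popen', 'proc_open', 'assert', 'call_user_func',
                       'file_put_contents', 'unlink');
    // MODIFIER_FUNCS also applies to {if}, so both lists get the same check.
    foreach (array('IF_FUNCS', 'MODIFIER_FUNCS') as $key) {
        $allowed = isset($s[$key]) ? array_map('strtolower', (array) $s[$key]) : array();
        foreach (array_intersect($allowed, $dangerous) as $fn) {
            $findings[] = "$key allows $fn()";
        }
    }
    return $findings;
}

// Constructed stand-in for a Smarty instance so the example runs without the library.
$tpl = new stdClass;
$tpl->security = true;
$tpl->security_settings = array(
    'PHP_HANDLING'    => false,
    'IF_FUNCS'        => array('isset', 'empty', 'count', 'in_array', 'is_array'),
    'INCLUDE_ANY'     => false,
    'PHP_TAGS'        => false,
    'MODIFIER_FUNCS'  => array('count', 'system'), // deliberately weak entry
    'ALLOW_CONSTANTS' => false,
);
foreach (audit_template_security($tpl) as $finding) {
    echo "WARN: $finding\n";
}
```

Passing the real $TEMPLATE object instead of the stand-in runs the same checks against the live configuration.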