The confusing Smarty security model
While making sure that web-host integrity is maintained when nBBS runs in multi mode, I realized that Smarty, the beloved PHP templating engine, offers so many configuration options that it’s hard to tell what is really secure and what isn’t. Here is how I have implemented our security model:
```php
// BEGIN Template system
require "smarty/Smarty.class.php";
$TEMPLATE = new Smarty;
$TEMPLATE->force_compile = false; // true for development
$TEMPLATE->compile_check = true;
$TEMPLATE->debugging = false;
// $TEMPLATE->caching = true;

// Security
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE; // strip PHP tags (Smarty's own default is SMARTY_PHP_PASSTHRU)
$TEMPLATE->security = TRUE; // Pseudo-safe mode
$TEMPLATE->security_settings['MODIFIER_FUNCS'] = array('substr'); // the only modifier templates may call
$TEMPLATE->trusted_dir = array(); // No trusted directory. Ever.
// $TEMPLATE->register_outputfilter("template_postfilter");
// END Template system
```
Obviously, the section you should be concerned with is under ‘Security’.
Note that Smarty’s documentation is a bit confusing about which PHP constructs it lets through, but in the end it boils down to this: there is an associative array called ’security_settings’, and its keys are:
- PHP_HANDLING, which lets templates ignore the setting of $php_handling (!!!)
- IF_FUNCS lists the PHP functions allowed in an {if} statement
- INCLUDE_ANY lets you ignore $secure_dir, but it seems to take $trusted_dir into account
- PHP_TAGS, when true, allows {php} blocks, unless $php_handling has already disabled them
- MODIFIER_FUNCS is an array of functions allowed as variable modifiers; note that it also allows those functions in {if} statements!
- ALLOW_CONSTANTS, which is of no relevance here.
What a mess.
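Because the knobs interact, it helps to check them programmatically. The following is an added example (my own code, not from the post and not part of Smarty) that inspects a Smarty 2 instance and reports every setting that loosens the model above; the short allow-list of modifiers it tolerates is this example's assumption, while the property names and constants are Smarty 2's own.

```php
<?php
// Added example: audit a Smarty 2 instance against the post's security model.
// Assumes Smarty 2.x installed at the same path the post uses.
require 'smarty/Smarty.class.php';

/**
 * Return human-readable findings; an empty array means the instance
 * matches the restrictive configuration shown in the post.
 */
function audit_smarty_security(Smarty $tpl)
{
    $findings = array();
    $s = $tpl->security_settings;

    if (!$tpl->security) {
        $findings[] = '$security is off: security_settings are not enforced at all';
    }
    if ($tpl->php_handling !== SMARTY_PHP_REMOVE) {
        $findings[] = '$php_handling is not SMARTY_PHP_REMOVE: PHP tags in templates are not stripped';
    }
    if (!empty($s['PHP_HANDLING'])) {
        $findings[] = "security_settings['PHP_HANDLING'] lets templates override \$php_handling";
    }
    if (!empty($s['PHP_TAGS'])) {
        $findings[] = "security_settings['PHP_TAGS'] allows {php} blocks";
    }
    if (!empty($s['INCLUDE_ANY'])) {
        $findings[] = "security_settings['INCLUDE_ANY'] bypasses \$secure_dir";
    }
    if (!empty($tpl->trusted_dir)) {
        $findings[] = '$trusted_dir is non-empty: ' . implode(', ', (array) $tpl->trusted_dir);
    }
    // MODIFIER_FUNCS is also honoured inside {if}, so anything beyond a small
    // allow-list of side-effect-free helpers (this example's choice) is flagged.
    $harmless = array('substr', 'count', 'strlen', 'strtolower', 'strtoupper');
    foreach ((array) $s['MODIFIER_FUNCS'] as $fn) {
        if (!in_array($fn, $harmless, true)) {
            $findings[] = "MODIFIER_FUNCS permits '$fn' in modifiers and {if}";
        }
    }
    return $findings;
}

// Out-of-the-box instance: $security off, $php_handling = SMARTY_PHP_PASSTHRU.
print_r(audit_smarty_security(new Smarty));

// The post's hardened instance.
$hardened = new Smarty;
$hardened->security = true;
$hardened->php_handling = SMARTY_PHP_REMOVE;
$hardened->security_settings['MODIFIER_FUNCS'] = array('substr');
$hardened->trusted_dir = array();
print_r(audit_smarty_security($hardened));
```

Run it once against your real `$TEMPLATE` after all configuration code has executed, since a later assignment to `security_settings` silently undoes the earlier hardening.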