Jul 01

Soon to be unleashed on your unsuspecting screens (well…if you’re using NextBBS, that is *):

See Topic Here
*: if you’re not, you really should :)


Dec 16

While making sure that the web host's integrity is maintained when using nBBS in multi mode, I realized that Smarty, the beloved PHP templating engine, offers so many configuration options that it's hard to tell what's really secure and what isn't. Here is how I have implemented our security model:

```php
// BEGIN Template system
require "smarty/Smarty.class.php";
$TEMPLATE = new Smarty;
$TEMPLATE->force_compile = false; // true for development
$TEMPLATE->compile_check = true;
$TEMPLATE->debugging = false;
// $TEMPLATE->caching = true;
// Security
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE; // default: do not allow php tags
$TEMPLATE->security = TRUE; // Pseudo-safe mode
$TEMPLATE->security_settings['MODIFIER_FUNCS'] = array('substr');
$TEMPLATE->trusted_dir = array(); // No trusted directory. Ever.
//
// template_postfilter() is nextBBS's own output filter, defined elsewhere
$TEMPLATE->register_outputfilter("template_postfilter");
// END Template system
```

Obviously, the section you should be concerned with is the one under 'Security'.
Note that Smarty's documentation is a bit confusing regarding how PHP is allowed inside templates, but in the end it boils down to this: there is an associative array called 'security_settings', and its keys are:
PHP_HANDLING, which allows you to ignore the setting of $php_handling (!!!)
IF_FUNCS lists the PHP functions allowed in an {if} statement
INCLUDE_ANY allows you to ignore $secure_dir, but it seems to take $trusted_dir into account
PHP_TAGS, when true, allows {php} statements, unless maimed by $php_handling
and finally:
MODIFIER_FUNCS is an array of functions allowed when interpreting PHP modifiers… note that it also allows those functions in {if} statements!

Oh, and ALLOW_CONSTANTS. No relevance here.

What a mess.
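Because those six keys interact, the safest habit is to set every one of them explicitly and then verify the resulting Smarty object before it renders anything. The function below is an added example and not nextBBS code; it reads only the properties and keys named above ($security, $php_handling, $security_settings, $trusted_dir) and flags whatever deviates from a per-deployment whitelist. The whitelist arrays, the IF_FUNCS choice and the exit-on-finding behaviour are my assumptions, not settings from the post.

```php
<?php
// Added example (not nextBBS code): audit a Smarty 2 instance's security
// settings before it is used in multi-board mode. Only properties and keys
// named in the post are inspected. The whitelists below are assumptions.
require "smarty/Smarty.class.php";

// Functions a template may legitimately call; anything else is reported.
$ALLOWED_MODIFIERS = array('substr');
$ALLOWED_IF_FUNCS  = array('isset', 'empty', 'count');

function audit_smarty_security(Smarty $tpl, array $allowed_modifiers, array $allowed_if_funcs)
{
    $findings = array();
    $s = $tpl->security_settings;

    if (!$tpl->security) {
        $findings[] = 'security is off: templates may call any PHP function';
    }
    if ($tpl->php_handling != SMARTY_PHP_REMOVE) {
        $findings[] = 'php_handling is not SMARTY_PHP_REMOVE: inline <?php ?> blocks survive';
    }
    if (!empty($s['PHP_HANDLING'])) {
        $findings[] = 'security_settings[PHP_HANDLING] overrides $php_handling';
    }
    if (!empty($s['PHP_TAGS'])) {
        $findings[] = 'security_settings[PHP_TAGS] permits {php} blocks';
    }
    if (!empty($s['INCLUDE_ANY'])) {
        $findings[] = 'security_settings[INCLUDE_ANY] bypasses $secure_dir';
    }
    if (!empty($tpl->trusted_dir)) {
        $findings[] = 'trusted_dir is non-empty: ' . implode(', ', (array) $tpl->trusted_dir);
    }
    // Both lists must stay inside the whitelist; the post notes that
    // MODIFIER_FUNCS entries are usable in {if} as well.
    $lists = array('MODIFIER_FUNCS' => $allowed_modifiers, 'IF_FUNCS' => $allowed_if_funcs);
    foreach ($lists as $key => $allowed) {
        $configured = isset($s[$key]) ? (array) $s[$key] : array();
        $extra = array_diff($configured, $allowed);
        if ($extra) {
            $findings[] = "$key allows functions outside the whitelist: " . implode(', ', $extra);
        }
    }
    return $findings;
}

// Configuration from the post, with every security key set explicitly.
$TEMPLATE = new Smarty;
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE;
$TEMPLATE->security = true;
$TEMPLATE->security_settings['PHP_HANDLING']   = false;
$TEMPLATE->security_settings['PHP_TAGS']       = false;
$TEMPLATE->security_settings['INCLUDE_ANY']    = false;
$TEMPLATE->security_settings['MODIFIER_FUNCS'] = $ALLOWED_MODIFIERS;
$TEMPLATE->security_settings['IF_FUNCS']       = $ALLOWED_IF_FUNCS;
$TEMPLATE->trusted_dir = array();

$problems = audit_smarty_security($TEMPLATE, $ALLOWED_MODIFIERS, $ALLOWED_IF_FUNCS);
if ($problems) {
    // Refuse to serve rather than render with a weakened template engine.
    foreach ($problems as $p) {
        error_log("smarty security: $p");
    }
    exit(1);
}
```

Run it once at bootstrap, right after the block that builds $TEMPLATE: a board installer that later flips one of these keys (or leaves IF_FUNCS at Smarty's default list) shows up as a logged finding instead of silently widening what templates can execute.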


Dec 10

Well, after spending quite some time cleaning up the code, making sure that no 'dangerous' Admin CP operation is available in multi-boards mode, and identifying which settings need to be made immutable, we are almost there.

I am currently working on the automatic setup script. Remaining to do:
mkdir
servers/SERVERID
servers/SERVERID/attachments
servers/SERVERID/avatars
servers/SERVERID/emoticons
servers/SERVERID/lang
servers/SERVERID/lang/en
servers/SERVERID/uploads
servers/SERVERID/templates
servers/SERVERID/templates/*
servers/SERVERID/templates/*_c

cp
servers/SERVERID/emoticons/*
servers/SERVERID/templates/*[!_c]/*
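As an added example of the remaining setup step (not nextBBS's actual setup script), here is a PHP function that builds the directory tree listed above for one board and copies the default emoticons and templates into it. I read the `templates/*[!_c]/*` line as "copy every template directory except the compiled `*_c` ones", and create an empty `*_c` directory beside each copied template so Smarty has a per-board compile directory. The base path, the skeleton directory, the SERVERID validation rule and the 0750 mode are assumptions of this example.

```php
<?php
// Added example (not nextBBS code): per-board directory setup for multi mode.
// Layout follows the post's mkdir/cp list; paths and mode are assumptions.

function board_dir_names()
{
    return array('attachments', 'avatars', 'emoticons', 'lang', 'lang/en',
                 'uploads', 'templates');
}

// SERVERID ends up in a filesystem path, so accept only a plain identifier;
// this keeps a crafted id from stepping outside servers/.
function valid_server_id($id)
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,32}$/', $id);
}

// Recursive copy of a directory tree; returns false on the first failure.
function copy_tree($src, $dst, $mode)
{
    if (!is_dir($dst) && !mkdir($dst, $mode, true)) {
        return false;
    }
    foreach (scandir($src) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $from = "$src/$entry";
        $to   = "$dst/$entry";
        if (is_dir($from)) {
            if (!copy_tree($from, $to, $mode)) {
                return false;
            }
        } elseif (!copy($from, $to)) {
            return false;
        }
    }
    return true;
}

// $base: install root holding servers/; $skeleton: directory with the default
// emoticons/ and templates/ to seed the board from.
function setup_board($base, $server_id, $skeleton, $mode = 0750)
{
    if (!valid_server_id($server_id)) {
        throw new InvalidArgumentException('invalid SERVERID');
    }
    $root = "$base/servers/$server_id";

    // mkdir: the fixed per-board tree
    foreach (board_dir_names() as $d) {
        if (!is_dir("$root/$d") && !mkdir("$root/$d", $mode, true)) {
            return false;
        }
    }

    // cp: default emoticons
    if (!copy_tree("$skeleton/emoticons", "$root/emoticons", $mode)) {
        return false;
    }

    // cp: each template set except compiled *_c directories, plus an empty
    // <name>_c so compiled templates stay inside this board's tree.
    foreach (glob("$skeleton/templates/*", GLOB_ONLYDIR) as $tpl) {
        $name = basename($tpl);
        if (substr($name, -2) === '_c') {
            continue;
        }
        if (!copy_tree($tpl, "$root/templates/$name", $mode)) {
            return false;
        }
        $compiled = "$root/templates/{$name}_c";
        if (!is_dir($compiled) && !mkdir($compiled, $mode, true)) {
            return false;
        }
    }
    return true;
}

// Usage (paths are placeholders for this example):
// setup_board('/var/www/nextbbs', 'board42', '/var/www/nextbbs/skeleton');
```

Keeping the compile directories under `servers/SERVERID/templates/*_c` rather than in a shared location matters for the multi-board case: with $trusted_dir empty and each board compiling into its own tree, one board's templates never read or overwrite another's compiled output.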

Note that the only ‘router’ module currently ready is the one based on subdomains. But that’s all Clic!Dev needs anyway.

Of course, as usual with everything nextBBS, this code will be available in the software’s next release. Your first chance to take a look under Clic!Dev’s hood.
