List: smarty-dev
Subject: Re: [SMARTY-DEV] $smarty.const
From: Monte Ohrt <monte () ispi ! net>
Date: 2004-09-10 13:32:39
Message-ID: 4141ACF7.4070609 () ispi ! net

I have no problems with that patch, you have my vote to implement it.

messju mohr wrote:
>On Thu, Sep 09, 2004 at 03:49:57PM -0700, boots wrote:
>
>
>>Hi all.
>>
>>It occurred to me that even with security on we might be leaking data
>>through $smarty.const (eg: SMARTY_DIR which reveals a system path). I
>>would like to propose that either $smarty.const is made unavailable
>>when security is on (my ideal) or that somehow only white-listed keys
>>can be retrieved through $smarty.const.
>>
>>If this is acceptable, I'd be happy to prepare a patch.
>>
>>It may also be desirable to disable the request vars when security is
>>on, but I won't venture that far for now :)
>>
>>
>
>just FYI: i suggested something like that quite some time ago:
>http://marc.theaimsgroup.com/?l=smarty-dev&m=107766831414634&w=2
>
>i didn't get any real feedback on that. go ahead, maybe you have more
>luck! :)
>
>
>
>>xo boots
>>
>>
>
>
>
--
Smarty Development Mailing List (http://smarty.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php