
List:       smarty-dev
Subject:    Re: [SMARTY-DEV] $smarty.const
From:       Monte Ohrt <monte () ispi ! net>
Date:       2004-09-10 13:32:39
Message-ID: 4141ACF7.4070609 () ispi ! net

I have no problems with that patch, you have my vote to implement it.

messju mohr wrote:

>On Thu, Sep 09, 2004 at 03:49:57PM -0700, boots wrote:
>
>>Hi all.
>>
>>It occurred to me that even with security on we might be leaking data
>>through $smarty.const (eg: SMARTY_DIR which reveals a system path). I
>>would like to propose that either $smarty.const is made unavailable
>>when security is on (my ideal) or that somehow only white-listed keys
>>can be retrieved through $smarty.const.
>>
>>If this is acceptable, I'd be happy to prepare a patch.
>>
>>It may also be desirable to disable the request vars when security is
>>on, but I won't venture that far for now :)
>
>just FYI: i suggested something like that quite some time ago:
>http://marc.theaimsgroup.com/?l=smarty-dev&m=107766831414634&w=2
>
>i didn't get any real feedback on that. go ahead, maybe you have more
>luck! :)
>
>>xo boots


-- 
Smarty Development Mailing List (http://smarty.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
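
The two options proposed in the thread (no $smarty.const at all when security is on, or only white-listed keys), sketched as an added example that is not part of the original messages and is not Smarty's code. The function name, its parameters and the sample constant values are assumptions made for illustration.

```php
<?php
// Added illustration, not Smarty code. All names here are hypothetical.

/**
 * Resolve a global constant requested by a template as {$smarty.const.NAME}.
 *
 * @param string   $name     constant name taken from the template source
 * @param bool     $security whether template security is switched on
 * @param string[] $allowed  constants templates may read while security is on
 * @return mixed the constant's value, or null when access is refused
 */
function resolve_template_constant(string $name, bool $security, array $allowed = [])
{
    // With security on, only exact, case-sensitive matches against the
    // allow-list pass. An empty allow-list therefore gives the first
    // proposal: $smarty.const is unavailable altogether.
    if ($security && !in_array($name, $allowed, true)) {
        return null;
    }

    // Undefined names yield null too, so a template cannot tell a refused
    // constant from a missing one.
    return defined($name) ? constant($name) : null;
}

// Constructed sample values standing in for an application's constants.
define('SMARTY_DIR', '/srv/app/libs/smarty/');
define('SITE_NAME', 'Example Shop');

// Security off: any defined constant is readable, including the path.
var_dump(resolve_template_constant('SMARTY_DIR', false));

// Security on, empty allow-list: every constant is refused.
var_dump(resolve_template_constant('SMARTY_DIR', true));

// Security on, allow-list holding SITE_NAME only: the listed key is
// readable, SMARTY_DIR stays hidden.
var_dump(resolve_template_constant('SITE_NAME', true, ['SITE_NAME']));
var_dump(resolve_template_constant('SMARTY_DIR', true, ['SITE_NAME']));
```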
