Double Layered Smarty


Donald Organ

Dec 29, 2011, 3:38:14 PM12/29/11
to smarty-d...@googlegroups.com
Right now our system is using smarty but only in a specific place, and only super admins have access to edit the smarty templates.

The way things currently work is during execution our system templates may have tokens such as [[contentblock|content-block-a|smarty_template_a]] which our template parser then goes and parses that token apart, gathers the information to pass to smarty and then generates the string output of the smarty template.

We want to add smarty processing to our system templates and of course disable {php} tags... Are there other security holes that this may introduce that I need to be aware of?



uwe.tews

Dec 30, 2011, 5:48:27 AM12/30/11
to Smarty Developers
The dangerous tags {php} and {php_include} have been removed in
Smarty3 from
the Smarty class and will only be available in SmartyBC.

There are no other known security holes for code injection.

Uwe

Rodney Rehm

Dec 30, 2011, 6:14:18 AM12/30/11
to smarty-d...@googlegroups.com
Well, there used to be a way to abuse {fetch} and {html_image} to send data to foreign hosts (grabbing auth credentials, for example). That hole has been closed in Smarty 3.1.7, though.

Have a closer look at http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security to find out what you can regulate. With Smarty_Security, you should even be in a position to allow your users to customize templates without risking them being able to access any vital data. So you could be working with a Smarty instance for the system (allowing pretty much anything) and a second "sandboxed" security-enabled Smarty instance for your users/admins/whoever.

Regards,
Rod
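The two-instance setup Rod describes, as an added example (not code from the thread or from the Smarty project): a trusted instance for system templates and a second instance locked down with a Smarty_Security subclass for admin-editable content blocks. It assumes Smarty 3.1 and the directory paths shown; the Smarty_Security properties are the ones documented for that version, and note that for the whitelist-style properties an empty array means "allow all", so they are set to null to deny everything.

```php
<?php
// Added example: trusted vs. sandboxed Smarty 3.1 instances.
require_once '/path/to/smarty/libs/Smarty.class.php'; // assumed install path

// Restrictive policy for templates that admins may edit.
class SandboxSecurity extends Smarty_Security
{
    // {php} is gone in Smarty 3; also strip literal <?php ... ?> blocks.
    public $php_handling = Smarty::PHP_REMOVE;
    // Template files may only be loaded from this directory (assumed path).
    public $secure_dir = array('/var/www/app/user_templates');
    // No directory is trusted for {include_php} / {insert}.
    public $trusted_dir = array();
    // null (not array()) disables these entirely; array() would allow all.
    public $php_functions = null;
    public $php_modifiers = null;
    public $static_classes = null;
    public $streams = null;
    public $allow_constants = false;
    public $allow_super_globals = false;
    // Remote fetching and PHP-level includes are not needed in content blocks.
    public $disabled_tags = array('fetch', 'html_image', 'include_php', 'insert');
    // Only the modifiers the content blocks actually need.
    public $allowed_modifiers = array('escape', 'upper', 'lower', 'truncate', 'date_format');
}

// Trusted system instance: unrestricted, as before.
$system = new Smarty();
$system->setTemplateDir('/var/www/app/system_templates'); // assumed path
$system->setCompileDir('/var/www/app/templates_c/system'); // assumed path

// Sandboxed instance for the admin-editable content blocks.
$sandbox = new Smarty();
$sandbox->setTemplateDir('/var/www/app/user_templates');    // assumed path
$sandbox->setCompileDir('/var/www/app/templates_c/sandbox'); // keep compiled output separate
$sandbox->escape_html = true; // auto-escape variable output from untrusted templates
$sandbox->enableSecurity('SandboxSecurity');

// Render one content block in the sandbox and hand the result to the
// trusted system template as plain data, mirroring the
// [[contentblock|content-block-a|smarty_template_a]] token from the first post.
$sandbox->assign('user', array('name' => 'Donald'));
$blockA = $sandbox->fetch('smarty_template_a.tpl');
$system->assign('content_block_a', $blockA);
echo $system->fetch('page.tpl');
```

Smarty raises a SmartyException at compile time for anything the policy forbids, so a restricted template fails closed rather than partially rendering.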

Donald Organ

Dec 30, 2011, 11:01:51 AM12/30/11
to smarty-d...@googlegroups.com
Sorry, I should have been a little more clear... I am using Smarty 2... We haven't had the time to test out 3 in our environment...




--
You received this message because you are subscribed to the Google Groups "Smarty Developers" group.
To post to this group, send email to smarty-d...@googlegroups.com.
To unsubscribe from this group, send email to smarty-develop...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/smarty-developers?hl=en.


Martin B

Jan 17, 2012, 4:09:15 PM1/17/12
to smarty-d...@googlegroups.com
Hey!

I currently use Smarty at work as Template Engine, and I tried to update
to the newest Smarty version from Smarty 3.0.8.

But the new Smarty Version 3.1.7 has some issues I wasn't able to fix.
1. We use error_reporting(E_ALL) in the development process as a coding
standard.

Earlier I reported some warnings due to that, which were fixed, but with
this release a new one appears:
Notice: Undefined index: unifunc in[cut]/smarty/sysplugin
/smarty_internal_template.php on line 434

Could you fix that?

Second issue is a bigger one:

If I have a template containing an include statement, the script crashes
at the point the {include} command appears.
I get different errors depending on whether the template has been called
before or not, but on any include I get this error.
This is what I get:
Fatal error: Uncaught exception 'SmartyException' with message 'property
'rendered_template' does not exist.' in
[cut]/smarty/sysplugins/smarty_internal_templatebase.php:798
Stack trace:
#[cut]/templates_c/723f0461108848e399ed6a6b2b83d390c640a224.file.[mytemplate].st.php(32):
Smarty_Internal_TemplateBase->__call('getRenderedTemp...', Array)
#1[cut]/templates_c/723f0461108848e399ed6a6b2b83d390c640a224.file.[mytemplate].st.php(32):
Smarty_Internal_Template->getRenderedTemplate()
#2 [cut]/smarty/sysplugins/smarty_internal_templatebase.php(161):
include('[cut]')
#3 [cut]/smarty/sysplugins/smarty_internal_templatebase.php(374):
Smarty_Internal_TemplateBase->fetch([mytemplate], NULL, NULL, NULL, true)
from here on I'm in my scope
#4 [cut]/classes/Site.class.php(284):
Smarty_Internal_TemplateBase->display([mytemplate])
#5 [cut]/myfile.php(56): Site->process()
#6 {main}
thrown in [cut]/smarty/sysplugins/smarty_internal_templatebase.php on
line 798

Anyone an idea what happens here or how to fix it?

Regards, Martin

Rodney Rehm

Jan 17, 2012, 4:24:28 PM1/17/12
to smarty-d...@googlegroups.com
Sounds a lot like you forgot to clear your templates_c and cache directories (and/or APC, should you be using apc.stat=0).

Martin B

Jan 17, 2012, 4:37:49 PM1/17/12
to smarty-d...@googlegroups.com
Hey!
Argh, this is possible, thank you!
I'll check that tomorrow.
As Einstein said: Two things are infinite, the universe and human
stupidity. I'm not completely sure about the first.
So please ignore the 2nd issue until I have tried that.

Regards, Martin

uwe.tews

Jan 20, 2012, 1:48:08 PM1/20/12
to Smarty Developers
Martin

Both problems are caused by internal changes which require that you
delete existing compiled and cached templates after the upgrade.

Uwe

Greg Milby

Jan 20, 2012, 4:58:48 PM1/20/12
to smarty-d...@googlegroups.com
If you have a problem, is it possible to start a new email? Leaving the subject line intact makes it appear the release has failed and causes panic/high blood pressure. There seems to be a forum and mailing list for everything; can't an issue be handled differently? jmho. Thanks,
