new beta version for a security fix


Skrol29

Aug 18, 2009, 8:43:41 AM
to tbs-...@googlegroups.com
Hello,
 
A new version of TBS 3.05.0 RC has been released.
 
There is a minor security fix: in previous versions, all fields could call an object's methods for merging.
For example: [onload.MyObject.MyMethod] could run $MyObject->MyMethod().

This is a security problem for organizations where the PHP coder is different from the Template designer. Thus, the Template designer could call, voluntarily or not, active PHP code without the coder's acceptance.

With the security fix, automatic fields (onload, onshow, var) are not allowed to call object's methods unless property $TBS->MethodsAllowed is set to true. A TBS error message is prompted if a bad usage is met. Other TBS fields (like fields linked to a block) can call object's methods because we assume that data has been provided by a coder in a kind of way.
 
This fix may bring a small incompatibility with previous versions on this point, but it can be solved by adding $TBS->MethodsAllowed = true.
You should check your applications.
(TomH, I'm wondering if your precious tests say if you have a problem or not)
 
The new version is available for download at:
 
Have a nice day,
------------------------
Skrol29
------------------------
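To illustrate the rule Skrol29 describes (an automatic field may read properties but may not call an object's method unless MethodsAllowed is set, while a block field still can), here is an added PHP sketch; it is not TBS's own code, and ReportHelper, resolve_field() and the $methodsAllowed flag are assumed names.

```php
<?php
// Added illustration of the rule described in the post above: not TBS's own code.
// Assumed names: ReportHelper, resolve_field(), $methodsAllowed.

class ReportHelper {
    public $title = 'Quarterly report';
    public function purge() { return 'purge() was called'; }
}

// Resolve a dotted field path such as "helper.title" against $context.
// $automatic is true for onload/onshow/var fields (designer-controlled),
// false for block fields whose data the coder supplied explicitly.
function resolve_field(array $context, string $path, bool $automatic, bool $methodsAllowed) {
    $parts = explode('.', $path);
    $name  = array_shift($parts);
    if (!array_key_exists($name, $context)) {
        throw new RuntimeException("unknown item '$name'");
    }
    $value = $context[$name];
    foreach ($parts as $sub) {
        if (is_object($value) && method_exists($value, $sub)) {
            // A method call from an automatic field needs the coder's opt-in.
            if ($automatic && !$methodsAllowed) {
                throw new RuntimeException("field '$path' may not call $sub(); set MethodsAllowed");
            }
            $value = $value->$sub();
        } elseif (is_object($value) && property_exists($value, $sub)) {
            $value = $value->$sub;   // plain property read, always allowed
        } elseif (is_array($value) && array_key_exists($sub, $value)) {
            $value = $value[$sub];
        } else {
            throw new RuntimeException("unknown sub-item '$sub' in '$path'");
        }
    }
    return $value;
}

$context = ['helper' => new ReportHelper()];   // constructed sample data

echo resolve_field($context, 'helper.title', true, false), "\n";  // property: fine
try {
    resolve_field($context, 'helper.purge', true, false);          // automatic field, default
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
// A block field may still call it, and the coder can opt in for automatic fields.
echo resolve_field($context, 'helper.purge', false, false), "\n";
echo resolve_field($context, 'helper.purge', true, true), "\n";
```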
 

tom151

Aug 18, 2009, 10:30:31 AM
to TinyButStrong Next Version
Hello Skrol,

Good thinking on that object reference security risk.

Have just completed testing against all of my stuff - no problems
seemed to develop anywhere.

Cheers, and thanks for TBS every day,
TomH
> <http://www.tinybutstrong.com/download/download.php?file=tbs_beta.zip&...>
> &sid=2