
#19 wrap templates into functions

Status: closed-fixed
Owner: nobody
Labels: Core (30)
Priority: 3
Updated: 2013-12-01
Created: 2007-11-26
Creator: Christian Boltz
Private: No

Template files should be renamed to *.php so that they are not downloadable from any postfixadmin installation.

Initially suggested by Jan Örnstedt (ornstedt) in
http://sourceforge.net/tracker/index.php?func=detail&aid=1838327&group_id=191583&atid=937964

Note: When we do this, we also have to add a check for a constant (not: variable) and exit if it is not set.
Something like "define postfixadmin=1" in common.php.
Reason: Otherwise attackers could execute the templates and maybe do unexpected things with them.

Note 2: Ideally, all template code should be wrapped into functions. This allows better control of global variable usage.

Discussion

  • Jan Örnstedt
    2007-11-27

    Borrowed from another project...

    /**
     * security check to prevent hackers from directly accessing this file
     */
    if (strstr($_SERVER["SCRIPT_NAME"], "sendmail.php")) {
        print "Why do you want to do that?";
        exit;
    }

    And a .htaccess file
    order allow,deny
    deny from all

    Cheers
    Jan

  • Christian Boltz (originator)

    GingerDog renamed the template files in the meanwhile.

    A security check against direct access to the templates is needed, because with *.php template files an attacker is able to find out the path of your postfixadmin installation ("Undefined variable: PALANG in /path/to/postfixadmin/templates/users_vacation.php on line 25") which makes things worse than before :-(

    I just prepended all template files with (as one line)
    <?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." ); ?>
    and added
    define('POSTFIXADMIN', 1);
    to common.php.
    Committed to SVN r256

    Advantage over checking $_SERVER or another variable: Constants can't be injected via register_globals.

    The remaining part in this feature request is "wrap all templates into functions" - updating the summary...

    • summary: rename templates to *.php and other template enhancements --> wrap templates into functions
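A worked version of the two guards this comment compares (a variable check versus the constant check committed in r256), as an added example that is not postfixadmin's own code; the file layout and the use of extract() to stand in for register_globals are assumptions.

```php
<?php
// Added example (not postfixadmin's code). Assumed layout:
//   common.php                      defines the constant, then includes the template
//   templates/users_vacation.php    carries the guard as its very first line

// --- weak guard: relies on a global *variable* ------------------------------
// With register_globals=On (PHP < 5.4) a request for
// templates/users_vacation.php?postfixadmin=1 created $postfixadmin = "1"
// before any line of the template ran, so request data alone satisfies the
// check. extract($_GET) is used here only to simulate that old behaviour.
function weak_guard_passes(array $query): bool
{
    extract($query, EXTR_SKIP);     // simulated register_globals
    return isset($postfixadmin);    // satisfied by the attacker-supplied parameter
}

// --- strong guard: relies on a *constant* ------------------------------------
// Constants are created only by define(), never from request data, so the
// template is usable only after common.php has run define('POSTFIXADMIN', 1).
function strong_guard_passes(): bool
{
    return defined('POSTFIXADMIN');
}

// First line of each template, as committed in r256 (closing tag omitted
// here because it would end this comment):
//   <?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." );
// Because die() runs before any other statement, a direct request cannot
// reach the code that would emit a notice such as
// "Undefined variable: PALANG in /path/to/postfixadmin/templates/..."
// and so cannot leak the installation path.

// Simulated direct request to the template carrying ?postfixadmin=1:
$attacker_query = ['postfixadmin' => '1'];   // constructed sample request
var_dump(weak_guard_passes($attacker_query)); // variable check: request data alone passes it
var_dump(strong_guard_passes());              // constant check: nothing defined it, request is refused

// Simulated legitimate path: common.php defines the constant before including
// the template, and only then does the constant check let the template render.
define('POSTFIXADMIN', 1);
var_dump(strong_guard_passes());
```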
  • The remaining part (wrap templates into functions for better control on global variables) was solved by switching to smarty templates in the meantime. Therefore I consider this request as implemented.

    • status: open --> closed-fixed