#19 wrap templates into functions

Core (30)

Template files should be renamed to *.php to prevent them from being downloadable from any postfixadmin installation.

Initially suggested by Jan Örnstedt (ornstedt) in

Note: When we do this, we also have to add a check for a constant (not: variable) and exit if it is not set.
Something like "define postfixadmin=1" in common.php.
Reason: Otherwise attackers could execute the templates and maybe do unexpected things with them.

Note 2: Ideally, all template code should be wrapped into functions. This allows better control of global variable usage.


  • Jan Örnstedt

    Jan Örnstedt - 2007-11-27

    Logged In: YES
    Originator: NO

    Borrowed from another project...

    <?php
    // security check to prevent hackers from directly accessing this file
    if (strstr($_SERVER["SCRIPT_NAME"], "sendmail.php")) {
        print "Why do you want to do that?";
        exit;
    }

    And a .htaccess file
    order allow,deny
    deny from all


  • Christian Boltz

    Christian Boltz - 2007-12-02

    Logged In: YES
    Originator: YES

    GingerDog renamed the template files in the meanwhile.

    A security check against direct access to the templates is needed, because with *.php template files an attacker is able to find out the path of your postfixadmin installation ("Undefined variable: PALANG in /path/to/postfixadmin/templates/users_vacation.php on line 25") which makes things worse than before :-(

    I just prepended all template files with (as one line)
    <?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." ); ?>
    and added
    define('POSTFIXADMIN', 1);
    to common.php.
    Committed to SVN r256

    Advantage over checking $_SERVER or another variable: Constants can't be injected via register_globals.

    The remaining part in this feature request is "wrap all templates into functions" - updating the summary...
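
    The constant guard from this comment together with the function wrapping from Note 2, as an added example in PHP that is not postfixadmin's own code; the temporary template file, `render_template()` and the `$vars` array are assumptions made for the example.

```php
<?php
// Added example, not postfixadmin's own code. It shows the two measures
// discussed in this ticket: a constant as include guard for *.php templates,
// and rendering templates inside a function so template code cannot read or
// clobber arbitrary globals. File names and variable names are made up.

// common.php defines the constant; every template checks it first.
define('POSTFIXADMIN', 1);

// Constructed template on disk (in real code: templates/<name>.php).
$tpl_dir = sys_get_temp_dir() . '/pfa_example_' . getmypid();
mkdir($tpl_dir);
file_put_contents($tpl_dir . '/greeting.php', <<<'TPL'
<?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." ); ?>
<p>Hello, <?php echo htmlspecialchars($vars['name'], ENT_QUOTES, 'UTF-8'); ?></p>
TPL
);

// Render a template in a function scope: only $file and $vars are visible,
// so the template cannot depend on (or overwrite) globals by accident.
function render_template(string $file, array $vars): string
{
    ob_start();
    include $file;          // executes with this function's local scope
    return ob_get_clean();
}

// Normal path: included from application code after common.php ran.
echo render_template($tpl_dir . '/greeting.php', ['name' => '<Jan>']);

// Why a constant rather than a variable: with the historical register_globals
// setting, request parameters became PHP variables, so a guard such as
//   if (!isset($postfixadmin)) die(...);
// depended on user-controlled input. define() has no such input path, and a
// template executed on its own therefore always stops at the guard:
$standalone = shell_exec(PHP_BINARY . ' ' . escapeshellarg($tpl_dir . '/greeting.php'));
echo "\nDirect execution printed: " . trim((string) $standalone) . "\n";

unlink($tpl_dir . '/greeting.php');
rmdir($tpl_dir);
```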

  • Christian Boltz

    Christian Boltz - 2007-12-02
    • summary: rename templates to *.php and other template enhancements --> wrap templates into functions
  • Christian Boltz

    Christian Boltz - 2010-02-18

    The remaining part (wrap templates into functions for better control on global variables) was solved by switching to smarty templates in the meantime. Therefore I consider this request as implemented.

  • Christian Boltz

    Christian Boltz - 2010-02-18
    • status: open --> closed-fixed
