Template files should be renamed to *.php so that they cannot be downloaded as plain source from any postfixadmin installation.
Initially suggested by Jan Örnstedt (ornstedt) in
Note: When we do this, we also have to add a check for a constant (not a variable) at the top of each template and exit if it is not set.
Something like "define('postfixadmin', 1);" in common.php.
Reason: Otherwise attackers could request and execute the templates directly and maybe do unexpected things with them.
Note 2: Ideally, all template code should be wrapped in functions. This allows better control of global variable usage.
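The constant guard and the function wrapping from the two notes above, written out as an added example (not postfixadmin's own code; the constant name POSTFIXADMIN, the template file name and the function name are assumptions):

```php
<?php
// --- common.php (hypothetical excerpt) ---
// Every real entry point (index.php, login.php, ...) includes common.php before
// it loads any template, so the constant exists only when execution started
// through the application. A constant is used instead of a variable on purpose:
// a variable could be injected from the request (register_globals, a careless
// extract($_REQUEST)), whereas a constant can only be set by PHP code that ran.
if (!defined('POSTFIXADMIN')) {
    define('POSTFIXADMIN', 1);
}

// --- templates/login.tpl.php (hypothetical; formerly login.tpl) ---
// Renamed to .php so the web server executes the file instead of serving its
// source. That alone is not enough: the file is now runnable by direct request,
// so its very first statement refuses to continue unless common.php ran first.
if (!defined('POSTFIXADMIN')) {
    http_response_code(403);
    exit('Direct access to this template is not permitted.');
}

// Note 2 from the ticket: the template body lives in a function, so it only
// sees the data it is explicitly given rather than whatever is global.
function render_login_form($action_url, $error_message = '')
{
    // Escape everything that originates outside the template before output.
    $action = htmlspecialchars($action_url, ENT_QUOTES, 'UTF-8');
    $error  = htmlspecialchars($error_message, ENT_QUOTES, 'UTF-8');

    echo '<form method="post" action="' . $action . '">';
    if ($error !== '') {
        echo '<p class="error">' . $error . '</p>';
    }
    echo '<input type="text" name="username">';
    echo '<input type="password" name="password">';
    echo '<input type="submit" value="Login">';
    echo '</form>';
}
```

An entry point then does `require 'common.php'; require 'templates/login.tpl.php'; render_login_form('login.php');`, while a direct request for templates/login.tpl.php gets a 403 and no output.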