[ postfixadmin-Feature Requests-1839070 ] wrap templates into functions
From: SourceForge.net <no...@so...> - 2007-12-02 19:23:32
Feature Requests item #1839070, was opened at 2007-11-27 00:52
Message generated for change (Comment added) made by christian_boltz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=1839070&group_id=191583

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: SVN (please specify revision!)
Status: Open
Resolution: None
Priority: 3
Private: No
Submitted By: Christian Boltz (christian_boltz)
Assigned to: Nobody/Anonymous (nobody)
>Summary: wrap templates into functions

Initial Comment:
Template files should be renamed to *.php so that they are not downloadable from any postfixadmin installation.

Initially suggested by Jan Örnstedt (ornstedt) in
http://sourceforge.net/tracker/index.php?func=detail&aid=1838327&group_id=191583&atid=937964

Note: When we do this, we also have to add a check for a constant (not: variable) and exit if it is not set. Something like "define postfixadmin=1" in common.php.
Reason: Otherwise attackers could execute the templates and maybe do unexpected things with them.

Note 2: Ideally, all template code should be wrapped into functions. This allows better control of global variable usage.

----------------------------------------------------------------------

>Comment By: Christian Boltz (christian_boltz)
Date: 2007-12-02 20:23

Message:
Logged In: YES
user_id=593261
Originator: YES

GingerDog renamed the template files in the meanwhile.

A security check against direct access to the templates is needed, because with *.php template files an attacker is able to find out the path of your postfixadmin installation ("Undefined variable: PALANG in /path/to/postfixadmin/templates/users_vacation.php on line 25"), which makes things worse than before :-(

I just prepended all template files with (as one line)

    <?php if( !defined('POSTFIXADMIN') ) die( "This file cannot be used standalone." ); ?>

and added

    define('POSTFIXADMIN', 1);

to common.php. Committed to SVN r256.

Advantage over checking $_SERVER or another variable: Constants can't be injected via register_globals.

The remaining part in this feature request is "wrap all templates into functions" - updating the summary...

----------------------------------------------------------------------

Comment By: Jan Örnstedt (ornstedt)
Date: 2007-11-27 14:32

Message:
Logged In: YES
user_id=498787
Originator: NO

Borrowed from another project...

    /**
     * security check to prevent hackers from directly accessing this file
     */
    if (strstr($_SERVER["SCRIPT_NAME"], "sendmail.php")) {
        print "Why do you want to do that?";
        exit;
    }

And a .htaccess file

    order allow,deny
    deny from all

Cheers
Jan

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=1839070&group_id=191583
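The two measures discussed in the thread, the constant guard that went into SVN r256 and the still-open "wrap templates into functions" step, as an added, self-contained example. This is not postfixadmin's own code: the file contents, the render_users_vacation() function and the $PALANG key pUsersVacation_welcome are assumptions made for illustration. The script writes a hypothetical common.php and templates/users_vacation.php into a temporary directory, then exercises three cases: a direct request to the template (simulated by running it as its own script), a register_globals-style attempt to set a variable with the marker's name, and the legitimate include path.

```php
<?php
// Added example, not postfixadmin's own code: the constant guard from the
// thread plus the still-open "wrap templates into functions" step. File names,
// the render_users_vacation() function and the $PALANG key are assumptions.
declare(strict_types=1);

// Hypothetical common.php: every real entry point includes this first.
$commonPhp = <<<'PHP'
<?php
// A constant is the marker of choice: register_globals (PHP <= 5.3) could turn
// ?POSTFIXADMIN=1 into a global *variable*, but nothing in a request can
// define() a constant, so defined('POSTFIXADMIN') is only true after this include.
define('POSTFIXADMIN', 1);
PHP;

// Hypothetical templates/users_vacation.php: guard first, then a function.
$templatePhp = <<<'PHP'
<?php
// Guard from the thread. On a direct request the constant is undefined and we
// stop here, before any line could emit "Undefined variable ... in /full/path".
if (!defined('POSTFIXADMIN')) die('This file cannot be used standalone.');

// The template body is a function: its inputs are parameters, so the template
// neither reads nor clobbers globals, and a missing key is a visible error.
function render_users_vacation(array $PALANG, string $username): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return "<h3>" . $h($PALANG['pUsersVacation_welcome']) . "</h3>\n"
         . "<p>" . $h($username) . "</p>\n";
}
PHP;

// Write both files into a throwaway directory so the script runs on its own.
$dir = sys_get_temp_dir() . '/pfa_guard_' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/common.php', $commonPhp);
file_put_contents($dir . '/templates/users_vacation.php', $templatePhp);

// 1. Direct access: run the template as its own script, the way a web server
//    would for GET /templates/users_vacation.php. Only the die() text appears,
//    no notice and therefore no installation path.
$direct = shell_exec(PHP_BINARY . ' ' . escapeshellarg($dir . '/templates/users_vacation.php'));
echo "direct request  : ", trim((string) $direct), "\n";

// 2. register_globals-style injection: even with a global variable of the same
//    name present, defined() stays false, so the guard would still fire.
$POSTFIXADMIN = 1;
echo "variable set    : ", isset($GLOBALS['POSTFIXADMIN']) ? 'yes' : 'no', "\n";
echo "constant defined: ", defined('POSTFIXADMIN') ? 'yes' : 'no', "\n";

// 3. Legitimate use: common.php first, then the template, then call the function.
require $dir . '/common.php';
require $dir . '/templates/users_vacation.php';
$PALANG = ['pUsersVacation_welcome' => 'Auto Response <vacation>'];  // constructed sample
echo render_users_vacation($PALANG, 'alice@example.com');

// Cleanup of the temporary files.
unlink($dir . '/templates/users_vacation.php');
unlink($dir . '/common.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Run it with `php guard_example.php`. The guard in the template is the in-process line of defence; the `.htaccess` rule quoted in the thread is complementary, since it stops the request at the web server before PHP runs at all, but it only helps where the server honours per-directory overrides for the templates directory. register_globals was removed in PHP 5.4, but the point that a request can set variables yet never define() a constant is what makes the constant check the safer marker regardless.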