Smarty incompatible in S9Y 1.7?

garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Smarty is compatible with S9Y 1.7!!!

Post by garvinhicking »

I would really not like to remove Security. I would only do this if a majority of developers votes for this and can give a statement for why they think this is necessary.

It really is good to have template security so that nothing bad can be placed inside a *.tpl file. Also, when you download foreign templates, you only need to check the config.inc.php for bad things.

SmartySecurity does have a use; you always downplay this as if it weren't true. :-)

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
blog.brockha.us
Regular
Posts: 695
Joined: Tue Jul 03, 2007 3:34 am
Location: Berlin, Germany

Re: Smarty incompatible in S9Y 1.7?

Post by blog.brockha.us »

@Garvin, while looking at your 3-solution list: What was wrong with my proposal for how to solve this easily?

Having a global s9y setting for the few "developers" using linked plugin dirs, defaulting to "plugins", and adding this dir to the trusted dirs of Smarty instead of the hard-coded "plugins"?

I think: Everybody having such a type of setup is an expert and is able to set this new configuration line up. We could ask for this input while upgrading i.e.

At the moment Smarty Security is crashing in these "alien installations" (speak: "s9y was not really meant for having the plugin dir external") only, so why not handle it like that?

Do you think it's a common case, that users have a setup like you and mattsches? I definitely don't..
- Grischa Brockhaus - http://blog.brockha.us
- Want to make me happy? http://wishes.brockha.us/
garvinhicking

Re: Smarty incompatible in S9Y 1.7?

Post by garvinhicking »

blog.brockha.us wrote:
> @Garvin, while looking at your 3 solution list: What was wrong with my proposal how to solve this easily?

I don't like adding new global options, and it would require developers to enable that new option, while I prefer to keep everything working properly "as is". Also on shared installations like on supersized with multiple blogs this would mean that a maintainer has to create a new script to set this option on every blog...

I've now committed the IMHO best workable approach to git, so that fetch() calls are now always able to fetch all resources, so that Smarty security acts only to restrict calls to PHP functions and modifiers.

Regards,
Garvin