Re: Smarty is compatible with S9Y 1.7!!!

Posted: Wed Dec 21, 2011 6:27 pm
by garvinhicking
I would really not like to remove Security. I would only do this if a majority of developers votes for this and can give a statement for why they think this is necessary.

It really is good to have template security so that nothing bad can be placed inside a *.tpl file, also when you download foreign templates you only need to check the config.inc.php for bad things.

SmartySecurity does have a use, you always downplay this as if it weren't true. :-)

Regards,
Garvin

Re: Smarty incompatible in S9Y 1.7?

Posted: Thu Dec 22, 2011 1:35 pm
by blog.brockha.us
@Garvin, while looking at your 3 solution list: What was wrong with my proposal how to solve this easily?

Having a global s9y setting for the few "developers" using linked plugin dirs defaulting to "plugins" and add this dir to the trusted dirs of smarty instead of "plugins" hard coded?

I think: Everybody having such type of setup is an expert and is able to set this new configuration line up. We could ask for this input while upgrading i.e.

At the moment Smarty Security is crashing in these "alien installations" (speak: "s9y was not really meant for having the plugin dir external") only, why not handle it like that?

Do you think it's a common case, that users have a setup like you and mattsches? I definitely don't..

Re: Smarty incompatible in S9Y 1.7?

Posted: Thu Dec 22, 2011 10:40 pm
by garvinhicking
blog.brockha.us wrote: @Garvin, while looking at your 3 solution list: What was wrong with my proposal how to solve this easily?
I don't like adding new global options, and it would require developers to enable that new option, while I prefer to keep everything working properly "as is". Also on shared installations like on supersized with multiple blogs this would mean that a maintainer has to create a new script to set this option on every blog...

I've now committed the IMHO best workable approach to git, so that fetch() calls are now always able to fetch all resources, so that Smarty security acts only to restrict calls to PHP functions and modifiers.

Regards,
Garvin
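
Added example, not part of the thread and not Serendipity's own code: a Smarty 3 security policy of the kind the last post describes, which restricts PHP functions and modifiers in templates but no longer checks resource directories. The class name, the allow-lists, the sample templates and the choice to override isTrustedResourceDir() are assumptions; it also assumes Smarty 3.1 is on the include path. With directory checks off, a template can pull in any file the web server user can read, so a downloaded theme's *.tpl files deserve a look for unexpected include and fetch paths.

```php
<?php
// Added illustration. Assumes Smarty 3.1 (Smarty.class.php on the include path).
require_once 'Smarty.class.php';

// Hypothetical policy: keep the function/modifier allow-lists, drop the directory check.
class Example_Template_Policy extends Smarty_Security
{
    // PHP functions a template may call in expressions, e.g. {if isset($x)}.
    public $php_functions = array('isset', 'empty', 'count', 'in_array', 'is_array');

    // PHP functions a template may apply as modifiers, e.g. {$x|nl2br}.
    public $php_modifiers = array('count', 'nl2br', 'sprintf');

    // Strip PHP tags found in template source instead of executing them.
    public $php_handling = Smarty::PHP_REMOVE;

    // Assumed way of switching off directory checks: accept every path, so
    // symlinked or external plugin directories no longer trip the policy.
    // The optional second parameter keeps the signature compatible with
    // later Smarty 3 releases.
    public function isTrustedResourceDir($filepath, $isConfig = null)
    {
        return true;
    }
}

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir());
$smarty->enableSecurity('Example_Template_Policy');
$smarty->assign('title', "first line\nsecond line");

// Constructed sample templates standing in for lines from a third-party *.tpl file.
$samples = array(
    'allow-listed function and modifier' => 'string:{if isset($title)}{$title|nl2br}{/if}',
    'function not on the allow-list'     => 'string:{phpversion()}',
    'modifier not on the allow-list'     => 'string:{$title|strrev}',
);

foreach ($samples as $label => $template) {
    try {
        echo $label, ': ', $smarty->fetch($template), "\n";
    } catch (Exception $e) {
        // Smarty raises a compile-time exception when the policy rejects a call.
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```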