problem with backend_templates for static pages


Post by stm999999999 »

hello

I tried to configure my own static page backend as Garvin describes it (http://garv.in/serendipity/archives/128 ... eiten.html).

I made a folder backend_templates in the template folder I use, and a file my_staticpage_backend.tpl.

Opening this in the static page backend I got:

Code:

Warning: Smarty error: unable to read resource: "file:/srv/s9y/plugins/serendipity_event_staticpage/backend_templates/mystaticpagebackend.tpl" in /srv/s9y/bundled-libs/Smarty/libs/Smarty.class.php on line 1092
1. Where are the "_"?
2. Why is the plugin looking for the file in the plugin folder? The file is in the template folder, and for the drop-down list "Backend template" s9y finds it in the template folder. Why not when using it?
Ciao, Stephan

Re: problem with backend_templates for static pages

Post by Don Chambers »

Garvin's description is also available on the s9y blog here

I tried it too. Your problem is verified. It does not work if the filename contains underscore ("_") characters, with the exception of a file named default_staticpage_backend.tpl.
=Don=

Re: problem with backend_templates for static pages

Post by garvinhicking »

Hi!

To prevent security exploits, all characters except a-z0-9 are stripped from the filename, so do not use underscores or other non-alphanumeric characters. :)

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

Re: problem with backend_templates for static pages

Post by stm999999999 »

:?: :?: :?:

What kind of security issues are there about a filename?

And, security protection against the blog admin / someone who has FTP access to the blog code?

And last, but not least: many blog-admin-generated tpl files can have and will have a "-" or "_" in the filename!? E.g. plugin_staticpage_overview.tpl, comments_by_author.tpl
Ciao, Stephan

Re: problem with backend_templates for static pages

Post by garvinhicking »

Hi!
stm999999999 wrote: What kind of security issues are there about a filename?
Usually only .. and / and \ and %0 and %D.

Before I go on and list everything that could be dangerous, I simply use A-Z0-9.
stm999999999 wrote: And, security protection against the blog admin / someone who has FTP access to the blog code?
The file inclusion needs to prevent someone passing a non-existent filename to the s9y backend, which would then include remote files. So you wouldn't need to have FTP access to exploit that.

Regards,
Garvin

Re: problem with backend_templates for static pages

Post by stm999999999 »

garvinhicking wrote: Usually only .. and / and \ and %0 and %D. Before I go on and list everything that could be dangerous, I simply use A-Z0-9.

But IMHO this is a real problem for the users:

There are many reasons to name such a tpl file with more than one word. And the normal way to use a space character in web-based systems is to use the "-" or "_". So, could it be possible, without listing everything that could be dangerous, to allow A-Z0-9 and "_"+"-"? Especially because many tpl files use these characters and the user will be geared to this.

garvinhicking wrote: The file inclusion needs to prevent someone passing a non-existent filename to the s9y backend, which would then include remote files. So you wouldn't need to have FTP access to exploit that.
I must confess that I am not understanding this at the moment:

I have a tpl-file with "_" in my template folder.
On static page - Backend template I get this file named in the drop-down box. This one and no other, non-existent one. I select it, and now there can be a security issue you want to prevent?

Perhaps I am not thinking hacker-like enough?


And what about static pages - Page types - Template name? There I can, and have to(!), enter things like plugin_staticpage_aboutpage.tpl!?
Ciao, Stephan

Re: problem with backend_templates for static pages

Post by garvinhicking »

Hi!
stm999999999 wrote: There are many reasons to name such a tpl file with more than one word. And the normal way to use a space character in web-based systems is to use the "-" or "_". So, could it be possible, without listing everything that could be dangerous, to allow A-Z0-9 and "_"+"-"? Especially because many tpl files use these characters and the user will be geared to this.
I'm not sure if the code uses "_" for any other separation. I would first need to check that, and then I agree that "_" and "-" could be included in the regexp.
stm999999999 wrote: I have a tpl file with "_" in my template folder. On static page - Backend template I get this file named in the drop-down box. This one and no other, non-existent one. I select it, and now there can be a security issue you want to prevent?
The dropdown has a form name, so you could also call a URL like index.php?backend_template=../../../etc/passwd to include that file, even though such a template file would not necessarily need to exist.
stm999999999 wrote: Perhaps I am not thinking hacker-like enough?
That honours you! :-)
stm999999999 wrote: And what about static pages - Page types - Template name? There I can, and have to(!), enter things like plugin_staticpage_aboutpage.tpl!?

I think that code simply uses a different regular expression where "_" and "-" were explicitly named.

I'll try to find time to check those regexps.

Regards,
Garvin
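Garvin's point about the form parameter, as an added example (not the plugin's own code; the directory layout, function name and constant name are assumptions): validate the submitted backend template name against the widened allow-list and resolve it only within the template directory, rejecting unexpected input rather than silently stripping characters, which is what turned my_staticpage_backend into mystaticpagebackend in the original report.

```php
<?php
// Added illustration, not code from serendipity_event_staticpage.
// Assumed layout: <templateDir>/backend_templates/<name>.tpl

// The widened allow-list from the thread: letters, digits, "_" and "-".
const TEMPLATE_NAME_RE = '/^[A-Za-z0-9_-]+$/';

/**
 * Return the absolute path of a backend template, or null if the request
 * is not acceptable. Nothing outside the allow-list ever reaches the
 * filesystem, so "..", "/", "\", "%00"-style payloads and stream wrappers
 * ("file:", "http:") are refused instead of being partially cleaned up.
 */
function resolveBackendTemplate(string $templateDir, string $requested): ?string
{
    // 1. Reject instead of strip: a stripped name would quietly point at a
    //    different file (or at none), which is exactly the reported bug.
    if (!preg_match(TEMPLATE_NAME_RE, $requested)) {
        return null;
    }

    $base = realpath($templateDir . '/backend_templates');
    if ($base === false) {
        return null;                    // template directory does not exist
    }

    // 2. Only files that really exist under the directory are accepted,
    //    mirroring the drop-down that lists the files found in that folder.
    $path = realpath($base . '/' . $requested . '.tpl');

    // 3. Defence in depth: even if the regexp were later widened, the
    //    resolved path must still start with the template directory.
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template dir with a single backend template.
$dir = sys_get_temp_dir() . '/s9y_demo_' . getmypid();
mkdir($dir . '/backend_templates', 0700, true);
file_put_contents($dir . '/backend_templates/my_staticpage_backend.tpl', "{* demo *}\n");

// The three cases from the thread: the legitimate name with "_", the
// traversal value from the form parameter, and the stripped name that
// matches no file on disk.
foreach (['my_staticpage_backend', '../../../etc/passwd', 'mystaticpagebackend'] as $name) {
    $resolved = resolveBackendTemplate($dir, $name);
    echo str_pad($name, 24) . ' => ' . ($resolved === null ? 'rejected' : 'accepted: ' . $resolved) . "\n";
}
```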

Re: problem with backend_templates for static pages

Post by stm999999999 »

Commit by garvinhicking :: additional_plugins/serendipity_event_staticpage/ (2 files):
Also allow _ and - in custom backend template names
Thanks! :D
Ciao, Stephan

Re: problem with backend_templates for static pages

Post by stm999999999 »

One additional question: is there a way to make one of these admin templates the standard one for my blog? At the moment, every time it switches back to "simple template".
Ciao, Stephan

Re: problem with backend_templates for static pages

Post by garvinhicking »

stm999999999 wrote: One additional question: is there a way to make one of these admin templates the standard one for my blog? At the moment, every time it switches back to "simple template".
No, currently there's no functionality for this. Maybe I can find time to implement remembering the last template in a cookie.

Regards,
Garvin

Re: problem with backend_templates for static pages

Post by garvinhicking »

Hi!

Implemented in 3.77, have a try if that works well for you.

Regards,
Garvin