'Twas brillig, and Wil Sinclair at 18/02/09 03:51 did gyre and gimble:
The Zend Framework team has been notified of a potential Local File
Inclusion (LFI) attack vector in Zend_View's render() method. To address
the issue, as of the 1.7.5 release the render() method no longer accepts
paths that include parent directory traversal (e.g., "../" and "..\") in
the path argument. This introduces a regression in behavior which can be
addressed by turning off the lfiProtectionOn flag. For more information,
see:
http://framework.zend.com/manual/en/zend.view.migration.html
Interesting.
Out of curiosity, does this only apply to the values passed in to
render() or also to the script paths themselves? My base paths tend to
have ../ in them (dirname(__FILE__).'/../views' or something similar).
Obviously you'd hope the app knows best in this regard so I hope this is
permissible.
I'll have a play later this week and find out :)
Col
--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/
Day Job:
Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
Mandriva Linux Contributor [http://www.mandriva.com/]
PulseAudio Hacker [http://www.pulseaudio.org/]
Trac Hacker [http://trac.edgewall.org/]
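The following is an added illustration, not Zend Framework code and not from either poster: a minimal view renderer that applies the rule the announcement describes (reject a render() argument containing "../" or "..\") while leaving the application's own base script paths alone. The class name, the `addScriptPath()` method and the `lfiProtectionOn` constructor switch are hypothetical; only the rejection of parent-directory traversal in the render() argument is taken from the announcement. It also shows the practical caveat that a plain string check rejects a benign name such as `sub/../hello.phtml`, which is why a switch to disable it exists.

```php
<?php
// Added example (hypothetical class, not Zend_View): a renderer that rejects
// parent-directory traversal in the name passed to render(), but not in the
// base paths configured by the application.

final class TraversalGuardedView
{
    /** @var string[] Resolved base directories that may contain view scripts. */
    private array $scriptPaths = [];

    /** Assumed name, modelled on the flag mentioned in the announcement. */
    private bool $lfiProtectionOn;

    public function __construct(bool $lfiProtectionOn = true)
    {
        $this->lfiProtectionOn = $lfiProtectionOn;
    }

    /** Base paths are set by the application, so "../" in them is resolved, not rejected. */
    public function addScriptPath(string $path): void
    {
        $resolved = realpath($path);
        if ($resolved === false) {
            throw new InvalidArgumentException("Script path does not exist: $path");
        }
        $this->scriptPaths[] = $resolved;
    }

    /** True when the name contains "../" or "..\" anywhere (a purely textual check). */
    public function isTraversal(string $name): bool
    {
        return preg_match('#\.\.[/\\\\]#', $name) === 1;
    }

    /** Render $name from the first base path that contains it, as a string. */
    public function render(string $name): string
    {
        if ($this->lfiProtectionOn && $this->isTraversal($name)) {
            throw new RuntimeException("Refusing view script name with parent directory traversal: $name");
        }
        foreach ($this->scriptPaths as $dir) {
            $candidate = $dir . DIRECTORY_SEPARATOR . $name;
            if (is_file($candidate)) {
                ob_start();
                include $candidate;
                return (string) ob_get_clean();
            }
        }
        throw new RuntimeException("View script not found in any script path: $name");
    }
}

// Constructed demo: a temporary view directory with one script, a base path
// that itself contains "../", one legitimate render, and names the check rejects.
$base = sys_get_temp_dir() . '/lfi_demo_' . uniqid();
mkdir("$base/views", 0700, true);
file_put_contents("$base/views/hello.phtml", "Hello from a view script\n");

$view = new TraversalGuardedView();
$view->addScriptPath("$base/views/../views"); // "../" in a base path is fine
echo $view->render('hello.phtml');

foreach (['../outside.phtml', '..\\outside.phtml', 'sub/../hello.phtml'] as $name) {
    try {
        $view->render($name);
        echo "allowed: $name\n";
    } catch (RuntimeException $e) {
        echo "rejected: $name\n";
    }
}

// With the switch off, the textual check is skipped and only the filesystem
// lookup decides, which is the regression-compatible behaviour the announcement describes.
$lenient = new TraversalGuardedView(false);
$lenient->addScriptPath("$base/views");
echo $lenient->render('sub/../hello.phtml');
```

The check is applied only to the string handed to render(), so an application whose base paths are built with `dirname(__FILE__) . '/../views'` is unaffected in this model; whether Zend_View itself treats base paths the same way is not stated in the announcement and should be confirmed against the migration notes it links to.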