-- Colin Guthrie <[email protected]> wrote (on Wednesday, 18 February 2009, 09:09 AM +0000):
> 'Twas brillig, and Wil Sinclair at 18/02/09 03:51 did gyre and gimble:
>> The Zend Framework team has been notified of a potential Local File
>> Inclusion (LFI) attack vector in Zend_View's render() method. To
>> address the issue, as of the 1.7.5 release the render() method no
>> longer accepts paths that include parent directory traversal (e.g.,
>> "../" and "..\") in the path argument. This introduces a regression in
>> behavior which can be addressed by turning off the lfiProtectionOn
>> flag. For more information, see:
>>
>> http://framework.zend.com/manual/en/zend.view.migration.html
>
> Interesting.
>
> Out of curiosity, does this only apply to the values passed in to
> render() or also to the script paths themselves? My base paths tend to
> have ../ in them (dirname(__FILE__).'/../views' or something similar).
> Obviously you'd hope the app knows best in this regard so I hope this is
> permissible.
Just the paths passed to render(). The original report was actually about
the paths passed to addScriptPath(), but the examples showed using user
input to specify those paths -- which is, quite simply, a really, really
bad idea in the first place. Additionally, it's not uncommon to use
relative paths when determining the view script paths, which would have
made this a difficult hole to close. Thus, the patch is for the render()
method only (actually, it happens in the _script() protected method, but
that's only ever called by render()).

> I'll have a play later this week and find out :)

--
Matthew Weier O'Phinney
Software Architect | [email protected]
Zend Framework | http://framework.zend.com/
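The behaviour discussed in this exchange, as an added stand-alone PHP example that is not Zend Framework's code: a minimal view class whose render() argument is checked for "../" and "..\" while a script path set via addScriptPath() is taken on trust. The class name MiniView, its method names, and the traversal regex are assumptions chosen to mirror what the announcement and the reply describe, and the files it reads are constructed in a temporary directory so it runs offline.

```php
<?php
// Added illustration, not Zend Framework code. MiniView, its method names and
// the traversal regex are assumptions chosen to mirror the behaviour the
// announcement and Matthew's reply describe; the files it touches are created
// in a temporary directory so the script runs stand-alone.

class MiniView
{
    private $scriptPaths = array();
    private $lfiProtectionOn = true;

    // Script paths are trusted configuration: a base path containing "../"
    // (dirname(__FILE__) . '/../views' and the like) is accepted as-is,
    // because the check lives in script(), which only sees the render() argument.
    public function addScriptPath($path)
    {
        $this->scriptPaths[] = rtrim($path, '/\\') . DIRECTORY_SEPARATOR;
        return $this;
    }

    // Stands in for the lfiProtectionOn flag mentioned in the announcement.
    public function setLfiProtection($flag)
    {
        $this->lfiProtectionOn = (bool) $flag;
        return $this;
    }

    public function isLfiProtectionOn()
    {
        return $this->lfiProtectionOn;
    }

    // Resolve a script name against the script paths. Rejects "../" and "..\"
    // anywhere in the name while protection is on (regex is an assumption).
    protected function script($name)
    {
        if ($this->isLfiProtectionOn() && preg_match('#\.\.[\\\/]#', $name)) {
            throw new RuntimeException(
                'Requested scripts may not include parent directory traversal ("../", "..\\" notation)'
            );
        }
        foreach ($this->scriptPaths as $dir) {
            if (is_readable($dir . $name)) {
                return $dir . $name;
            }
        }
        throw new RuntimeException("Script '$name' not found in path");
    }

    public function render($name)
    {
        $file = $this->script($name);
        ob_start();
        include $file;
        return ob_get_clean();
    }
}

// Constructed layout: app/views/index.phtml inside the view directory and a
// secret.txt two levels up that an attacker would try to reach.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/app/public", 0700, true);
mkdir("$root/app/views", 0700, true);
file_put_contents("$root/app/views/index.phtml", "<p>hello</p>\n");
file_put_contents("$root/secret.txt", "db password\n");

$view = new MiniView();
// Base path with "../" in it, as in the question above: accepted, and
// index.phtml renders normally.
$view->addScriptPath("$root/app/public/../views");
echo $view->render('index.phtml');

// The vulnerable pattern: script name taken straight from the request.
$_GET['page'] = '../../secret.txt';
foreach (array($_GET['page'], "..\\..\\secret.txt") as $hostile) {
    try {
        $view->render($hostile);
        echo "NOT blocked: $hostile\n";
    } catch (RuntimeException $e) {
        echo "blocked: $hostile (" . $e->getMessage() . ")\n";
    }
}

// Turning protection off restores the pre-1.7.5 behaviour: the same name now
// resolves to secret.txt and its contents are echoed.
$view->setLfiProtection(false);
echo $view->render('../../secret.txt');

// Clean up the constructed layout.
unlink("$root/secret.txt");
unlink("$root/app/views/index.phtml");
rmdir("$root/app/views");
rmdir("$root/app/public");
rmdir("$root/app");
rmdir($root);
```

Run it with `php lfi_demo.php` (file name assumed). The first render succeeds even though the configured script path contains "/../", which is the answer to the question in the quoted mail; both hostile names are refused while protection is on; and flipping the flag off, as the migration note says you can, shows exactly what is given up, since the traversal then reads a file outside the view directory.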
