'Twas brillig, and Matthew Weier O'Phinney at 18/02/09 13:07 did gyre
and gimble:
-- Colin Guthrie <[email protected]> wrote
(on Wednesday, 18 February 2009, 09:09 AM +0000):
'Twas brillig, and Wil Sinclair at 18/02/09 03:51 did gyre and gimble:
The Zend Framework team has been notified of a potential Local File
Inclusion (LFI) attack vector in Zend_View's render() method. To
address the issue, as of the 1.7.5 release the render() method no
longer accepts paths that include parent directory traversal (e.g.,
"../" and "..\") in the path argument. This introduces a regression in
behavior which can be addressed by turning off the lfiProtectionOn
flag. For more information, see:
http://framework.zend.com/manual/en/zend.view.migration.html
Interesting.
Out of curiosity, does this only apply to the values passed in to
render() or also to the script paths themselves? My base paths tend to
have ../ in them (dirname(__FILE__).'/../views' or something similar).
Obviously you'd hope the app knows best in this regard so I hope this is
permissible.
Just the paths passed to render().
The original report was actually about the paths passed to
addScriptPath(), but the examples showed using user input to specify
those paths -- which is, quite simply, a really, really bad idea in the
first place. Additionally, it's not uncommon to use relative paths when
determining the view script paths, which would have made this a
difficult hole to close.
Excellent. This validates my thinking on the subject too which makes me
feel I'm getting close to understanding all this jazz with some degree
of accuracy ;)
Cheers again.
Col
/me now wonders why the three attempts to post a new message to this
list have vaporised into the ether .... :(
--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/
Day Job:
Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
Mandriva Linux Contributor [http://www.mandriva.com/]
PulseAudio Hacker [http://www.pulseaudio.org/]
Trac Hacker [http://trac.edgewall.org/]
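The behaviour discussed in the thread, as an added example that is not part of the original message and is not Zend Framework's own code: a minimal view renderer in which addScriptPath() accepts trusted configuration (including "../" segments, as Colin's dirname(__FILE__).'/../views' style does), while render() rejects a caller-supplied script name containing "../" or "..\" unless the lfiProtectionOn flag is switched off. The class name MiniView, the setLfiProtection() setter, the temporary directory layout and the secret file are all hypothetical and constructed for the demo; only render(), addScriptPath() and the lfiProtectionOn flag mirror names used in the announcement.

```php
<?php
// Added example, not Zend_View's implementation. MiniView, setLfiProtection()
// and the temp-directory layout below are hypothetical; render(),
// addScriptPath() and lfiProtectionOn mirror the names in the announcement.

class MiniView
{
    private array $scriptPaths = [];
    private bool $lfiProtectionOn = true;

    // Script paths are trusted application configuration. They may contain
    // "../" (e.g. dirname(__FILE__) . '/../views') and are not checked.
    public function addScriptPath(string $path): void
    {
        $this->scriptPaths[] = rtrim($path, '/\\') . DIRECTORY_SEPARATOR;
    }

    // The 1.7.5 migration note says the check can be disabled; this setter
    // stands in for that flag.
    public function setLfiProtection(bool $flag): void
    {
        $this->lfiProtectionOn = $flag;
    }

    // Resolve a script name against the registered paths and include it.
    // $name is the only argument that might carry user input.
    public function render(string $name): string
    {
        // Reject parent-directory traversal ("../" or "..\") anywhere in the
        // requested name when protection is on.
        if ($this->lfiProtectionOn && preg_match('#\.\.[/\\\\]#', $name)) {
            throw new InvalidArgumentException(
                "Requested script '$name' contains parent directory traversal; "
                . "disable LFI protection to allow it"
            );
        }
        foreach ($this->scriptPaths as $dir) {
            $file = $dir . $name;
            if (is_file($file)) {
                ob_start();
                include $file;            // a .txt file is echoed verbatim
                return ob_get_clean();
            }
        }
        throw new RuntimeException("Script '$name' not found in any script path");
    }
}

// Constructed fixture: app/views holds a legitimate template, and a file
// outside the view tree plays the role of something an attacker wants read.
$base = sys_get_temp_dir() . '/miniview_' . getmypid();
mkdir("$base/app/views", 0700, true);
mkdir("$base/app/controllers", 0700);
file_put_contents("$base/app/views/index.phtml", "<p>hello</p>\n");
file_put_contents("$base/secret.txt", "db_password=hunter2\n");

$view = new MiniView();
// The script path itself contains "../" and is accepted unchanged.
$view->addScriptPath("$base/app/controllers/../views");

echo $view->render('index.phtml');

// A user-controlled name that tries to climb out of the view directory.
$attacker = '../../secret.txt';
try {
    $view->render($attacker);
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}

// With protection off (the pre-1.7.5 behaviour) the same name is resolved
// relative to the script path and the file outside the view tree is included.
$view->setLfiProtection(false);
echo "unprotected: ", $view->render($attacker);

// Clean up the fixture.
unlink("$base/secret.txt");
unlink("$base/app/views/index.phtml");
rmdir("$base/app/views");
rmdir("$base/app/controllers");
rmdir("$base/app");
rmdir($base);
```

Run it with `php miniview.php`: the first render returns the template, the second is refused by the traversal check, and the third, after disabling protection, includes and prints the contents of secret.txt, which is exactly the LFI the 1.7.5 change closes. Because render() always prefixes the name with a registered script directory, an absolute path in $name cannot escape on its own in this example; the "../" case is the one that needed an explicit check, and the check lives on the render() argument rather than on the script paths, matching Matthew's answer that only the paths passed to render() are affected.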