Hello,
I've got to set the flag (to "false") in the bootstrap because I have a lot of
forms with " array('viewScript' => '../helpers/edit.phtml'), " and I'm in a
hurry to deliver the app to the production stage. I'm sure this is a bad
practice (or can I leave it like this?).
On the other hand, I'm reading about LFI but don't understand where this fits
into a situation where a user can set the script path. Could you explain a
real scenario where the user provides this (the script path he wants to go
to)?
Thank you so much.
wllm wrote:
>
> The Zend Framework team has been notified of a potential Local File
> Inclusion (LFI) attack vector in Zend_View's render() method. To address
> the issue, as of the 1.7.5 release the render() method no longer accepts
> paths that include parent directory traversal (e.g., "../" and "..\") in
> the path argument. This introduces a regression in behavior which can be
> addressed by turning off the lfiProtectionOn flag. For more information,
> see:
>
> http://framework.zend.com/manual/en/zend.view.migration.html
>
> If this advisory does not affect your applications, please disregard. We
> take security very seriously and will continue to notify all users when
> a security fault is discovered.
>
> Thank you.
>
> ,Wil
>
--
View this message in context:
http://www.nabble.com/SECURITY-ADVISORY-tp22071709p22117311.html
Sent from the Zend Framework mailing list archive at Nabble.com.
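An added example (not code from this thread or from Zend Framework itself) showing the traversal check the advisory describes, a controller pattern where the rendered template never comes straight from request input, and a bootstrap alternative that keeps lfiProtectionOn enabled for the '../helpers/edit.phtml' case by registering the helpers directory as a script path. It assumes ZF 1.7.5+ (setLfiProtection() and addScriptPath() on Zend_View) and an APPLICATION_PATH constant; the helpers directory path is a placeholder.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Assumes Zend Framework 1.7.5+ and an APPLICATION_PATH constant.

/**
 * Reimplementation (for illustration only) of the check Zend_View::render()
 * applies from 1.7.5 when lfiProtectionOn is true: reject any view script
 * name that contains parent-directory traversal.
 */
function isSafeViewScriptName($name)
{
    // Both separators are checked because "..\" also traverses on Windows.
    return strpos($name, '../') === false && strpos($name, '..\\') === false;
}

/**
 * Hardened controller pattern: the template is selected from a fixed
 * allow-list keyed by the request value, so user input is never used as a
 * filesystem path, whether or not lfiProtectionOn is enabled.
 */
function renderUserSelectedForm(Zend_View_Interface $view, $requested)
{
    $allowed = array(
        'edit'   => 'edit.phtml',
        'create' => 'create.phtml',
    );
    if (!isset($allowed[$requested])) {
        throw new InvalidArgumentException('Unknown form template');
    }
    return $view->render($allowed[$requested]);
}

/**
 * Bootstrap alternative to setting lfiProtectionOn = false: add the helpers
 * directory to the view's script paths so form decorators can use
 * 'viewScript' => 'edit.phtml' instead of '../helpers/edit.phtml'.
 */
function configureView()
{
    $view = new Zend_View();
    $view->setLfiProtection(true);  // explicit; true is the 1.7.5 default
    // Placeholder directory: point this at wherever the shared helper
    // templates actually live in your application.
    $view->addScriptPath(APPLICATION_PATH . '/views/helpers');
    return $view;
}
```

With the helpers directory registered, render('edit.phtml') resolves through the script path list and the traversal protection can stay on.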