Hi all,

First, I have to say I'm amazed by the Symfony2 framework. I've been a symfony
user/developer since symfony 1.0, so I know a little about the bits and pieces
of symfony, but I still think that Symfony2 looks like a better and very
promising framework.

Now, I'm running into this bug in the Symfony2 framework if I choose to use PHP as
the templating engine.

I was following the code in the simple "Hello World" introduction using the PR11
release. I created a new "Study" bundle following the code in the book, and
replaced the templates with ".php" instead of ".twig".

The thing is, the final render() call always adds an extra character, the
digit "1".

So when I tried to call:

app.php/hello/Arief

What comes up on the page is:

"Hello, Arief! 1"

instead of just:

"Hello, Arief!"

Investigating this issue, I noticed that in file:

  Symfony/Component/Templating/PhpEngine.php

The extra "1" char is added when the base template (base.html.php) is
filled in with the content of the hello template
(HelloBundle:Default:index.html.php).

At the hello template stage, there is no extra "1" char in the content, but
when the base template is evaluated, the char appears in the content.

I think this has something to do with the evaluate() function in that
PhpEngine.php file; there is this "extract($parameters)" code before the
template is required. I believe that somehow one of the extracted parameters
generates this digit "1" character, but I'm not sure which one, or how it
happens, yet.

I'd very much appreciate it if anyone can help explain why that happens and
how to fix it. If more info is required from me, I'll be happy to provide
it. I've attached my base.html.php and index.html.php for a start.

Btw, when I tried to var_dump() the $parameters passed into the evaluate()
function, I was a bit surprised because it contains every parameter that
Symfony has access to. There are also database connection details in that
variable.

I'm not a security expert, so I could be wrong about this, but I think there
might be a security flaw here: if an attacker could somehow trick the
application into var_dump()-ing the $parameters variable, everything would be exposed.

To be a bit paranoid, may I suggest we create 2 parameter variables, one
that can safely be passed around everywhere, and another with some sort of
security perimeter. Please CMIIW on this one.

Thank you for the great framework.


All the best.
-arief

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

<<attachment: base.html.php>>

<<attachment: index.html.php>>
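The two observations in the post (a stray "1" appearing once a PHP template is evaluated, and every container parameter being in scope inside the template) can both be reproduced with a few lines of PHP. The following is an added illustration written for this page, not Symfony's PhpEngine and not the poster's attachments: `MiniPhpEngine`, `outputSlot()` and `viewParameters()` are hypothetical names, the template files are constructed at run time, and the "database credential" is a fake value. `outputSlot()` shows one well-known way a trailing "1" gets onto a page in PHP (echo-ing a helper that returns `true`); the page does not show that this is the cause of the poster's bug, so treat it as the first thing to check rather than the diagnosis. `viewParameters()` is one way to implement the "two parameter sets" suggestion: an allow-list so that templates only see the keys they declare.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony code: a minimal engine that does what the
// post describes (extract($parameters), then require the template), so the
// behaviour can be reproduced stand-alone. Requires PHP 7.4 or later.

final class MiniPhpEngine
{
    /** @var array<string,string> template name => file path (constructed) */
    private array $templates;

    public function __construct(array $templates)
    {
        $this->templates = $templates;
    }

    public function evaluate(string $name, array $parameters): string
    {
        ob_start();
        // Every key of $parameters becomes a local variable visible to the
        // template. EXTR_SKIP keeps $name and $parameters themselves from
        // being clobbered by a parameter of the same name ($this is never
        // overwritten by extract()).
        extract($parameters, EXTR_SKIP);
        require $this->templates[$name];
        return ob_get_clean();
    }
}

// Hypothetical slot-style helper: it prints its content and returns true.
// echo-ing a boolean true prints "1", so "<?php echo outputSlot(...) ?>"
// appends a stray "1" to the page while "<?php outputSlot(...) ?>" does not.
function outputSlot(string $content): bool
{
    echo $content;
    return true;
}

// Hypothetical allow-list helper for the "two parameter sets" idea: a template
// receives only the keys it declares, so container-wide values such as
// database credentials are never in its scope, var_dump() or not.
function viewParameters(array $all, array $allowed): array
{
    return array_intersect_key($all, array_flip($allowed));
}

$dir = sys_get_temp_dir() . '/mini-engine-' . bin2hex(random_bytes(4));
mkdir($dir);

// Constructed templates. "buggy" echoes the helper's return value, "fixed"
// does not, and "probe" reports whether the credential is visible to it.
file_put_contents("$dir/buggy.html.php",
    '<?php echo outputSlot("Hello, $name!") ?>');
file_put_contents("$dir/fixed.html.php",
    '<?php outputSlot("Hello, $name!") ?>');
file_put_contents("$dir/probe.html.php",
    '<?php echo isset($db_password) ? "db_password is in scope" : "db_password is not in scope" ?>');

$engine = new MiniPhpEngine([
    'buggy' => "$dir/buggy.html.php",
    'fixed' => "$dir/fixed.html.php",
    'probe' => "$dir/probe.html.php",
]);

// Constructed stand-in for the container-wide parameter array the post saw in
// var_dump(); the credential is a fake value, not a real secret.
$allParameters = [
    'name'        => 'Arief',
    'db_user'     => 'app',
    'db_password' => 'not-a-real-secret',
];

echo $engine->evaluate('buggy', $allParameters), "\n";
echo $engine->evaluate('fixed', $allParameters), "\n";
echo $engine->evaluate('probe', $allParameters), "\n";
echo $engine->evaluate('probe', viewParameters($allParameters, ['name'])), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run with `php mini-engine.php`. The first line ends in a trailing "1" and the second does not; the third line reports that the credential is in scope when the full parameter array is passed, and the fourth that it is not once the template receives only the allow-listed `name` key. The practical check, when hunting a stray "1" in a PHP template, is to grep the templates for `echo` in front of a helper call that returns a boolean.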
