On Fri, 30 May 2003, darren chamberlain wrote:

> > While experimenting with a tt2-enabled wiki, I discovered that many
> > plugins are much more insecure than TT2 itself. Since I do not want to
> > uninstall TT2, and since I was unable to set up an independent
> > installation, I started looking into the code.
> >
> > I propose to replace the load subroutine in Plugin.pm with
> 
> You can modify Template::Plugins to only "know about" the plugins you
> want to support:
> 
>   use Template::Plugins;
> 
>   foreach my $bad (@untrustworthy_plugins) {
>       delete $Template::Plugins::STD_PLUGINS->{$bad};
>   }
> 
> And then those deleted plugins can't be loaded from USE (be sure that
> LOAD_PERL is not set, of course, and that PLUGIN_BASE is explicitly
> unset).
> 
> If you're really paranoid, you can simply:
> 
>   %$Template::Plugins::STD_PLUGINS = ();
> 
> Bye bye, plugins!

It does not seem to work for me. Here are the relevant parts of my code:

------------------------------------------------------------------
$template = Template->new($config) or die "cannot start Template";

# keep only the plugins named in $usable (whitespace/word-separated list)
my $usable = "dbi";
use Template::Plugins;
foreach my $plug (keys %$Template::Plugins::STD_PLUGINS) {
        delete $Template::Plugins::STD_PLUGINS->{$plug} unless
                $usable =~ /\b$plug\b/;
}

# show what is left in the global plugin table
print STDERR "plugins: @{[%$Template::Plugins::STD_PLUGINS]}\n";
------------------------------------------------------------------

and at this point %$Template::Plugins::STD_PLUGINS only contains dbi,
but if I issue a [%USE Directory%] directive in some page I can still list
all files in my system. This does not happen with my suggested method.

Am I missing something? 

-- 
Franco Bagnoli (franchino) <[EMAIL PROTECTED]> ([EMAIL PROTECTED])
virtual location: Dipartimento di Energetica "S. Stecco"
real location: Dip. Matematica Applicata "G. Sansone", Universita' Firenze,
Via S. Marta, 3 I-50139 Firenze, Italy. Tel. +39 0554796422, fax: +39 055471787
GPG Key fingerprint = 169D 9EA5 8FD3 7EDA E43A  9830 255F BCEC 0D63 3728
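An allow-list plugin provider, added here as an illustration and not code from either poster or from Template Toolkit itself: instead of deleting entries from the shared STD_PLUGINS hash, it subclasses Template::Plugins and refuses any plugin name that is not explicitly listed, so the check applies before STD_PLUGINS, PLUGIN_BASE or LOAD_PERL get a chance to resolve the name. It assumes Template Toolkit 2.x; the ALLOWED option and the AllowList package name are invented for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not from the thread): a Template::Plugins subclass that only
# loads plugin names listed in ALLOWED (hypothetical option, invented here).
# Because fetch() runs before any STD_PLUGINS / PLUGIN_BASE / LOAD_PERL
# lookup, nothing outside the list can be reached from [% USE ... %].
package Template::Plugins::AllowList;
use base 'Template::Plugins';
use Template::Constants;

sub _init {
    my ($self, $params) = @_;
    $self->SUPER::_init($params) or return;
    # TT matches plugin names case-insensitively, so normalise the list too
    $self->{ ALLOWED } = { map { lc($_) => 1 } @{ $params->{ ALLOWED } || [] } };
    return $self;
}

sub fetch {
    my ($self, $name, $args, $context) = @_;
    # Returning STATUS_ERROR makes the context throw a plugin exception,
    # so the template aborts instead of silently trying other providers.
    return ("plugin '$name' is not on the allow list",
            Template::Constants::STATUS_ERROR)
        unless $self->{ ALLOWED }->{ lc $name };
    return $self->SUPER::fetch($name, $args, $context);
}

package main;
use Template;

# Passing the provider via LOAD_PLUGINS replaces the default Template::Plugins
# provider, so the global STD_PLUGINS hash no longer needs to be edited.
my $tt = Template->new({
    LOAD_PLUGINS => [ Template::Plugins::AllowList->new({ ALLOWED => ['string'] }) ],
}) or die Template->error();

# Constructed sample templates: the first uses an allowed plugin, the second
# tries the Directory plugin discussed in the thread and is refused.
for my $tmpl ("[% USE s = String('hello'); s.upper %]\n",
              "[% USE Directory('/') %]\n") {
    my $out = '';
    if ($tt->process(\$tmpl, {}, \$out)) { print "ok: $out" }
    else                                   { print "denied: ", $tt->error(), "\n" }
}
```

One caveat worth knowing when editing the global table instead: Template::Plugins copies STD_PLUGINS into each provider object when it is constructed, so changes to the global hash only affect Template objects created afterwards.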


_______________________________________________
templates mailing list
[EMAIL PROTECTED]
http://lists.template-toolkit.org/mailman/listinfo/templates