Nabeel (Administrators), posted July 16, 2012

Due to some... bad decisions... I made when starting phpVMS, template files are pretty much plain-text. Even though I've posted instructions, and included in the default install instructions on how to add the .htaccess, there are still ways of getting someone's template files. This is causing all sorts of problems with theft.

So what I'm thinking of doing are two things:

- Renaming all template files from .tpl to .php - this allows for the PHP code to be hidden
- Adding a code-check to make sure phpVMS is calling the template, and if not, nothing shows

This will be a backwards incompatible change, but I feel like it's worth it. The second part to this is - I will include instructions on how to do this for your current install.

I want to make other drastic changes to templates (mainly organization and moving them around), but I don't know if this is worth it - mainly organizing the templates by module in separate folders (which is the standard of how it's done).

What are people's thoughts on this? Any guinea pigs?

Kyle (Moderators), posted July 16, 2012

Interesting... I never knew how our .htaccess is secured that much and the way people are getting the skin code. From what you are thinking about doing, I think this is a good idea, I mean really because it'll stop all of the skin theft much likely. I can see this could take time to make it work fully, whenever you need the time, take your time. So, I think this will be 100% worth it to stop the theft because browsers can't read php files, but tpl can be read but if we set our .htaccess properly.

Cheers!

Nabeel (Administrators, Author), posted July 16, 2012

https://github.com/nshahzad/phpVMS/issues/71

James142, posted July 16, 2012

I'm sure it would be worth the time it takes to make these changes if it puts a stop to the theft.

Tom, posted July 16, 2012

Completely agree with changing to .php, however how would part 2 work?

Nabeel (Administrators, Author), posted July 16, 2012

Wow, there's going to be a lot of changed code - I'm okay with that for the next release. But if someone wants to retrofit this, as per my instructions, it'll be a ***** to do. But I can put in a code change to help that too. I thought I had removed template extension from render calls, but apparently not. I can do a code-change where it finds a .tpl and strips it, but all these lines will have to be changed:

http://pastebin.com/JTZTbBsE

> Completely agree with changing to .php, however how would part 2 work?

In the config file, adding a define() for something like IN_PHPVMS.

    define('IN_PHPVMS', true);

Then in every template file (which is a *****):

    // Stop unless phpVMS itself loaded this template
    if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); }

Nabeel (Administrators, Author), posted July 16, 2012

I'm going through this right now and documenting it in/through github. I'll have full instructions and you guys can test it, that'd be great.

Kyle (Moderators), posted July 16, 2012

Count me in! I'll be happy to test it out for you.

Nabeel (Administrators, Author), posted July 16, 2012

Can you try out the changes listed in the ticket?

https://github.com/nshahzad/phpVMS/issues/71

Comment there directly. Also, access the acarsmap.php directly via the URL - what do you see? Then if you add to that file, the very first line

    <?php if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>

Is it blank? I don't have access to my webserver ATM to check that.

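An added example, not from the thread or from phpVMS itself: a PHP script that audits a template directory for files still named .tpl or missing the IN_PHPVMS guard as their first statement, which is the check to run after retrofitting an install. The function names, directory layout and sample files are constructed for illustration.

```php
<?php
// Added example: audit templates for direct-access exposure (names are assumptions).
const GUARD_CONSTANT = 'IN_PHPVMS'; // constant name taken from the thread

/** True when the first PHP statement of $source is a defined() guard that exits. */
function hasGuard(string $source): bool
{
    // The guard must be the first statement so it runs before any output.
    $head = substr(ltrim($source), 0, 300);
    $pattern = '/^<\?php\s*if\s*\(\s*!\s*defined\(\s*[\'"]' . GUARD_CONSTANT
             . '[\'"]\s*\)[^{;]*\)\s*\{?\s*(die|exit)\b/i';
    return preg_match($pattern, $head) === 1;
}

/** Returns [relativePath => problem] for every template that needs attention. */
function auditTemplates(string $dir): array
{
    $problems = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $ext = strtolower($file->getExtension());
        if ($ext === 'tpl') {
            $problems[$rel] = 'still .tpl: readable as plain text unless .htaccess blocks it';
        } elseif ($ext === 'php' && !hasGuard(file_get_contents($file->getPathname()))) {
            $problems[$rel] = 'no ' . GUARD_CONSTANT . ' guard at top of file';
        }
    }
    ksort($problems);
    return $problems;
}

// Constructed sample tree so the script runs offline.
$dir = sys_get_temp_dir() . '/tpl_audit_' . uniqid();
mkdir($dir . '/frontpage', 0700, true);
$guard = "<?php if (!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>\n";
file_put_contents("$dir/acarsmap.php", $guard . "<div id=\"map\"></div>\n");
file_put_contents("$dir/frontpage/main.php", "<h1><?php echo \$title; ?></h1>\n");
file_put_contents("$dir/frontpage/news.tpl", "<p><?php echo \$body; ?></p>\n");

foreach (auditTemplates($dir) as $path => $problem) {
    echo "$path: $problem\n";
}
```

The check only confirms that a guard is present at the top of each file; it does not validate the guard's condition.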