Changes to template formats for security


Nabeel


  • Administrators

Due to some... bad decisions... I made when starting phpVMS, template files are pretty much plain-text. Even though I've posted instructions, and included in the default install instructions on how to add the .htaccess, there's still ways of getting someone's template files. This is causing all sorts of problems with theft.

So what I'm thinking of doing are two things:

  1. Renaming all template files from .tpl to .php - this allows for the PHP code to be hidden
  2. Adding a code-check to make sure phpVMS is calling the template, and if not, nothing shows

This will be a backwards incompatible change, but I feel like it's worth it. The second part to this is - I will include instructions on how to do this for your current install.

I want to make other drastic changes to templates (mainly organization and moving them around), but I don't know if this is worth it - mainly organizing the templates by module in separate folders (which is the standard of how it's done).

What are people's thoughts on this? Any guinea pigs?


  • Moderators

Interesting...

I never knew how well our .htaccess secured things or how people are getting the skin code. From what you are thinking of doing, I think this is a good idea, I mean really, because it'll most likely stop all of the skin theft.

I can see this could take time to make it work fully, whenever you need the time, take your time.

So, I think this will be 100% worth it to stop the theft, because browsers can't read .php files, but .tpl files can be read unless we set our .htaccess properly.

Cheers!


  • Administrators

Wow, there's going to be a lot of changed code - I'm okay with that for the next release. But if someone wants to retrofit this, as per my instructions, it'll be a ***** to do. But I can put in a code change to help that too. I thought I had removed the template extension from render calls, but apparently not. I can do a code-change where it finds a .tpl and strips it, but all these lines will have to be changed:

http://pastebin.com/JTZTbBsE

Completely agree with changing to .php, however how would part 2 work?

In the config file, adding a define() for something like IN_PHPVMS.

define('IN_PHPVMS', true);

Then in every template file (which is a *****):

if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { // '||': block when the constant is missing or not true
 die();
}


  • Administrators

Can you try out the changes listed in the ticket?

https://github.com/nshahzad/phpVMS/issues/71

Comment there directly.

Also, access the acarsmap.php directly via the URL - what do you see?

Then if you add to that file, the very first line

<?php if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>

Is it blank? I don't have access to my webserver ATM to check that.
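A runnable version of the arrangement discussed in this thread (bootstrap defines the constant, the render path includes a .php template, a direct request to the template file gets nothing), added here as an illustration and not taken from phpVMS. The render_template() name, the temp directory standing in for core/templates/, and the 'acarsmap' template are assumptions.

```php
<?php
// Added example, not phpVMS code. Assumed: render_template(), a temp dir in place of
// core/templates/, and a one-line 'acarsmap' template.

// 1. Write a .php template whose first line is the guard. Note '||', not '&&':
//    with '&&' the constant's value is only inspected when it is undefined, so the
//    check would lean on PHP's undefined-constant handling, and a defined-but-false
//    IN_PHPVMS would get through.
$dir = sys_get_temp_dir() . '/tpl_example_' . getmypid();
mkdir($dir);
$template = $dir . '/acarsmap.php';
file_put_contents($template, <<<'TPL'
<?php if (!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>
<div id="acarsmap">Flights online: <?php echo (int) $count; ?></div>
TPL
);

// 2. The bootstrap (config.php in the thread) defines the constant exactly once.
//    Templates never define it themselves, which is what makes the guard meaningful.
define('IN_PHPVMS', true);

function render_template(string $file, array $vars): string
{
    extract($vars, EXTR_SKIP);
    ob_start();
    include $file;          // guard passes here: IN_PHPVMS is defined by the bootstrap
    return ob_get_clean();
}

// 3. Rendered through the application: markup comes back.
$viaApp = render_template($template, ['count' => 3]);

// 4. Requested "directly": a fresh interpreter with no bootstrap, which is what a
//    browser hitting /core/templates/acarsmap.php gets once the file is .php rather
//    than .tpl. The guard dies before any output, so neither markup nor PHP source
//    is emitted (shell_exec() returns NULL when a command prints nothing).
$direct = shell_exec(PHP_BINARY . ' ' . escapeshellarg($template));

echo "via app: " . trim($viaApp) . "\n";
echo "direct:  " . var_export($direct, true) . "\n";

unlink($template);
rmdir($dir);
```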

