Nabeel (Administrators), posted July 16, 2012:

Due to some... bad decisions... I made when starting phpVMS, template files are pretty much plain-text. Even though I've posted instructions, and included in the default install instructions on how to add the .htaccess, there's still ways of getting someone's template files. This is causing all sorts of problems with theft.

So what I'm thinking of doing are two things:

1. Renaming all template files from .tpl to .php - this allows for the PHP code to be hidden
2. Adding a code-check to make sure phpVMS is calling the template, and if not, nothing shows

This will be a backwards incompatible change, but I feel like it's worth it. The second part to this is - I will include instructions on how to do this for your current install.

I want to make other drastic changes to templates (mainly organization and moving them around), but I don't know if this is worth it - mainly organizing the templates by module in separate folders (which is the standard of how it's done).

What are people's thoughts on this? Any guinea pigs?

Kyle (Moderators), posted July 16, 2012:

Interesting... I never knew how our .htaccess is secured that much and the way people are getting the skin code. From what you are thinking about doing, I think this is a good idea, I mean really because it'll stop all of the skin theft much likely. I can see this could take time to make it work fully, whenever you need the time, take your time. So, I think this will be 100% worth it to stop the theft because browsers can't read php files, but tpl can be read but if we set our .htaccess properly.

Cheers!

Nabeel (Administrators), posted July 16, 2012:

https://github.com/nshahzad/phpVMS/issues/71

James142, posted July 16, 2012:

I'm sure it would be worth the time it takes to make these changes if it puts a stop to the theft.

Tom, posted July 16, 2012:

Completely agree with changing to .php, however how would part 2 work?

Nabeel (Administrators), posted July 16, 2012:

Wow, there's going to be a lot of changed code - I'm okay with that for the next release. But if someone wants to retrofit this, as per my instructions, it'll be a ***** to do. But I can put in a code change to help that too.

I thought I had removed the template extension from render calls, but apparently not. I can do a code-change where it finds a .tpl and strips it, but all these lines will have to be changed:

http://pastebin.com/JTZTbBsE

> Completely agree with changing to .php, however how would part 2 work?

In the config file, adding a define() for something like IN_PHPVMS.

    define('IN_PHPVMS', true);

Then in every template file (which is a *****):

    // Stop unless IN_PHPVMS is defined as true; || short-circuits when it is undefined
    if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); }

Nabeel (Administrators), posted July 16, 2012:

I'm going through this right now and documenting it in/through github. I'll have full instructions and you guys can test it, that'd be great.

Kyle (Moderators), posted July 16, 2012:

Count me in! I'll be happy to test it out for you.

Nabeel (Administrators), posted July 16, 2012:

Can you try out the changes listed in the ticket?

https://github.com/nshahzad/phpVMS/issues/71

Comment there directly.

Also, access the acarsmap.php directly via the URL - what do you see? Then if you add to that file, the very first line

    <?php if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>

Is it blank? I don't have access to my webserver ATM to check that.

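
The retrofit discussed in this thread (rename each .tpl to .php, then put the IN_PHPVMS check on the first line of every template) can be scripted. The following is an added example, not part of the thread and not phpVMS code; the script name, the function name and the assumption that all templates live under one directory are hypothetical.

```python
"""Retrofit a template tree: rename *.tpl to *.php and prepend the guard line.

Added example, not phpVMS tooling. Point it at the template directory only:
guarding an entry script such as index.php would blank the whole site.
"""
import sys
from pathlib import Path

# Guard from the thread, written with || so an undefined IN_PHPVMS
# short-circuits to die() without the constant ever being evaluated.
GUARD = b"<?php if(!defined('IN_PHPVMS') || IN_PHPVMS !== true) { die(); } ?>\n"
MARKER = b"defined('IN_PHPVMS')"


def retrofit(template_dir, dry_run=False):
    """Return [(action, relative_path), ...] in path order for each change."""
    root = Path(template_dir)
    actions = []
    # sorted() snapshots the listing, so renames cannot disturb the walk.
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in (".tpl", ".php"):
            continue
        target = path.with_suffix(".php")
        name = target.relative_to(root).as_posix()
        if path.suffix == ".tpl":
            if target.exists():
                # Never overwrite an existing .php; flag it for manual review.
                actions.append(("conflict", path.relative_to(root).as_posix()))
                continue
            if not dry_run:
                path.rename(target)
            actions.append(("renamed", name))
        # In a dry run the .tpl was not renamed, so read it where it still is.
        source = path if path.exists() else target
        body = source.read_bytes()
        if MARKER not in body.split(b"\n", 1)[0]:
            if not dry_run:
                target.write_bytes(GUARD + body)
            actions.append(("guarded", name))
    return actions


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: retrofit.py TEMPLATE_DIR [--dry-run]")
    for action, name in retrofit(sys.argv[1], dry_run="--dry-run" in sys.argv):
        print(f"{action:9} {name}")
```

The script is idempotent: a second run reports nothing. It does not touch render calls that still name a .tpl file, so those need the separate code change mentioned in the thread.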