
Disable Compiler fallback by default.

I inadvertently removed my `app/resources/tmp/cache/templates` folder
and PHP was unable to write the compiled templates in it.
Instead of throwing an exception/error, the Compiler returned the
unparsed file without telling anyone what was happening (no error, no
logs).

With `$foo; ?>` appearing on the page I quickly saw that there was a
problem but if I had `short_tags` turned on, the unescaped variable
would have been printed (hello XSS!) and I would never have noticed it.

This behavior is dangerous but needed for the diagnostic page to show
properly on a default misconfigured installation of lithium. Short tags
are purposely avoided on its template, so allowing it to use the
compiler fallback is not a security/usability threat.
1 parent 6348782 commit a8cc0cf6905ac25f6f2a1b851fb21d5b2ab9a1f5 @L-P L-P committed Jun 29, 2012
Showing with 5 additions and 5 deletions.
  1. +2 −2 template/view/Compiler.php
  2. +3 −3 template/view/adapter/File.php
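--- a/template/view/Compiler.php
+++ b/template/view/Compiler.php
@@ -53,7 +53,7 @@ class Compiler extends \lithium\core\StaticObject {
  */
 public static function template($file, array $options = array()) {
 $cachePath = Libraries::get(true, 'resources') . '/tmp/cache/templates';
-$defaults = array('path' => $cachePath, 'fallback' => true);
+$defaults = array('path' => $cachePath, 'fallback' => false);
 $options += $defaults;
 $stats = stat($file);
@@ -95,4 +95,4 @@ public static function compile($string) {
 }
 }
-?>
+?>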
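Review bot: The `fallback` option's documentation, which ends just above the hunk, should record the new default and what enabling it means, since the hunk only flips the value; something like `- 'fallback' _boolean_: Defaults to false. When true and the compiled template cannot be written to 'path', the unparsed template file is returned instead of an error; with short tags enabled that outputs raw template code and unescaped variables.` The branch that returns the unparsed file lies outside the hunk, so I cannot confirm whether it reports anything; if it is still silent, a caller that opts into the fallback (the diagnostic page, per the description) gets no log entry when the cache directory is unwritable, and a `trigger_error()` or logger call at that spot would make the misconfiguration visible. template()'s body continues beyond the hunk.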
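--- a/template/view/adapter/File.php
+++ b/template/view/adapter/File.php
@@ -79,7 +79,7 @@ class File extends \lithium\template\view\Renderer implements \ArrayAccess {
 public function __construct(array $config = array()) {
 $defaults = array(
-'classes' => array(), 'compile' => true, 'extract' => true, 'paths' => array()
+'classes' => array(), 'compile' => true, 'compiler' => array(), 'extract' => true, 'paths' => array()
 );
 parent::__construct($config + $defaults);
 }
@@ -126,7 +126,7 @@ public function template($type, array $params) {
 if ($this->_compile) {
 $compiler = $this->_classes['compiler'];
-$path = $compiler::template($path);
+$path = $compiler::template($path, $this->_config['compiler']);
 }
 return $path;
 }
@@ -177,4 +177,4 @@ protected function _paths($type, array $params) {
 }
 }
-?>
+?>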
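Review bot: The new `compiler` key added to `$defaults` in __construct() is not described anywhere visible; the constructor docblock sits above the hunk, so add an entry there such as `- 'compiler' _array_: Options forwarded to the compiler's template() method, e.g. 'path' and 'fallback'.` The line it is added to now carries five keys, and one key per line would keep it readable. In template() the value is passed straight through as `$this->_config['compiler']`, which relies on the constructor merge having run; that holds for the default path, but a caller supplying a non-array value would reach Compiler::template()'s `array $options` type hint unchecked, so a check or cast in __construct, e.g. `$config['compiler'] = (array) ($config['compiler'] ?? array());`, would make the contract explicit (the `??` form presumes PHP 7+, adjust to `isset()` otherwise). template() extends beyond the hunk shown.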
