Disable Compiler fallback by default.
I inadvertently removed my `app/resources/tmp/cache/templates` folder
and PHP was unable to write the compiled templates in it.
Instead of throwing an exception/error, the Compiler returned the
unparsed file without telling anyone what was happening (no error, no
logs).

With `$foo; ?>` appearing on the page I quickly saw that there was a
problem but if I had `short_tags` turned on, the unescaped variable
would have been printed (hello XSS!) and I would never have noticed it.

This behavior is dangerous but needed for the diagnostic page to show
properly on a default misconfigured installation of lithium. Short tags
are purposely avoided on its template so allowing it to use the
compiler fallback is not a security/usability threat.
L-P committed Jun 29, 2012
1 parent 6348782 commit a8cc0cf
Showing 2 changed files with 5 additions and 5 deletions.
4 changes: 2 additions & 2 deletions template/view/Compiler.php
@@ -53,7 +53,7 @@ class Compiler extends \lithium\core\StaticObject {
*/
public static function template($file, array $options = array()) {
$cachePath = Libraries::get(true, 'resources') . '/tmp/cache/templates';
$defaults = array('path' => $cachePath, 'fallback' => true);
$defaults = array('path' => $cachePath, 'fallback' => false);
$options += $defaults;

$stats = stat($file);
@@ -95,4 +95,4 @@ public static function compile($string) {
}
}

?>
?>
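Review bot: The docblock that closes just above `template()` (its text is outside this hunk) should record the new default and what opting back in means, because after this change it is the only place a caller learns the risk. A line such as `` `'fallback'`: `false` by default; when `true` and the cache path cannot be written, the uncompiled template is used and its output is not escaped if short tags are on `` would cover it. The code that acts on `fallback` sits further down in `template()` and is not visible here, so it is worth confirming that it raises an error rather than returning quietly when the option is off. A test that points `path` at an unwritable directory would pin that behaviour.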
6 changes: 3 additions & 3 deletions template/view/adapter/File.php
@@ -79,7 +79,7 @@ class File extends \lithium\template\view\Renderer implements \ArrayAccess {

public function __construct(array $config = array()) {
$defaults = array(
'classes' => array(), 'compile' => true, 'extract' => true, 'paths' => array()
'classes' => array(), 'compile' => true, 'compiler' => array(), 'extract' => true, 'paths' => array()
);
parent::__construct($config + $defaults);
}
@@ -126,7 +126,7 @@ public function template($type, array $params) {

if ($this->_compile) {
$compiler = $this->_classes['compiler'];
$path = $compiler::template($path);
$path = $compiler::template($path, $this->_config['compiler']);
}
return $path;
}
@@ -177,4 +177,4 @@ protected function _paths($type, array $params) {
}
}

?>
?>
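Review bot: The new `'compiler'` entry in the constructor's `$defaults` is adapter-wide, so a caller who sets `'compiler' => array('fallback' => true)` to keep the diagnostic page rendering re-enables the unescaped fallback for every template this adapter instance renders, not only that page. The constructor docblock (outside the hunk) should say so, for example `` `compiler`: options passed to `Compiler::template()`; enabling `'fallback'` here applies to all templates rendered through this adapter ``. Neither changed file turns the fallback on for the diagnostic page, so presumably that is configured elsewhere; worth confirming before relying on the new default. In `template()`, `$this->_config['compiler']` is passed to a parameter hinted `array`, so a non-array value supplied in config would fail at that call rather than at construction.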
