I want to set "Allow php in templates" to 'yes' in admin, because I want to add banners beside my forum (in overall_header.html).
However, I read in several places that setting "Allow php in templates" to yes is discouraged, and that there might be a security issue.
Now my question is: is this true?
And, if there is a risk, why isn't there a way of enabling php ONLY in overall_header.html and overall_header.html? (since this is the place where an end user wants to include custom files)
Thank you pit$bull.
Is there anyone from the phpbb3-development community who can confirm this,
or are you yourself a phpbb3-developer?
I think that there are a lot of people with this question!
Best regards Jaap
Enabling the 'allow php in templates' option is not a security risk per se, but it is discouraged for a number of reasons.
We want to prevent MOD authors from making MODs that put PHP code into templates. The whole point of templates is to separate output from business logic. This means separating the PHP code from the HTML.
Users can misuse this feature and mindlessly copy-paste scripts into their templates. Lots of the scripts out there have major security issues.
By encouraging users to use MODs from the customisation database, we can make sure they get secure code, because we review everything thoroughly before it is accepted.
You can still enable the feature, and if you know what you're doing, it can be convenient. But it is discouraged.
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three
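An added example, not part of the thread and not phpBB's own code: a Python audit that lists every phpBB3 PHP template directive (`<!-- PHP -->` and `<!-- INCLUDEPHP -->`) in a style directory and flags any that sit outside an allow-list, which is useful when the option is enabled for one banner include only. The allow-list, the sample templates and the path `banners/left.php` are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# phpBB3 template directives that run PHP when "Allow php in templates" is on.
# <!-- ENDPHP --> and <!-- INCLUDE ... --> are deliberately not matched.
PHP_DIRECTIVE = re.compile(r"<!--\s*(PHP|INCLUDEPHP)\b\s*(.*?)\s*-->", re.IGNORECASE)

# Assumption: the only template the admin intends to carry PHP.
ALLOWED = {"overall_header.html"}


def audit_templates(template_dir, allowed=ALLOWED):
    """Return (file, line_no, directive, argument, permitted) per PHP directive."""
    findings = []
    for path in sorted(Path(template_dir).rglob("*.html")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in PHP_DIRECTIVE.finditer(line):
                findings.append((path.name, line_no, m.group(1).upper(),
                                 m.group(2), path.name in allowed))
    return findings


def build_sample_style(root):
    """Write constructed sample templates (not taken from a real phpBB style)."""
    samples = {
        "overall_header.html":
            '<div id="banner">\n<!-- INCLUDEPHP banners/left.php -->\n</div>\n',
        "viewtopic_body.html":
            "<h2>{TOPIC_TITLE}</h2>\n<!-- PHP -->\necho date('Y');\n<!-- ENDPHP -->\n",
        "index_body.html": "<!-- INCLUDE forumlist_body.html -->\n",
    }
    for name, body in samples.items():
        Path(root, name).write_text(body, encoding="utf-8")
    return root


def demo():
    """Audit the constructed sample style in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_templates(build_sample_style(tmp))


if __name__ == "__main__":
    for name, line_no, directive, arg, ok in demo():
        status = "expected" if ok else "UNEXPECTED"
        print(f"{status:10} {name}:{line_no} {directive} {arg}")
```

Run it against the style's `template` directory after installing a MOD or editing templates; any `UNEXPECTED` line is PHP that was not part of the intended banner include.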
Hi igorw, thanks for the clarification.
So, to conclude: if my php-includes are safe by themselves, and do not interfere with phpbb,
it is ok to do, to customize one specific phpbb application?
Best regards,
Jaap