Security risk: Allow php in templates?

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
jaap_nl
Registered User
Posts: 43
Joined: Mon May 18, 2009 11:25 am

Security risk: Allow php in templates?

Post by jaap_nl »

I want to set "Allow php in templates" to 'yes' in admin, because I want to add banners beside my forum (in overal_header.html).

However, I read in several places that setting "Allow php in templates" to yes is discouraged, and that there might be a security issue.
Now my question is: is this true?

And, if there is a risk, why isn't there a way of enabling php ONLY in overal_header.html and overal_header.html? (since this is the place where an end user wants to include custom files)

What is your opinion about this?

Best regards,
Jaap
Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Security risk: Allow php in templates?

Post by Pit$Bull »

If it were a security risk this option wouldn't be included.
jaap_nl
Registered User
Posts: 43
Joined: Mon May 18, 2009 11:25 am

Re: Security risk: Allow php in templates?

Post by jaap_nl »

Thank you Pit$Bull.
Is there anyone from the phpBB3 development community who can confirm this, or are you yourself a phpBB3 developer?
I think that there are a lot of people with this question!
Best regards, Jaap
Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Security risk: Allow php in templates?

Post by Pit$Bull »

phpBB includes no options that will allow a security risk.
You can post to the Security Tracker
igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Location: {postrow.POSTER_FROM}
Name: Igor Wiedler

Re: Security risk: Allow php in templates?

Post by igorw »

Enabling the 'allow php in templates' option is not a security risk per se, but it is discouraged for a number of reasons.
  • We want to prevent MOD authors from making MODs that put PHP code into templates. The whole point of templates is to separate output from business logic. This means separating the PHP code from the HTML.
  • Users can mis-use this feature and mindlessly copy-paste scripts into their templates. Lots of the scripts out there have major security issues.
  • By encouraging users to use MODs from the customisation database, we can make sure they get secure code, because we review everything thoroughly before it is accepted.
You can still enable the feature, and if you know what you're doing, it can be convenient. But it is discouraged.
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three
jaap_nl
Registered User
Posts: 43
Joined: Mon May 18, 2009 11:25 am

Re: Security risk: Allow php in templates?

Post by jaap_nl »

Hi igorw, thanks for the clarification.
So, to conclude: if my php includes are safe by themselves and do not interfere with phpBB, is it ok to use them to customize one specific phpBB installation?
Best regards,
Jaap
igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Location: {postrow.POSTER_FROM}
Name: Igor Wiedler

Re: Security risk: Allow php in templates?

Post by igorw »

Yes.

You need to use the <!-- INCLUDEPHP yourfile.php --> and <!-- PHP --> /* your code */ <!-- ENDPHP --> tags.
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three
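The two tags named above are the only places where a phpBB 3.0 template can pull in PHP, so an administrator who has enabled the option can audit exactly what it executes. The script below is an added example, not code from phpBB or from anyone in this thread: it scans template text for `<!-- PHP --> … <!-- ENDPHP -->` blocks and `<!-- INCLUDEPHP … -->` tags, reports each with its line number, and flags include paths that leave the styles tree (absolute paths or `..` segments) for review first. The sample template and the `banners/` path are constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample template (not a real phpBB file): ordinary template
# syntax mixed with the two tags that only run PHP when the option is on.
SAMPLE_TEMPLATE = """<!-- INCLUDE header_top.html -->
<div id="banner">
<!-- INCLUDEPHP banners/side_banner.php -->
</div>
<!-- PHP -->
echo '<div class="stats">' . date('Y') . '</div>';
<!-- ENDPHP -->
<!-- INCLUDEPHP ../../outside_root.php -->
"""

PHP_BLOCK = re.compile(r'<!--\s*PHP\s*-->(.*?)<!--\s*ENDPHP\s*-->', re.S)
INCLUDEPHP = re.compile(r'<!--\s*INCLUDEPHP\s+(\S+)\s*-->')


def scan_template(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, detail) for every PHP tag in a template.

    kind is 'PHP' (detail = first line of the inline code), 'INCLUDEPHP'
    (detail = included path) or 'INCLUDEPHP-SUSPICIOUS' when the path is
    absolute or contains a '..' segment, i.e. points outside the styles tree.
    """
    findings = []
    for m in PHP_BLOCK.finditer(text):
        line_no = text.count('\n', 0, m.start()) + 1
        first = (m.group(1).strip().splitlines() or [''])[0]
        findings.append((line_no, 'PHP', first))
    for m in INCLUDEPHP.finditer(text):
        line_no = text.count('\n', 0, m.start()) + 1
        path = m.group(1)
        kind = 'INCLUDEPHP'
        if path.startswith('/') or '..' in path.split('/'):
            kind = 'INCLUDEPHP-SUSPICIOUS'
        findings.append((line_no, kind, path))
    return sorted(findings)


def scan_styles_dir(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan every *.html template under root (e.g. phpBB's styles/ directory)."""
    results = {}
    for path in Path(root).rglob('*.html'):
        found = scan_template(path.read_text(encoding='utf-8', errors='replace'))
        if found:
            results[str(path)] = found
    return results


if __name__ == '__main__':
    for line_no, kind, detail in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {kind} {detail}")
```

Run it against a board's styles directory with `scan_styles_dir('styles')` to see which templates a MOD or a copy-pasted snippet has put PHP into; a clean audit should show only the includes the administrator added deliberately.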
jaap_nl
Registered User
Posts: 43
Joined: Mon May 18, 2009 11:25 am

Re: Security risk: Allow php in templates?

Post by jaap_nl »

Ok, thanks Igor!
Best regards, Jaap