Yii Framework Forum: Security Issue In Yii (Templates) - Yii Framework Forum

Security Issue In Yii (Templates)

#1 khizar

  • Newbie
  • Group: Members
  • Posts: 5
  • Joined: 04-December 13

Posted 14 January 2014 - 10:47 AM

Hello Friends,

I hired a web designer to complete some HTML tasks (for a new awesome theme).

And the problem was that we can't disclose our PHP code of models/controllers.

What I had done: I created an FTP account on the development machine with write permission only on the view folder, from where he can edit the code.

As you know, that user can run any PHP code and using that he can view model/controller code; to solve this issue we used a template engine named Twig, which is available as a Yii extension.

Now the security issue is that while using the template engine, the user can read any PHP file by running PHP code inside CGridView.

For example:
{{ this.widget('zii.widgets.grid.',{
......
......
'columns':[
{'name':'name', 'value':'$data->name.\'file_get_contents("filename.php")\''},
]
}, true) }}

Is there any way to solve this issue?

Thanks in advance
0
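The mechanism behind the post, as an added stand-alone example (not code from the thread or from the Yii project): CGridView hands a string column `value` to `CComponent::evaluateExpression()`, which evaluates it with eval(), so any PHP expression a template author writes there runs with the application's rights. The example models that path and a stricter resolver that accepts only attribute paths or callables defined in PHP code. `SampleRow`, `yiiStyleEvaluate` and `safeColumnValue` are hypothetical names; the row data is constructed.

```php
<?php
// Added example for this thread, not code from the post or from the Yii project.
// It reproduces, stand-alone, how a CGridView column 'value' string ends up in
// eval(), and shows a stricter resolver. Class and function names are hypothetical.

// Constructed sample row standing in for the $data model CGridView passes to each column.
class SampleRow
{
    public $name = 'alice';
    public $email = 'alice@example.invalid';
}

// Mirrors the behaviour of CComponent::evaluateExpression() in Yii 1.1:
// a string is handed to eval() with the supplied variables in scope,
// anything else is invoked as a PHP callable.
function yiiStyleEvaluate($_expression_, array $_data_)
{
    if (is_string($_expression_)) {
        extract($_data_);                      // makes $data visible to the expression
        return eval('return ' . $_expression_ . ';');
    }
    return call_user_func_array($_expression_, array_values($_data_));
}

// Hardened resolver for column values. Two shapes are accepted:
//   1. a PHP callable, which can only be written in PHP code the designer cannot edit
//   2. an attribute path such as "name" or "profile.email"
// Operators, quotes and function calls are rejected before anything reaches eval().
function safeColumnValue($expression, $data)
{
    if (!is_string($expression)) {
        if (!is_callable($expression)) {
            throw new InvalidArgumentException('column value must be a callable or an attribute path');
        }
        return call_user_func($expression, $data);
    }
    if (!preg_match('/^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/', $expression)) {
        throw new InvalidArgumentException('rejected column expression: ' . $expression);
    }
    $value = $data;
    foreach (explode('.', $expression) as $attribute) {
        if (!is_object($value) || !property_exists($value, $attribute)) {
            throw new InvalidArgumentException('unknown attribute: ' . $attribute);
        }
        $value = $value->$attribute;
    }
    return $value;
}

$row = new SampleRow();

// 1. The string path: an arbitrary PHP expression runs, which is the problem described in the post.
echo yiiStyleEvaluate('strtoupper($data->name)', array('data' => $row)), "\n";

// 2. The same string is refused by the hardened resolver.
try {
    safeColumnValue('strtoupper($data->name)', $row);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// 3. What a template author may still use: attribute paths, and closures written in PHP code.
echo safeColumnValue('email', $row), "\n";
echo safeColumnValue(function ($d) { return strtoupper($d->name); }, $row), "\n";
```

A Twig template cannot create a PHP closure, so with a resolver like this the view author can only name attributes, while formatting logic stays in controller or model code. Twig's own sandbox extension (Twig_Extension_Sandbox with a Twig_Sandbox_SecurityPolicy in Twig 1.x) can additionally restrict which methods a template may call on `this`, but, as the replies below point out, none of this helps once any widget passes a template-supplied string to eval().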

#2 twisted1919

  • Master Member
  • Group: Members
  • Posts: 643
  • Joined: 23-October 10
  • Location: Romania

Posted 14 January 2014 - 02:04 PM

Eval()'uated code will always behave like this.
0

#3 khizar

  • Newbie
  • Group: Members
  • Posts: 5
  • Joined: 04-December 13

Posted 14 January 2014 - 05:08 PM

twisted1919, on 14 January 2014 - 02:04 PM, said:

Eval()'uated code will always behave like this.

Thanks for the reply,
Is there any workaround?
0

#4 CeBe

  • Advanced Member
  • Group: Yii Dev Team
  • Posts: 532
  • Joined: 16-July 10
  • Location: Berlin, Germany

Posted 15 January 2014 - 02:11 AM

Not for PHP. You might want your designer to sign an NDA so that he may see your code.
0

#5 hrnair

  • Junior Member
  • Group: Members
  • Posts: 29
  • Joined: 09-December 12

Posted 15 January 2014 - 10:38 AM

Is it OK to give the HTML output of each page to your designer so that he can make the CSS?

After all, the designers will be working with HTML and scripts.
0
