commit ba02c07b66dd2a81780475f62bf03588ffedf89c
parent 8083e397b429e17dfaf1bedf3ecc6edfe296879c
Author: dankert <devnull@localhost>
Date: Fri, 15 May 2009 23:35:49 +0200
Per Konfiguration ist es möglich, das Ausführen von dynamischem PHP-code zu deaktivieren.
Diffstat:
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/config/security.ini.php b/config/security.ini.php
@@ -29,6 +29,15 @@ chmod=
; Example: '0770' (means 'drwxrwx---')
chmod_dir=
+; You may disable dynamic code.
+; dynamic code ("CODE"-Elements in templates) are dangerous, because they may
+; interact with the file system (and much more!).
+;
+; Hint: only admin users are allowed to save dynamic code.
+; Enable, if admin users are trustful.
+; Disable, if admin users are anonym (f.e. demo-installations).
+; Default: true (for secure default installation).
+disable_dynamic_code = true
; Default Login
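Review bot: The comment lines `Enable, if admin users are trustful.` and `Disable, if admin users are anonym` read as the opposite of the key beneath them, because the setting is named `disable_dynamic_code` and "enable" can be taken to mean switching the protection on. An operator following the text literally could leave dynamic code active on a demo installation. I would phrase the guidance in terms of the value: `; Set to false only if every admin user is trusted.` and `; Keep true if admin accounts are shared or anonymous (e.g. demo installations).`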
diff --git a/objectClasses/Value.class.php b/objectClasses/Value.class.php
@@ -849,6 +849,9 @@ SQL
if ( $this->page->simple )
break;
+ if ( $conf['security']['disable_dynamic_code'] )
+ break;
+
$this->page->load();
$code = new Code();
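Review bot: The added check `if ( $conf['security']['disable_dynamic_code'] )` fails open: when the key is absent (for example a `security.ini.php` that predates this commit and was not updated), the expression is empty and the CODE element still executes, although the config comment promises a secure default. Treat a missing key as disabled, `if ( !isset($conf['security']['disable_dynamic_code']) || $conf['security']['disable_dynamic_code'] ) break;`. The enclosing method starts outside the hunk, so I cannot see whether `$conf` is in scope here (a `global $conf;` or equivalent); if it is not, the condition is always false and the switch has no effect. It is also worth confirming how the ini loader represents `false`, since a literal string `'false'` is truthy in PHP.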