openrat-cms


commit ba02c07b66dd2a81780475f62bf03588ffedf89c
parent 8083e397b429e17dfaf1bedf3ecc6edfe296879c
Author: dankert <devnull@localhost>
Date:   Fri, 15 May 2009 23:35:49 +0200

Per Konfiguration ist es möglich, das Ausführen von dynamischem PHP-code zu deaktivieren.

Diffstat:
config/security.ini.php | 9+++++++++
objectClasses/Value.class.php | 3+++
2 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/config/security.ini.php b/config/security.ini.php @@ -29,6 +29,15 @@ chmod= ; Example: '0770' (means 'drwxrwx---') chmod_dir= +; You may disable dynamic code. +; dynamic code ("CODE"-Elements in templates) are dangerous, because they may +; interact with the file system (and much more!). +; +; Hint: only admin users are allowed to save dynamic code. +; Enable, if admin users are trustful. +; Disable, if admin users are anonym (f.e. demo-installations). +; Default: true (for secure default installation). +disable_dynamic_code = true ; Default Login diff --git a/objectClasses/Value.class.php b/objectClasses/Value.class.php @@ -849,6 +849,9 @@ SQL if ( $this->page->simple ) break; + if ( $conf['security']['disable_dynamic_code'] ) + break; + $this->page->load(); $code = new Code();
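Review bot: The comment added above `disable_dynamic_code` is ambiguous, because the key is negated while the advice says "Enable" and "Disable" without naming what is switched: the option or dynamic code itself. An operator of a demo installation who reads "Disable, if admin users are anonym" could set the key to false, which turns dynamic code on. I would word the guidance in terms of the value, for example `; Set to true to block CODE elements (use this when admin accounts are shared or anonymous, e.g. demo installations).` followed by `; Set to false only if every admin user is trusted.`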
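Review bot: The new guard `if ( $conf['security']['disable_dynamic_code'] )` fails open when the key is absent. An installation upgraded without the new line in security.ini.php gets null there, so the `break` is skipped and the `new Code()` path still runs. Since the default is meant to be the secure one, a missing key should count as disabled, e.g. `if ( !isset($conf['security']['disable_dynamic_code']) || $conf['security']['disable_dynamic_code'] ) break;`. The enclosing method starts outside the hunk, so it is not visible whether `$conf` is in scope at this point (a `global $conf;` or equivalent); if it is not, the check never triggers and that should be confirmed.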