Security Issue In Yii (Templates)

khizar · January 14, 2014, 3:47pm

Hello Friends,

I hired a web designer to complete some html task (for new awesome theme)

And the problem was we can’t disclose, our php code of models/controller

What i had done? i created an ftp account on development machine with write permission only on view folder, from where he can edit the code,

As you know that user can run any php code and using that he can view model/controller code, to solve this issue we used a template engine named twig which is available as yii extension.

Now the security issue is that while using template engine user can read any php file by running php code inside CGridView

For example:

{{ this.widget(‘zii.widgets.grid.’,{

…

    'columns':[


        {'name':'name', 'value':'&#036;data-&gt;name.&#092;'file_get_contents(&quot;filename.php&quot;)&#092;''},


    ]


}, true) }}

Is there anyway to solve this issue?

Thanks in advance

twisted1919 · January 14, 2014, 7:04pm

Eval()'uated code will always behave like this.

khizar · January 14, 2014, 10:08pm

Thanks for reply,

Is there any workaround?

CeBe · January 15, 2014, 7:11am

Not for PHP. You might want your designer to sign an NDA so that he may see your code.

hrnair · January 15, 2014, 3:38pm

is it ok to give the html output of each page to your designer so that he can make the css?

Afterall the designers will be working with html and scripts.