Hi all,
I'm resending this to symfony-users; I just realized that
symfony-devs is moderated.
First, I have to say I'm amazed by the Symfony2 framework. I've been a symfony
user/developer since symfony 1.0, so I know a little about the bits and
pieces of symfony, but I still think that Symfony2 looks like a
better and very promising framework.
Now, I'm running into this bug in the Symfony2 framework when I choose to use
PHP as the templating engine.
I was following the code in the simple "Hello World" introduction using
the PR11 release. I created a new "Study" bundle following the code in the
book, and replaced the ".twig" templates with ".php" ones.
The thing is, the final render() call always adds an extra character,
the digit "1".
So when I tried to call:
app.php/hello/Arief
what comes up in the page is:
"Hello, Arief! 1"
instead of just:
"Hello, Arief!"
Investigating this issue, I noticed that in the file
Symfony/Component/Templating/PhpEngine.php
the extra "1" char is added when the base template (base.html.php) is
filled in with the content of the hello template
(HelloBundle:Default:index.html.php).
At the hello template stage there is no extra "1" char in the content,
but when the base template is evaluated, the char appears in the content.
I think this has something to do with the evaluate() function in that
PhpEngine.php file: there is an "extract($parameters)" call before
the template is required. I believe that somehow one of the extracted
parameters generates this digit "1" character, but I'm not sure which one,
or how it happens, yet.
I'd very much appreciate it if anyone could help explain why this happens
and how to fix it. If more info is required from me, I'll be happy to
provide it. I was trying to attach my base.html.php and index.html.php,
but somehow my mail can't get through with them.
Btw, when I tried to var_dump() the $parameters passed into the evaluate()
function, I was a bit surprised because it contains every parameter that
Symfony has access to. There are also database connection details in that
variable.
I'm not a security expert, so I could be wrong about this, but I think
there might be a security flaw here: if an attacker could somehow trick
the application into var_dump()ing the $parameters variable, everything would be
exposed.
To be a bit paranoid, may I suggest we create two parameter variables,
one that can safely be passed around everywhere, and another with some
sort of security perimeter around it. Please CMIIW on this one.
Thank you for the great framework.
All the best.
-arief
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to
symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
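The mechanism arief describes above, as an added illustration that is not Symfony's PhpEngine code and not the templates from the post: a minimal engine that does extract($parameters) and then require inside an output buffer, a constructed set of templates written to a temp directory, and a scoped variant of the engine. The helper names render(), output_slot() and render_scoped() are invented here; output_slot() is modelled on the kind of helper that echoes a slot and returns a bool rather than a string, which is an assumption, not a statement about Symfony's slots helper. It shows one way a stray "1" is produced in a PHP template (echoing a bool true, which PHP prints as "1"), and why everything placed in $parameters is visible from a template once it has been extracted. Requires PHP 7 or later.

```php
<?php
// Added example, not Symfony's PhpEngine and not the poster's templates.
// A minimal engine in the shape the post describes: extract($parameters)
// into the local scope, then require the template inside an output buffer.
// Helper names (render, output_slot, render_scoped) are invented here.

function render(string $templateFile, array $parameters): string
{
    // EXTR_SKIP keeps a parameter named "templateFile" or "parameters" from
    // overwriting the function's own locals before the require below runs.
    extract($parameters, EXTR_SKIP);
    ob_start();
    require $templateFile;      // whatever the template prints lands in the buffer
    return ob_get_clean();
}

// Assumption for this example: a helper that echoes its content and returns
// bool, in the style of helpers that print a slot. "echo" of its return value
// prints true as the digit "1" after the content it already printed.
function output_slot(string $content): bool
{
    echo $content;
    return true;
}

// Scoped variant: only the keys a template was declared to need are passed
// on, so both the extracted locals and $parameters itself are limited.
function render_scoped(string $templateFile, array $parameters, array $allowed): string
{
    $visible = array_intersect_key($parameters, array_flip($allowed));
    return render($templateFile, $visible);
}

// Constructed templates, written to a temp dir so the example runs stand-alone.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/index.html.php",
    'Hello, <?php echo htmlspecialchars($name, ENT_QUOTES) ?>!');
// Helper echoes the slot; nothing else is printed.
file_put_contents("$dir/base_good.html.php",
    '<?php output_slot($content) ?>');
// Same helper, but its bool return value is echoed as well.
file_put_contents("$dir/base_bad.html.php",
    '<?php echo output_slot($content) ?>');
// A template that lists every variable visible in its scope (what a
// var_dump() from a template would reveal).
file_put_contents("$dir/leak.html.php",
    '<?php echo implode(",", array_keys(get_defined_vars())) ?>');

$content = render("$dir/index.html.php", ['name' => 'Arief']);
echo render("$dir/base_good.html.php", ['content' => $content]), "\n";
echo render("$dir/base_bad.html.php", ['content' => $content]), "\n";

// Second observation from the post: anything in $parameters reaches the
// template scope. The password below is a constructed placeholder.
$all = ['content' => $content, 'db_password' => 'constructed-placeholder'];
echo render("$dir/leak.html.php", $all), "\n";
echo render_scoped("$dir/leak.html.php", $all, ['content']), "\n";

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Run with `php example.php`. The first base template prints the greeting alone; the second prints the greeting followed by "1", because echoing bool true prints "1". The leak template lists db_password when rendered through render(), and not when rendered through render_scoped(), since the scoped variant filters the array before it is extracted, so neither the locals nor $parameters inside the template carry the extra keys.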