Note: Resend this message, removing attachment now. On Wed, Apr 20, 2011 at 2:24 AM, Arief M Utama <[email protected]>wrote:
> Hi all, > > First, I've to say I'm amazed by Symfony2 framework. I'm a symfony > user/developer since symfony1.0, so I know a little about bits and pieces > about symfony, but I still think that Symfony2 looks like a better and very > promising framework. > > Now, I'm having this bug in the Symfony2 framework if I choose to use php > as the templating engine. > > I was following the code in the simple "Hello World" introduction using > PR11 release. I created a new "Study" bundle following the code in the book. > And replace the templates with ".php" instead of ".twig" > > The thing is the final render() calls always add and extra character, > which is digit "1". > > So when I tried to call: > > app.php/hello/Arief > > What will came up in the page is: > > "Hello, Arief! 1" > > instead of just: > > "Hello, Arief!" > > Investigating this issue, I noticed that in file: > > Symfony/Component/Templating/PhpEngine.php > > The extra "1" char is added when the base template (base.html.php) was > filled in by the content of the hello template > (HelloBundle:Default:index.html.php) > > At the hello template stage, there is no extra "1" char in the content, but > when the base template evaluated, the char appeared in the content. > > I think this has something to do with the function evaluate() in that > PhpEngine.php file, there is this "extract($parameters)" code before the > template is required. I believe, somehow one of the extracted parameters > generated this digit "1" character, I'm not sure which one, or how it > happened, yet. > > I'd very much appreciate if anyone can help explain why is that happened > and how to fixed it. If more info is required from me, I'll be happy to > provide em. Here with I attached my base.html.php and index.html.php for > start. > > Btw, when I tried to var_dump() the $parameters passed in the evaluate() > function, I was a bit surprised cause it contains every parameters that > Symfony has access to. There is also database connection details in that > variable. > > I'm not a security expert, so I could be wrong about this, but I think > there might be security flaw here, if an attacker could somehow trick the > application to var_dump the $parameters variable everything will be exposed. > > To be a bit paranoid, may I suggest we create 2 parameters variables, one > that can safely be passed around everywhere, and another with some sort of > security perimeters. Please CMIIW on this one. > > Thank you for the great framework. > > > All the best. > -arief > > > > -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
