Unfortunately, it is not enough to delete or revoke the permissions of the page.php file.
A URL like this on your site
will unhide the source code of any of those templates, including all the PHP code there:
http://www.mysite.com/cgi-bin/lsql/page.cgi?d=1&t=default_php
So the default_php should also be deleted, or moved out of the templates dir!
I think this may have some security risks.
Alex? What do you think about this?
I assume this is a bug.
The best solution would be to add an option in Admin/Setup to choose whether to ignore the 'default_php' directory or not. By default it should be ignored.
Also, an easy workaround: SiteHTML.pm should probably also ignore the default_php directory (only when called from *.cgi scripts), in the same way as the 'admin' and 'help' directories are ignored.
Code:
sub _compile {
    ...
    if ($template_set eq 'admin' or $template_set eq 'help') {
        $template_set = $CFG->{build_default_tpl} || 'default';
    }
    ...
}
should be:
Code:
sub _compile {
    ...
    if ($template_set eq 'admin' or $template_set eq 'help'
        or $template_set eq 'default_php') {
        $template_set = $CFG->{build_default_tpl} || 'default';
    }
    ...
}
Best regards,
Webmaster33
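The workaround and the Admin/Setup option proposed in the post above, combined into one stand-alone sketch. This is an added example, not Gossamer Threads code and not Webmaster33's: `resolve_template_set`, the `hidden_tpl_sets` config key, the `$from_cgi` flag and the sample set name `luna` are hypothetical; only `build_default_tpl` and the directory names come from the post. It assumes the hidden list applies only to requests arriving through *.cgi scripts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical config. Only build_default_tpl appears in the post;
# hidden_tpl_sets stands in for the proposed Admin/Setup option.
my $CFG = {
    build_default_tpl => 'default',
    hidden_tpl_sets   => [qw(admin help default_php)],
};

# Return the template set that may be served for a requested name.
# $from_cgi is true when the request came through a *.cgi script,
# where the 't' parameter is supplied by the visitor.
sub resolve_template_set {
    my ($requested, $cfg, $from_cgi) = @_;
    my $fallback = $cfg->{build_default_tpl} || 'default';

    # No 't' parameter at all: serve the default set.
    return $fallback unless defined $requested && length $requested;

    # Non-CGI callers (assumption: trusted, e.g. the static build) are not filtered.
    return $requested unless $from_cgi;

    # Hidden sets silently fall back to the default, as the existing
    # 'admin' / 'help' check in _compile does.
    my %hidden = map { $_ => 1 } @{ $cfg->{hidden_tpl_sets} || [] };
    return $hidden{$requested} ? $fallback : $requested;
}

# Constructed sample requests: [ value of t, called from CGI? ]
my @cases = (
    ['default_php', 1],
    ['admin',       1],
    ['luna',        1],
    ['default_php', 0],
    [undef,         1],
);

for my $case (@cases) {
    my ($t, $from_cgi) = @$case;
    printf "t=%-12s cgi=%d -> %s\n",
        defined $t ? $t : '(none)', $from_cgi,
        resolve_template_set($t, $CFG, $from_cgi);
}
```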