Risk in allowing developers to upload Blade files

8

I’m developing a blog platform where users submit their template and Laravel uses this template to build the blog. The user/developer will only indicate where the values go, for example:

<h2>{{$blog->title}}</h2>

Can I allow a developer/user to create a template using the Blade tags ( {{ and }} ) without this affecting security?

  • 2

    You can, you will just need to limit what can be used. As @Neto said, the risk exists if you allow the use of Laravel’s classes and properties.

2 answers

13

{{var_dump(Config::get('database'))}}

And it’s gone...

  • 5

    I guess that’s all there is to it?

  • 2

    That was the best response I’ve seen in weeks! + 1

3

In addition to the risk already mentioned above, there are numerous others.

When you use $this within a Blade view, you have access to the Illuminate\View\View instance.

Not to mention other methods: they could play at will with your system.

Just to reinforce the above answer, see another "prank" that could happen:

File::deleteDirectory('diretorio_importante_do_seu_sistema');

It could also change some configuration file, such as mail.php, and make a mess of your system:

file_put_contents(app_path('config/mail.php'), var_export($configuracoes_malicosas, true));

Perhaps the solution in your case is to pre-process any template submitted by a user. Or to hold it back so that someone can analyze the content of this view and only then publish it.

I don’t know if this is the idea, but it seems that you want to do something similar to Wordpress.

Laravel already has a CMS; I don’t know if it solves your problem, but I’ll leave the link so you can analyze it and see if it meets your need.

https://octobercms.com/
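One way to do the pre-processing this answer suggests, as an added example that is not part of the original question or answers: never hand the user's file to the Blade compiler at all, but treat it as plain text with a tiny placeholder syntax and a whitelist of fields. The function names, the allowed field list and the sample input are assumptions.

```php
<?php
// Added example, not code from the original page. Fields a user template may
// reference; anything else inside {{ }} is rejected (assumed list).
const ALLOWED_FIELDS = ['title', 'body', 'author', 'date'];

// Reject anything that would mean something to PHP or Blade if the file were
// ever compiled: PHP open tags, raw echo tags, dangerous directives, and any
// {{ }} expression that is not exactly "$blog->field" with an allowed field.
function findTemplateViolations(string $template): array
{
    $violations = [];
    if (preg_match('/<\?(php|=)?/i', $template)) {
        $violations[] = 'PHP open tag';
    }
    if (preg_match('/\{!!.*?!!\}/s', $template)) {
        $violations[] = 'unescaped Blade echo {!! !!}';
    }
    if (preg_match_all('/@(php|include|extends|inject|each)\b/i', $template, $m)) {
        foreach ($m[0] as $directive) {
            $violations[] = 'Blade directive ' . $directive;
        }
    }
    preg_match_all('/\{\{(.*?)\}\}/s', $template, $m);
    foreach ($m[1] as $expr) {
        $expr = trim($expr);
        if (!preg_match('/^\$blog->([a-z_]+)$/', $expr, $f)
            || !in_array($f[1], ALLOWED_FIELDS, true)) {
            $violations[] = 'disallowed expression {{ ' . $expr . ' }}';
        }
    }
    return $violations;
}

// Render by plain substitution with HTML escaping. Blade is never involved,
// so nothing in the template can reach Config, File or $this.
function renderUserTemplate(string $template, array $blog): string
{
    $violations = findTemplateViolations($template);
    if ($violations !== []) {
        throw new InvalidArgumentException('Template rejected: ' . implode('; ', $violations));
    }
    return preg_replace_callback('/\{\{\s*\$blog->([a-z_]+)\s*\}\}/', function ($m) use ($blog) {
        return htmlspecialchars((string) ($blog[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Constructed sample input: a harmless template and the one from the first answer.
echo renderUserTemplate('<h2>{{ $blog->title }}</h2>', ['title' => 'Hello <World>']), "\n";
print_r(findTemplateViolations("{{var_dump(Config::get('database'))}}"));
```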
