8
I’m developing a blog platform where users submit their template and Laravel uses this template to build the blog. The user/developer will only inform where the values will be, example:
<h2>{{$blog->title}}</h2>
I can allow a developer/user to create a template using the Lade ( {{ e }} ) keys without this affecting security?
13
{{var_dump(Config::get('database'))}}
And it’s gone...
I guess that’s all there is to it?
That was the best response I’ve seen in weeks! + 1
3
In addition to the risk already mentioned above, there are numerous others.
When you use $this within a view blade, you have access to the Illuminate\View\View.
Without contraring other methods he could play at will with his system.
Just to reinforce the above answer, see another "prank" that could happen:
File::deleteDirectory('diretorio_importante_do_seu_sistema');
It could also change some configuration file, such as the mail.php and make a mess in your system:
file_put_contents(app_path('config/mail.php'), var_export($configuracoes_malicosas, true));
Perhaps the solution in your case is to pre-process a possible template submitted by a user. Or, to have a block, for someone to analyze the content of this view and, only then, publish effectively.
I don’t know if this is the idea, but it seems that you want to do something similar to Wordpress.
Laravel already has a CMS, I don’t know if it solves, but I’ll leave the link so you can analyze and see if it meets your need.
Browser other questions tagged php laravel security-guard framework laravel-blade
You are not signed in. Login or sign up in order to post.
Power can, it will only need to limit what will be used. As @Neto said, there will be this risk if you allow the use of Laravel’s classes and properties.
– Papa Charlie