Security Breach through Template::Toolkit

by Sixtease (Friar)
on Nov 11, 2008 at 08:31 UTC ( #722806=perlquestion )
Sixtease has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks,

I'd like to let the users of my web app customize their pages. Perlmonks does something similar by letting me write my own CSS. I'd like to go one step further and let them write their own template with Template::Toolkit.

I know though that Template can be configured to enable processing of Perl code within the templates, which would of course be an open gate for bad guys.

Can Template::Toolkit be configured to only allow "safe" things done in the templates? Do you think this whole idea is reasonably realizable?

use strict; use warnings; print "Just Another Perl Hacker\n";

Replies are listed 'Best First'.
Re: Security Breach through Template::Toolkit
by stonecolddevin (Vicar) on Nov 11, 2008 at 08:35 UTC
Re: Security Breach through Template::Toolkit
by moritz (Cardinal) on Nov 11, 2008 at 08:41 UTC
    It's not a mere matter of configuring Template. If you pass an object to your template, the template can call arbitrary (public) methods on it.

    So if you pass a DBIx::Class object to the template, it might be possible for the user to query your DB for things you didn't want to reveal to them. Or if you have defined some many-to-many relations the user could walk through all these relations, issuing many DB queries and thus degrading performance.

    Maybe that can be prohibited somehow, but it's a danger you have to be aware of.

      More importantly, every good ORM allows you to access the entire database from any object provided by that ORM. That sort of reflection is considered to be a feature.

      My criteria for good software:
      1. Does it work?
      2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
Re: Security Breach through Template::Toolkit
by Sixtease (Friar) on Nov 11, 2008 at 10:08 UTC

    Yeah well, I'm starting to see that Template::Toolkit might be just a little too powerful. Let alone the STDOUT filter could bloat the output of my app. Users can create complex data structures and print them repeatedly, so I see ways of loading the server with lots of work.

    Maybe HTML::Template would be better. But the comfort is far from that which TT provides.

    use strict; use warnings; print "Just Another Perl Hacker\n";
      Maybe HTML::Template::Compiled might be a compromise? It offers a few features that HTML::Template doesn't have (it's maintained, it offers caching, a less verbose tag style, loops over hashes, sane handling of character encodings etc) without providing TT's full power.
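
The two risks raised in this thread (Perl code in templates, and objects handed to templates) shown side by side, as an added example that is not part of any post above and not code from the thread's participants. `Demo::User`, `render` and the template strings are hypothetical names and constructed sample data.

```perl
use strict;
use warnings;
use Template;

# Constructed stand-in for an ORM row object (hypothetical class, not DBIx::Class).
package Demo::User;
sub new           { my ($class, %f) = @_; return bless {%f}, $class }
sub name          { $_[0]{name} }
sub password_hash { $_[0]{password_hash} }

package main;

# EVAL_PERL is off by default; set it explicitly so the choice is visible in review.
my $tt = Template->new({ EVAL_PERL => 0 }) or die Template->error;

# Render a template string with the given variables; return the output,
# or the Template Toolkit error text if processing fails.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out)
        or return 'ERROR: ' . $tt->error;
    return $out;
}

my $user = Demo::User->new(name => 'alice', password_hash => 'CONSTRUCTED-HASH');

# Constructed user-supplied templates.
my $tpl_fields = 'name=[% user.name %] hash=[% user.password_hash %]';
my $tpl_perl   = '[% PERL %] print "ran perl"; [% END %]';

# Exposed: given the object, the template can call any public method on it.
print render($tpl_fields, { user => $user }), "\n";

# Restricted: copy only the fields users may see into a plain hash.
# The same template now finds nothing behind user.password_hash.
my %view = (name => $user->name);
print render($tpl_fields, { user => \%view }), "\n";

# With EVAL_PERL off, a PERL block makes process() fail instead of running.
print render($tpl_perl, { user => \%view }), "\n";
```

Passing plain data only addresses the method-exposure point; it does not limit how much work or output a template can generate, which is the concern in the reply above.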

Node Type: perlquestion [id://722806]
Approved by ikegami