tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1182 from chillu/pulls/showtemplate-admin-ss3

Browse Source 
API Require ADMIN for ?showtemplate=1 (3.0)
This commit is contained in:
Sean Harvey 2013-02-12 15:07:34 -08:00
commit b25b6d4769
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/en/changelogs/3.0.4.md
View File

@ -3,6 +3,14 @@
## Overview ## Overview
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage. * Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
* Require ADMIN permissions for `?showtemplate=1`
## Details
### Require ADMIN permissions for `?showtemplate=1`
Avoids information leakage of compiled template data,
which might expose some of the internal template logic.
## Upgrading ## Upgrading

2
view/SSViewer.php
View File

@ -821,7 +821,7 @@ class SSViewer {
* @return string - The result of executing the template * @return string - The result of executing the template
*/ */
protected function includeGeneratedTemplate($cacheFile, $item, $overlay, $underlay) { protected function includeGeneratedTemplate($cacheFile, $item, $overlay, $underlay) {
if(isset($_GET['showtemplate']) && $_GET['showtemplate']) { if(isset($_GET['showtemplate']) && $_GET['showtemplate'] && Permission::check('ADMIN')) {
$lines = file($cacheFile); $lines = file($cacheFile);
echo "<h2>Template: $cacheFile</h2>"; echo "<h2>Template: $cacheFile</h2>";
echo "<pre>"; echo "<pre>";