Risk in allowing developers to upload .blade files

8

I'm developing a blog platform where users submit their template and Laravel uses that template to build the blog. The user / developer will only tell you where the values will be, for example:

<h2>{{$blog->title}}</h2>

Can I allow a developer / user to make a template using Blade's braces ({{ and }}) without this affecting security?

asked by anonymous 11.11.2014 / 19:10

2 answers

13
{{var_dump(Config::get('database'))}}

And that's it ...

11.11.2014 / 19:59
3

In addition to the risk already mentioned above, there are countless others.

When you use $this within a Blade view, you have access to the Illuminate\View\View instance.

Not to mention other methods he could use to mess around with your system.

Just to reinforce the answer above, look at another nasty thing that could happen:

File::deleteDirectory('diretorio_importante_do_seu_sistema');

You could also change some configuration file, such as mail.php, and make a mess of your system:

 file_put_contents(app_path('config/mail.php'), var_export($configuracoes_malicosas, true));

Perhaps the solution in your case is to pre-process any template sent by a user. Or hold it back so that someone reviews the content of that view, and only then publish it.

I do not know if this is the idea, but it seems like you want to do something similar to Wordpress.

Laravel already has a CMS; I do not know whether it solves this, but I'll leave the link so you can look at it and see whether it meets your need.

link

18.05.2016 / 15:03
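Both answers make the same point: anything inside Blade's `{{ }}` is compiled to arbitrary PHP, so a user-supplied template handed to Blade is remote code execution, and `{{var_dump(Config::get('database'))}}` or `File::deleteDirectory(...)` run with the web server's privileges. The pre-processing approach suggested in the second answer is the practical fix: never give the user's text to the Blade compiler at all, but scan it for an allow-list of placeholders and substitute escaped values yourself. The following is an added example of that approach; it is not code from the question, from either answer, or from Laravel itself. It assumes a hypothetical allow-list (`blog.title`, `blog.body`, `blog.author`) and a data array shaped `['blog' => ['title' => ...]]`; both are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's or Blade's own code. The user's template is never
// passed to Blade::compile() or view(); only the placeholders below are honoured.
final class SafeTemplateRenderer
{
    // Assumed allow-list of "$variable->field" placeholders a template may reference.
    private const ALLOWED = ['blog.title', 'blog.body', 'blog.author'];

    // Matches only {{ $name->field }}. Calls, $this, @directives, {!! !!} etc. do not match
    // and are therefore left in the text for the check in validate() to reject.
    private const PLACEHOLDER = '/\{\{\s*\$([a-z_][a-z0-9_]*)->([a-z_][a-z0-9_]*)\s*\}\}/i';

    /** Returns a list of problems; an empty list means the template is acceptable. */
    public static function validate(string $template): array
    {
        $errors = [];

        // Remove every well-formed placeholder, recording any that are not on the allow-list
        // (e.g. {{ $this->getFactory() }} is caught here because "this" is not allowed).
        $stripped = preg_replace_callback(self::PLACEHOLDER, function (array $m) use (&$errors): string {
            $key = strtolower($m[1] . '.' . $m[2]);
            if (!in_array($key, self::ALLOWED, true)) {
                $errors[] = "unknown placeholder {$m[0]}";
            }
            return '';
        }, $template);

        // Whatever still looks like Blade or PHP syntax is rejected outright. Since the template
        // is never compiled this is defence in depth: it stops a template like
        // {{var_dump(Config::get('database'))}} from being saved at all, and stops a literal
        // "<?php" from becoming live code if a later step ever writes the output to a .php file.
        if (preg_match('/\{\{|\}\}|\{!!|!!\}|@[a-z]+|<\?/i', $stripped, $m)) {
            $errors[] = "disallowed template syntax near '{$m[0]}'";
        }
        return $errors;
    }

    /** Substitutes allow-listed placeholders with HTML-escaped values; throws on a bad template. */
    public static function render(string $template, array $data): string
    {
        $errors = self::validate($template);
        if ($errors !== []) {
            throw new InvalidArgumentException(implode('; ', $errors));
        }
        return preg_replace_callback(self::PLACEHOLDER, function (array $m) use ($data): string {
            $value = $data[strtolower($m[1])][strtolower($m[2])] ?? '';
            // Escape on output, as Blade's {{ }} would, so data values cannot inject markup.
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }, $template);
    }
}

// Constructed sample data for the example.
$data = ['blog' => ['title' => 'Hello <world>', 'body' => 'First post', 'author' => 'anonymous']];

// A template that only uses allowed placeholders renders normally.
$good = '<h2>{{ $blog->title }}</h2><p>{{$blog->body}}</p><small>{{ $blog->author }}</small>';
echo SafeTemplateRenderer::render($good, $data), PHP_EOL;

// The templates from the two answers, plus a $this access, are all refused before rendering.
$bad = [
    "{{var_dump(Config::get('database'))}}",
    '{{ $this->getFactory() }}',
    "@php File::deleteDirectory('diretorio_importante_do_seu_sistema') @endphp",
    "{!! file_put_contents(app_path('config/mail.php'), 'x') !!}",
];
foreach ($bad as $template) {
    try {
        SafeTemplateRenderer::render($template, $data);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Two caveats. First, the `@[a-z]+` check is deliberately blunt and will also reject an e-mail address such as `user@example.com` in the template text; relax it only if you are sure nothing downstream ever compiles the saved template. Second, this protects the server, not the readers: the template author still controls the surrounding HTML, exactly as a WordPress theme author does, so a malicious template can still carry script that runs in visitors' browsers. A manual review step before publishing, as the second answer suggests, remains the answer to that.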