Security Breach through Template::Toolkit

Sixtease has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks,

I'd like to let the users of my web app customize their pages. Perlmonks does something similar by letting me write my own CSS. I'd like to go one step further and let them write their own template with Template::Toolkit.

I know though that Template can be configured to enable processing of Perl code within the templates, which would of course be an open gate for bad guys.

Can Template::Toolkit be configured to only allow "safe" things done in the templates? Do you think this whole idea is reasonably realizable?

use strict; use warnings; print "Just Another Perl Hacker\n";

Comment on Security Breach through Template::Toolkit

Replies are listed 'Best First'.
Re: Security Breach through Template::Toolkit by stonecolddevin (Parson) on Nov 11, 2008 at 08:35 UTC
Sure. Check out the plethora of filters that come standard. There's also this one, and StripScripts. meh.	[reply]
Re: Security Breach through Template::Toolkit by moritz (Cardinal) on Nov 11, 2008 at 08:41 UTC
It's not a mere matter of configuring Template. If you pass an object to your template, the template can call arbitrary (public) methods on it. So if you pass a DBIx::Class object to the template, it might be possible for the user to query your DB for things you didn't want to reveal to them. Or if you have defined some many-to-many relations the user could walk through all these relations, issuing many DB queries and thus degrading performance. Maybe that can be prohibited somehow, but it's a danger you have to be aware of.	[reply]
Re^2: Security Breach through Template::Toolkit by dragonchild (Archbishop) on Nov 11, 2008 at 18:22 UTC
More importantly, every good ORM allows you to access the entire database from any object provided by that ORM. That sort of reflection is considered to be a feature. My criteria for good software: Does it work? Can someone else come in, make a change, and be reasonably certain no bugs were introduced?	[reply]
Re: Security Breach through Template::Toolkit by Sixtease (Friar) on Nov 11, 2008 at 10:08 UTC
Yeah well, I'm starting to see that Template::Toolkit might be just a little too powerful. Let alone the STDOUT filter could bloat the output of my app. Users can create complex data structures and print them repeatedly, so I see ways of loading the server with lots of work. Maybe HTML::Template would be better. But the comfort is far from that which TT provides. use strict; use warnings; print "Just Another Perl Hacker\n";	[reply]
Re^2: Security Breach through Template::Toolkit by moritz (Cardinal) on Nov 11, 2008 at 15:50 UTC
Maybe HTML::Template::Compiled might be a compromise? It offers a few features that HTML::Template doesn't have (it's maintained, it offers caching, a less verbose tag style, loops over hashes, sane handling of character encodings etc) without providing TT's full power.	[reply]


Keep It Simple, Stupid
	PerlMonks