Zend View - Part 2

LFI Protection and PHAR support from TemplatePathStack

Posted on January 04, 2017

This is part two of a multi-part series on using zend-view as a stand-alone library. The code is available on https://github.com/lorenzoferrarajr/zend-view-examples.

LFI Protection

By default the TemplatePathStack resolver is configured so that parent directory traversal is not allowed in view script names: a name containing ../ or ..\ is rejected.

This limit is imposed for security reasons. The feature is called LFI protection (Local File Inclusion protection), and it exists because a view script name must not be able to reference files outside the configured script paths: whatever file the resolver returns is included and executed as PHP by the renderer.

LFI protection can be disabled via configuration: the TemplatePathStack accepts an option key named lfi_protection, which can be set to false:

$resolver = new \Zend\View\Resolver\TemplatePathStack([
    'script_paths' => [
        'view/',
    ],
    'lfi_protection' => false
]);

With LFI protection left at its default, either of the following calls to the render method would fail: the resolver throws an exception as soon as it sees the parent-directory notation in the name, before looking for any file. With the configuration above both calls succeed and, since both names lead back into view/, both render the same view-1 script:

$renderer = new \Zend\View\Renderer\PhpRenderer();
$renderer->setResolver($resolver);
$content = $renderer->render('sub1/../../view/view-1');
$content = $renderer->render('../view/view-1');

Just for clarity: a leading slash in a view script name does not make it an absolute path. The name is always appended to each configured script_paths root in turn, so the lookup starts from those roots, not from the root of the filesystem.
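As an added example (my own code, not from this post or from the zend-view project), the script below creates a scratch view root plus a file one level above it, then contrasts the default resolver with one that has lfi_protection disabled. It assumes zend-view is installed through Composer (vendor/autoload.php); the helper names tryRender and pickTemplate and the scratch file names are mine.

```php
<?php
// Added example, not part of the original post: default LFI protection
// versus a resolver with lfi_protection disabled.
// Assumes zend-view installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Zend\View\Exception\DomainException;
use Zend\View\Exception\RuntimeException;
use Zend\View\Renderer\PhpRenderer;
use Zend\View\Resolver\TemplatePathStack;

// Constructed layout on disk (scratch files, removed at the end):
//   $root/view/view-1.phtml   inside the configured script path
//   $root/secret.phtml        one level above it, a traversal target
$root = sys_get_temp_dir() . '/zv-lfi-' . bin2hex(random_bytes(4));
mkdir($root . '/view', 0700, true);
file_put_contents($root . '/view/view-1.phtml', "inside the view root\n");
file_put_contents($root . '/secret.phtml', "OUTSIDE the view root\n");

// Render $name and report the outcome instead of letting exceptions bubble up.
function tryRender(PhpRenderer $renderer, string $name)
{
    try {
        return 'rendered: ' . trim($renderer->render($name));
    } catch (DomainException $e) {
        // Thrown by TemplatePathStack::resolve() when the name contains ../ or ..\
        return 'blocked by LFI protection';
    } catch (RuntimeException $e) {
        // Thrown by PhpRenderer::render() when no file could be resolved
        return 'not found';
    }
}

// 1. Default resolver: lfi_protection is on.
$protected = new TemplatePathStack(['script_paths' => [$root . '/view/']]);
$renderer = new PhpRenderer();
$renderer->setResolver($protected);

echo tryRender($renderer, 'view-1'), PHP_EOL;
echo tryRender($renderer, '../secret'), PHP_EOL;
echo tryRender($renderer, 'sub1/..\\..\\secret'), PHP_EOL; // backslash notation

// 2. Same layout with protection switched off: the traversal is now honoured
//    and a file outside the configured root is included as a view script.
$open = new TemplatePathStack([
    'script_paths'   => [$root . '/view/'],
    'lfi_protection' => false,
]);
$renderer->setResolver($open);
echo tryRender($renderer, '../secret'), PHP_EOL;

// 3. When a template name is derived from request data, do not rely on the
//    resolver's check alone: map the input onto a fixed list of known names.
function pickTemplate(string $requested, array $allowed)
{
    return in_array($requested, $allowed, true) ? $requested : null;
}
var_dump(pickTemplate('view-1', ['view-1', 'view-2']));
var_dump(pickTemplate('../secret', ['view-1', 'view-2']));

// Remove the scratch files.
unlink($root . '/view/view-1.phtml');
unlink($root . '/secret.phtml');
rmdir($root . '/view');
rmdir($root);
```

With the default resolver, 'view-1' renders, while both traversal names are refused before any file lookup takes place, so it makes no difference whether the target exists. With lfi_protection set to false, '../secret' resolves to the file above the view root and its contents are rendered, which is exactly why the option should stay at its default whenever template names can be influenced by a request; the allowlist in step 3 is the usual way to handle that case.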

PHAR support

Another feature of the TemplatePathStack resolver is support for phar archives. A phar is treated as a script path and configured just like a directory, using the phar:// stream wrapper:

$resolver = new \Zend\View\Resolver\TemplatePathStack([
    'script_paths' => [
        'phar://'.__DIR__.'/view.phar',
    ],
]);

View scripts contained in the phar archive are resolved and rendered just like view scripts on disk.
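As an added example (my own code, not from this post or from the zend-view project), the script below packs a directory of view scripts into view.phar and then renders from the archive through a TemplatePathStack. It assumes zend-view is installed through Composer and that a view/ directory next to the script contains a view-1.phtml; the build step needs phar.readonly=0, which is the only setting on the build side that is not the PHP default.

```php
<?php
// Added example, not part of the original post: build a phar from a view
// directory and serve templates from it.
// Build step: php -d phar.readonly=0 build-and-render.php
require __DIR__ . '/vendor/autoload.php';

use Zend\View\Renderer\PhpRenderer;
use Zend\View\Resolver\TemplatePathStack;

$src  = __DIR__ . '/view';       // assumed: directory holding *.phtml view scripts
$phar = __DIR__ . '/view.phar';  // assumed: archive to create / read

if (!file_exists($phar)) {
    // Phar creation is refused unless phar.readonly is off in this process.
    if (ini_get('phar.readonly')) {
        fwrite(STDERR, "run with -d phar.readonly=0 to build {$phar}\n");
        exit(1);
    }
    $archive = new Phar($phar);
    // Only the view scripts go into the archive; paths are kept relative to $src.
    $archive->buildFromDirectory($src, '/\.phtml$/');
    $archive->setStub($archive->createDefaultStub());
}

// Reading from a phar does not need phar.readonly=0; the archive is just
// another script path, addressed through the phar:// stream wrapper.
$resolver = new TemplatePathStack([
    'script_paths' => ['phar://' . $phar . '/'],
]);
$renderer = new PhpRenderer();
$renderer->setResolver($resolver);

// Names are resolved inside the archive exactly as on disk, and the LFI check
// is applied to the name before it is joined to the phar path, so '../x'
// is refused here too unless lfi_protection is turned off.
echo $renderer->render('view-1');
```

Because the archive contents are included as PHP just like files on disk, treat view.phar as code: build it from a trusted source tree and deploy it with the same care as the application itself.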