Closed: 123andy closed this 10 months ago
Hi Andy,
I think that's reasonable. I added Smarty a LONG time ago on recommendation from a REDCapCon presentation and I've felt for a while now that it could probably be removed/replaced by something different.
I'd be happy to push an update if you have a quick fix, otherwise it will likely become a non-issue whenever I manage to find the time to do some larger code cleanup.
I don't have a fix... I'm mainly bringing it up for a discussion and that someone pointed out a security exploit in an older version of Smarty...
Module no longer uses Smarty
Hi there,
I did a clean install and saw that the module attempted to create a 'templates_c' directory and then wrote to this directory on the first execution. Is that correct? While it was never codified, I sort of feel like module folders shouldn't be used for file storage due to the potential for abuse - e.g. adding a PHP file to the file system... Any thoughts on this? Is there a more secure way? Should the files be written elsewhere outside of the webroot and proxied?