MyBB Community Forums

Full Version: 1.6.4 Guidance for Theme Artists
In 1.6.4, the templates system has changed to disallow certain variables. This is to help enhance the security of the templates system.

Because of these changes, only the following variables should be used:

// Plain variables
{$hello} {$world} {$foo_bar} {$hello->world} {$foo->bar}

// Array variables
{$hello['world']} {$world['hello']} {$foo['bar']}

// Variables as array key
{$hello[$world]} {$world[$hello]} {$foo[$bar]}

While you can still enter templates directly into the database with other variables, an error will appear if a template the Administrator is trying to edit contains any other type of variable. They will have to remove it before they are able to save the template.

As well as these changes, the same process applies if you try to use a $config variable.

While Theme Artists may not be affected by these changes, if your theme relies on a plugin you'll need to make sure that the information you use is passed to the templates properly.

For other changes to 1.6.4, please refer to [wiki]1.6.4[/wiki]. If you have any questions, please feel free to ask!

Thanks,

Tomm
Does this mean we can't use variables like $MyBB->user or..?
I checked out from the SVN and I don't know if the devs are aware but a $config variable is used to show the link to the admin panel, which sets off the vulnerability checker.

I don't know if this has been fixed since I checked out (was a few days ago), but a simple fix would be:

$admindir = $config['admin_dir'];

And using {$admindir} in the template instead.
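To make Tomm's allow-list and Malcolm's `$admindir` workaround concrete, here is a small checker added to this thread as an illustration. It is not MyBB's own template check, and 1.6.4's real check may differ in detail. It accepts only the variable forms listed in the announcement, rejects anything rooted at `$config`, and, because it counts braces instead of skipping over them, also catches the `{${...}}` construct discussed later in the thread. One assumption not stated in the post: the listed accessors may be chained, e.g. `{$mybb->settings['bburl']}`.

```python
import re

# Allowed forms from the 1.6.4 announcement:
#   {$hello}  {$hello->world}  {$hello['world']}  {$hello[$world]}
_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
_ACCESSOR = (
    r"->" + _NAME                  # object property:  ->world
    + r"|\['[^'\[\]{}$]*'\]"       # quoted array key: ['world']
    + r"|\[\$" + _NAME + r"\]"     # variable as key:  [$world]
)
# Assumption (not in the post): accessors may be chained, as in
# {$mybb->settings['bburl']}; "*" allows zero or more of them.
ALLOWED = re.compile(r"^\$" + _NAME + r"(?:" + _ACCESSOR + r")*$")

# Roots that must never reach a template, even in otherwise allowed syntax.
# Malcolm's fix is the right pattern: copy the value into a plain variable
# in PHP ($admindir = $config['admin_dir'];) and use {$admindir} instead.
FORBIDDEN_ROOTS = {"config"}


def find_variable_tags(template):
    """Yield (offset, inner_text, closed) for every '{$...}' tag.

    Braces are counted so that nested forms such as {${...}} are returned
    whole; a naive '{$[^}]*}' regex would skip them entirely.
    """
    i, n = 0, len(template)
    while i < n:
        if not template.startswith("{$", i):
            i += 1
            continue
        depth, j = 0, i
        while j < n:
            if template[j] == "{":
                depth += 1
            elif template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:                       # ran off the end of the template
            yield i, template[i + 1:], False
            return
        yield i, template[i + 1:j], True
        i = j + 1


def check_template(template):
    """Return [(offset, text, reason), ...] for every rejected tag.

    An empty list means every variable in the template is acceptable.
    """
    problems = []
    for offset, inner, closed in find_variable_tags(template):
        if not closed:
            problems.append((offset, inner, "unterminated variable tag"))
            continue
        if not ALLOWED.match(inner):
            problems.append((offset, inner, "variable form not allowed"))
            continue
        root = re.match(r"\$(" + _NAME + ")", inner).group(1)
        if root in FORBIDDEN_ROOTS:
            problems.append((offset, inner, "$" + root + " may not be used in templates"))
    return problems


if __name__ == "__main__":
    # Constructed sample templates: the first three follow the announcement,
    # the last three are the kinds of input the thread says 1.6.4 rejects.
    samples = [
        "{$hello} {$foo->bar} {$hello['world']} {$foo[$bar]}",
        '<a href="' + "{$mybb->settings['bburl']}/{$admindir}/" + '">Admin CP</a>',
        "{$mybb->user['username']}",
        "{$config['admin_dir']}",
        "{${eval(system('whoami'))}}",
        "{$lang->welcome",
    ]
    for sample in samples:
        print(repr(sample), "->", check_template(sample) or "ok")
```

Running the block prints "ok" for the first three samples and the offending tag with its reason for the rest. The checker only inspects braced `{$...}` tags, which is what the announcement covers; it does not try to interpret other `$` characters, which would produce false positives on JavaScript embedded in templates.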
So the old 1.6.x theme will never work on 1.6.4 and needs to be updated? Wow, I really need to work on and memorize the new variables.
@Malcolm, thanks for letting us know!

(2011-07-14, 03:57 AM) Scoutie44 wrote: Does this mean we can't use variables like $MyBB->user or..?

Yes, you can use those and any existing variables in the templates. I'm trying to highlight the customized ones plugin authors and theme artists might use. I've added your example to the list.
Oh. Is this to fix those really crazy variables that I recall reading from some security report, then?
(2011-07-14, 10:48 PM) Scoutie44 wrote: Oh. Is this to fix those really crazy variables that I recall reading from some security report, then?

Yeah, in 1.6.3 and below you can do things like these:

{${eval(system('whoami'))}}

{${print($config['database']['password'])}}

Pretty low risk because you need admincp access and template permissions, but if your admin account gets hacked, the hacker could gain access to the whole server.
Okay, thanks for the clarification.
I'm not a developer, so I don't quite understand.

Do I have to rewrite my theme if my forum is already installed?

Or is this more about the plugin side?
(2011-07-14, 10:48 PM) Scoutie44 wrote: Oh. Is this to fix those really crazy variables that I recall reading from some security report, then?

It's the only security report on Secunia that is still open for MyBB.

@Sama34 - I wouldn't worry about it. Just remember to take a look at your theme's templates when you upgrade because some have changed - but you should be doing this whenever you upgrade anyway!