According to Bill Clark wclarkxoom@gmail.com:
> - Checking the size before inclusion.
I'm coding a patch in this way, which prevents the inclusion of more than MAX_TEMPLATE_INCLUSION_CHAR.
> - Limiting the number of inclusions (or at least making it more difficult by limiting the number of times the same file can be included, thus forcing attackers to create multiple large templates, which is easier to track and/or prevent).
My opinion is simply to prevent endless recursive templates (by storing the recursion path).
With what I have already coded, the template parsing should be faster, and with less painful limitations.
Emmanuel Engelhart
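As an added illustration of the two limits discussed in this exchange (not the patch from the thread or the project's own code): a toy template expander that stores the recursion path to refuse cyclic inclusion and charges the size of every included template against a MAX_TEMPLATE_INCLUSION_CHAR budget. The `{{Name}}` syntax, the budget value and the sample templates are constructed for this example.

```python
import re

# Constructed budget for this example; the real constant's value is not
# given in the thread.
MAX_TEMPLATE_INCLUSION_CHAR = 200

# Inclusion marker: {{TemplateName}}
INCLUDE = re.compile(r"\{\{([A-Za-z0-9_]+)\}\}")


class TemplateError(Exception):
    """Raised when an inclusion would recurse or exceed the budget."""


def expand(name, templates, path=(), budget=None):
    """Expand template `name`.

    `path` is the chain of templates currently being expanded (the
    recursion path); `budget` is a one-element list holding the number
    of characters that may still be pulled in through inclusion."""
    if budget is None:
        budget = [MAX_TEMPLATE_INCLUSION_CHAR]
    if name in path:
        # The template is already on the path: endless recursion.
        raise TemplateError("recursive inclusion: " + " -> ".join(path + (name,)))
    path = path + (name,)

    def repl(match):
        child = match.group(1)
        if child not in templates:
            return match.group(0)  # unknown template: leave marker as-is
        # Charge the raw size of the included template once, before
        # expanding it, so nested inclusions are not double counted.
        budget[0] -= len(templates[child])
        if budget[0] < 0:
            raise TemplateError("inclusion exceeds MAX_TEMPLATE_INCLUSION_CHAR")
        return expand(child, templates, path, budget)

    return INCLUDE.sub(repl, templates[name])


def try_expand(name, templates):
    """Return the expanded text, or an 'error: ...' string on rejection."""
    try:
        return expand(name, templates)
    except TemplateError as exc:
        return "error: " + str(exc)


# Constructed sample templates: a normal chain, two cycles, and a pair
# of large inclusions that together exceed the budget.
TEMPLATES = {
    "Page": "Intro {{Box}} end", "Box": "[{{Note}}]", "Note": "note",
    "Loop": "x{{Loop}}", "A": "{{B}}", "B": "{{A}}",
    "Big": "a" * 150, "Two": "{{Big}}{{Big}}",
}
```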