Zend_View_Abstract

Migrating from Previous Versions

This chapter documents primarily backwards compatibility breaks made in Zend_View, and should serve to aid in migration from previous versions.

Migrating from versions prior to 1.7.5

Prior to the 1.7.5 release, the Zend Framework team was notified of a potential Local File Inclusion (LFI) vulnerability in the Zend_View::render() method. Prior to 1.7.5, the method by default accepted view script names containing parent directory notation (e.g., "../" or "..\"). This opens the possibility of an LFI attack if unfiltered user input is passed to the render() method:

  // Where $_GET['foobar'] = '../../../../etc/passwd'
  echo $view->render($_GET['foobar']); // LFI inclusion

Zend_View now by default raises an exception when such a view script is requested.

Disabling LFI protection for the render() method

Since a number of developers reported that they were using such notation within their applications that was not the result of user input, a special flag was created to allow disabling the default protection. You have two methods for doing so: by passing the 'lfiProtectionOn' key to the constructor options, or by explicitly calling the setLfiProtection() method.

  // Disabling via constructor
  $view = new Zend_View(array('lfiProtectionOn' => false));

  // Disabling via explicit method call:
  $view = new Zend_View();
  $view->setLfiProtection(false);
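The following stand-alone script is an added illustration of both points above (the parent-directory check that render() now performs, and the 'lfiProtectionOn' flag that disables it); it is not Zend Framework's own code. The DemoView class, its resolve() method, the pickScript() helper and the request value are all constructed for the example, and the regular expression is an assumption about the shape of the check, not a quotation of the framework's source.

```php
<?php
// Minimal stand-in for the behaviour described above (hypothetical; not Zend_View itself).
class DemoView
{
    private $scriptPath;
    private $lfiProtectionOn = true; // protection is on by default, as in Zend_View >= 1.7.5

    public function __construct($scriptPath, array $options = array())
    {
        $this->scriptPath = rtrim($scriptPath, '/\\');
        // Mirrors the constructor option discussed above.
        if (array_key_exists('lfiProtectionOn', $options)) {
            $this->setLfiProtection($options['lfiProtectionOn']);
        }
    }

    // Mirrors the explicit setter discussed above.
    public function setLfiProtection($flag)
    {
        $this->lfiProtectionOn = (bool) $flag;
        return $this;
    }

    // Resolve a view script name to a path under the script directory.
    // While protection is on, any "../" or "..\" in the name raises an exception
    // instead of being handed to include().
    public function resolve($name)
    {
        if ($this->lfiProtectionOn && preg_match('#\.\.[\\\\/]#', $name)) {
            throw new RuntimeException(
                'Requested script may not include parent directory traversal: ' . $name
            );
        }
        return $this->scriptPath . DIRECTORY_SEPARATOR . $name;
    }
}

// Safer than turning the protection off: never pass raw request data to render().
// Map the request value onto a fixed set of known scripts and fall back to a default.
function pickScript(array $allowed, $requested, $default)
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed request value, the same shape as the one in the vulnerable snippet above.
$requested = '../../../../etc/passwd';

// 1. Default behaviour: the traversal is refused.
$view = new DemoView('/var/www/app/views');
try {
    $view->resolve($requested);
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// 2. Protection disabled via the constructor option: the name is resolved as-is.
$unsafe = new DemoView('/var/www/app/views', array('lfiProtectionOn' => false));
echo "resolved (protection off): " . $unsafe->resolve($requested) . "\n";

// 3. Allow-list the script name first, so the flag never has to be turned off.
$script = pickScript(array('index.phtml', 'about.phtml'), $requested, 'index.phtml');
echo "resolved (allow-listed): " . $view->resolve($script) . "\n";
```

If an application genuinely needs "../" in script names that it builds itself, the allow-list pattern in pickScript() keeps user input away from render() entirely, which is preferable to disabling the protection for the whole Zend_View instance.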
