Loading...
 
Skip to main content

History: Risky Preferences

Preview of version: 6

Risky preferences

Introduced in Tiki22


Some of Tiki's preferences are quite powerful (and thus dangerous) and should be used only by experts.

These risky preferences are disabled and hidden by default, since Tiki 22. This addresses CVE-2020-29254
Only the system administrator can make them visible through Tiki's system configuration file.

These are the preferences marked as risky:

  • feature_editcss
  • feature_edit_templates
  • feature_purifier
  • smarty_security_functions
  • smarty_security_modifiers
  • smarty_security_dirs
  • tiki_allow_trust_input

Enable/Show risky preferences


First, in order to enable these features first is needed to activate the system configuration.
If you don’t have one, you will need to declare the path of the tiki.ini file where rules can be stored.

Sample configuration file placed in db/local.php, with a relative path
Copy to clipboard
$system_configuration_file = 'db/tiki.ini';


In your configuration file, add new rules to Tiki's configuration file that allows showing these features.

See the following example:

System configuration file sample(db/tiki.ini) that enable to show "smarty_security_functions" preference
Copy to clipboard
rules.0 = show smarty_security_functions

History

Advanced
Information Version
Jonny Bradley 8
Bernard Sfez / Tiki Specialist Setting the summary bloc 7
Marc Laporte 6
Bernard Sfez / Tiki Specialist Adding explanations and sample code 5
Marc Laporte 4
Marc Laporte 3
Marc Laporte 2
Jorge Sá Pereira 1