This chapter documents primarily the backwards compatibility breaks made in Zend_View, and should serve to aid in migration from previous versions.
Prior to the 1.7.5 release, the Zend Framework team was notified of a potential Local File Inclusion (LFI) vulnerability in the Zend_View::render() method. Prior to 1.7.5, the method allowed, by default, the ability to specify view scripts that included parent directory notation (e.g., "../" or "..\"). This opens the possibility for an LFI attack if unfiltered user input is passed to the render() method:

    // Where $_GET['foobar'] = '../../../../etc/passwd'
    echo $view->render($_GET['foobar']); // LFI inclusion
Zend_View now by default raises an exception when such a view script is requested.
Since a number of developers reported that they were using such notation within their applications where it was not the result of user input, a special flag was created to allow disabling the default protection. You have two methods for doing so: by passing the 'lfiProtectionOn' key to the constructor options, or by explicitly calling the setLfiProtection() method.
    // Disabling via constructor
    $view = new Zend_View(array('lfiProtectionOn' => false));

    // Disabling via explicit method call:
    $view = new Zend_View();
    $view->setLfiProtection(false);
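As an added example (not from the Zend Framework manual), the following shows how an application can keep the 1.7.5+ protection on for user-chosen script names, catch the Zend_View_Exception that render() now throws for parent-directory notation, and fall back to a known script. It assumes the Zend library is on the include_path, a ./views directory containing index.phtml and error.phtml exists, and the helper name renderUntrusted() is hypothetical.

```php
<?php
// Added example, not part of the Zend Framework manual.
// Assumes the Zend library is on the include_path so the autoloader can find Zend_View.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

/**
 * Render a view script whose name came from untrusted input.
 *
 * With LFI protection left on (the default since 1.7.5), a name such as
 * "../../../../etc/passwd" makes render() throw Zend_View_Exception before
 * any file is included. The exception is caught, the attempt is logged, and a
 * known fallback script is rendered instead of leaking the exception message.
 * The function name and script names are hypothetical.
 */
function renderUntrusted(Zend_View $view, $requested, $fallback = 'error.phtml')
{
    // Never leave protection off when the script name is user-controlled.
    if (!$view->isLfiProtectionOn()) {
        $view->setLfiProtection(true);
    }

    try {
        return $view->render($requested);
    } catch (Zend_View_Exception $e) {
        error_log('Rejected view script "' . $requested . '": ' . $e->getMessage());
        return $view->render($fallback);
    }
}

// scriptPath points at the directory holding index.phtml and error.phtml.
$view = new Zend_View(array('scriptPath' => dirname(__FILE__) . '/views'));

// Constructed sample inputs: the first is legitimate, the second carries traversal
// and is rejected by Zend_View itself before any include happens.
echo renderUntrusted($view, 'index.phtml');
echo renderUntrusted($view, '../../../../etc/passwd');
```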