Jump to content

PHP Function not allowed by security setting


D9Hosting

Recommended Posts

Since upgrading to v7 none of our invoice related emails will send due to the following:

 

"PHP function 'substr_count' not allowed by security setting"

 

According to the WHMCS docs adding the following code to the configuration.php file should fix this issue:

 

// Smarty custom email based template policy: 
$smarty_security_policy = array( 
  'mail' => array( 
      'php_modifiers' => array( 
          'substr_count', 

      ), 
  ), 
);

 

...but it doesn't! Has anyone got any ideas?

 

FYI, the content of the email template generating these errors is:

 

{if substr_count($client_credit, "GBP")}If you are a UK resident you can pay via Bank Transfer by using the details below:

snip{else}{/if}

Link to comment
Share on other sites

why do you need to count how many times the string occurs ? from that snippet, it looks like you just want to check whether the variable contains "GBP" and if so, do something...

 

{if $client_credit|strstr:'GBP'}If you are a UK resident you can pay via Bank Transfer by using the details below:
snip{else}{/if}

Link to comment
Share on other sites

what a farce v7 is. :mad:

 

ok, it seems that you have to do two things.

 

1. as per the security policy, declare strstr in the configuration file.

 

// Smarty custom email based template policy:
$smarty_security_policy = array(
   'mail' => array(
       'php_functions' => array(
           'strstr',
       ),
   ),
);

 

2. in the email template, I assume you can no longer use the usual Smarty way to use PHP modifiers, you have to code it like the PHP function. :roll:

 

{if strstr($client_credit, "GBP")}If you are a UK resident you can pay via Bank Transfer by using the details below: snip{/if}

tested and working on v7.0.1 :idea:

 

also, it occurs to me that if all you want to do is see if they're a UK resident, you could use the $client_country variable instead.

 

{if $client_country eq "GB"}If you are a UK resident you can pay via Bank Transfer by using the details below: snip{/if}

though I suppose in theory they could be in the UK, but using another currency - so that might not help... at least this method wouldn't require a change to the smarty security policy!

Link to comment
Share on other sites

  • 4 years later...

Apologies for bringing an old thread back from the dead but this issue has reared its ugly head again in version 8.13.

We had an issue with a smarty variable in a custom template file triggering a security policy error so WHMCS Support suggested adding this security policy to our config file:

// Smarty enable special variables policy:
$smarty_security_policy = array(
'system' => array(
'enabled_special_smarty_vars' => array(
'session',
'foreach',
'section',
'block',
'capture',
'now',
'get',
'post',
'server',
'request',
'template',
'const',
'strstr',
),
),
);

This fixed the issue with the template not working but now we are getting a "'strstr' not allowed by security setting" error when trying to send any email that contains this:

{if strstr($client_credit, "GBP")}Blah blah blah{/if}

The original security policy we had in place to allow "strstr" is still there but doesn't work if we also have the new "'system'" security policy in place, it works fine if we remove this leaving just the original security policy but ideally we need both the custom template and the code in the email to work! FYI our full security policy is listed here:

// Smarty custom email based template policy:
$smarty_security_policy = array(
    'mail' => array(
        'php_functions' => array(
            'strstr',
        ),
    ),
); 


// Smarty enable special variables policy:
$smarty_security_policy = array(
'system' => array(
'enabled_special_smarty_vars' => array(
'session',
'foreach',
'section',
'block',
'capture',
'now',
'get',
'post',
'server',
'request',
'template',
'const',
'strstr',
),
),
);


Any ideas how to fix or if not, is there another workaround we could use to display conditional data depending on the currency used by the client?

Edited by D9Hosting
Link to comment
Share on other sites

4 hours ago, D9Hosting said:

We had an issue with a smarty variable in a custom template file triggering a security policy error so WHMCS Support suggested adding this security policy to our config file:

it's not much of a security policy that at the first sign of an issue, Support effectively tells you to completely disable it! 🙄

all you should have needed to do was add the one (or more) specific tags that were causing the issue - not all of them!

4 hours ago, D9Hosting said:

Any ideas how to fix or if not, is there another workaround we could use to display conditional data depending on the currency used by the client?

perhaps if I post an example from one of my devs...

$smarty_security_policy = array(
	'system' => array(
		'enabled_special_smarty_vars' => array(
			'cookies','session','server','this','capture','foreach','get','post',
		),
	),
	'mail' => array(
		'php_modifiers' => array(
			'strstr',
		),
	),
);

it's the way you've arranged the array output in the file that will be confusing - that's not necessarily your fault, I can see that's how it's now shown in the docs. 🙄

Link to comment
Share on other sites

Hi Guys,

Thanks for the responses. Unfortunately the newly formatted code doesn't work either:

$smarty_security_policy = array(
    'system' => array(
        'enabled_special_smarty_vars' => array(
            'session','foreach','section','block','capture','now','get','post','server','request','template','const','strstr','cookies',
        ),
    ),
    'mail' => array(
        'php_modifiers' => array(
            'strstr',
        ),
    ),
);

With the above code the template which uses $smarty.session works fine but the email template containing "strstr" throws up the security policy error as before. If I remove the system security policy leaving just the email policy the emails work fine.

I have a ticket open with WHMCS but don't hold out much hope.

As a workaround and before I spend a morning editing custom email templates, is there perhaps an alternative I can use to "$smarty.session.cart.promo" in /orderforms/configureproduct.tpl to pull the promo code used (if any) by the client? Figure it will be easier to edit that one file rather than a ton of email templates!

Link to comment
Share on other sites

Hi @brian!,

Thanks for the quick reply. Still no luck I'm afraid:

$smarty_security_policy = array(
    'system' => array(
        'enabled_special_smarty_vars' => array(
            'session','foreach','section','block','capture','now','get','post','server','request','template','const','cookies',
        ),
    ),
    'mail' => array(
        'php_modifiers' => array(
            'strstr',
        ),
    ),
);

Generates the following error when sending an email :

PHP function 'strstr' not allowed by security setting

Just going back to what you mentioned last week:

Quote

it's not much of a security policy that at the first sign of an issue, Support effectively tells you to completely disable it! 

This was triggered when I first noticed a security policy error that was being triggered by a custom template using "$smarty.session". To fix this I set a security policy as per the WHMCS docs to allow the session variable. I then noticed a ton more errors when accessing various pages in the admin area relating to WHMCS system variables - server, capture, etc. It was at this point I got in touch with WHMCS and they advised I now needed to add all the variables used by WHMCS to the security policy and not just the variable I wanted to allow.

So it looks like as soon as you create a security policy to enable a certain variable using "enabled_special_smarty_vars" anything that was previously being used when there was no security policy in place needs to be specifically added. WHMCS did say they were working on a more "graceful" way to handle this in the future but I wont hold my breath.


 

Link to comment
Share on other sites

37 minutes ago, D9Hosting said:

Thanks for the quick reply. Still no luck I'm afraid

just to add to the confusion, if I use your settings in my configuration.php file, then using strstr in an email works fine...

I added a line to the invoice created template...

{if $client_first_name|strstr:"Jer"}do something{/if}

and the emails are sending without issue and where relevant, is outputting "do something"... although if I were to try to use strstr as it would be used in php, then it fails... I wouldn't see your error message, i'd get...

Quote

Email Sending Failed - Email message rendered empty - please check the email message Smarty markup syntax

and the activity log would tell me the line of code that it doesn't like.

41 minutes ago, D9Hosting said:

This was triggered when I first noticed a security policy error that was being triggered by a custom template using "$smarty.session". To fix this I set a security policy as per the WHMCS docs to allow the session variable. I then noticed a ton more errors when accessing various pages in the admin area relating to WHMCS system variables - server, capture, etc. It was at this point I got in touch with WHMCS and they advised I now needed to add all the variables used by WHMCS to the security policy and not just the variable I wanted to allow.

it still seems like overkill to add variables that aren't being used... hey ho.

v8.1 is definitely logging and/or generating more errors than previous versions... and there are still plenty of references to Smarty env variables in the templates (both admin and client).

1 hour ago, D9Hosting said:

So it looks like as soon as you create a security policy to enable a certain variable using "enabled_special_smarty_vars" anything that was previously being used when there was no security policy in place needs to be specifically added.

which is why i'd add them one by one and only when necessary...  i'm not even sure bock should be on that list...

1 hour ago, D9Hosting said:

WHMCS did say they were working on a more "graceful" way to handle this in the future but I wont hold my breath.

there is *always* jam tomorrow with WHMCS - i'm glad that i'm not going to be around when that mythical time arrives!

1 hour ago, D9Hosting said:

As a workaround and before I spend a morning editing custom email templates, is there perhaps an alternative I can use to "$smarty.session.cart.promo" in /orderforms/configureproduct.tpl to pull the promo code used (if any) by the client? Figure it will be easier to edit that one file rather than a ton of email templates!

you could use a hook to pull the value from the session array and return it to the template as a "normal" variable.. or maybe even get the hook to do the output of whatever you're doing in the template based on that value.

Link to comment
Share on other sites

Quote

and the emails are sending without issue and where relevant, is outputting "do something"... although if I were to try to use strstr as it would be used in php, then it fails... I wouldn't see your error message, i'd get...

I do actually get the "Email Sending Failed - Email message rendered empty - please check the email message Smarty markup syntax" error message, but the line of code it mentions in the logs is any line that has this in it:

Quote

{if strstr($client_credit, "GBP")}If you are a UK resident you can pay via Bank Transfer by using the details below: snip{/if}

I like the sounds of the hook idea rather than wasting more time on this, I'll send you a PM.

Link to comment
Share on other sites

2 minutes ago, D9Hosting said:

I do actually get the "Email Sending Failed - Email message rendered empty - please check the email message Smarty markup syntax" error message, but the line of code it mentions in the logs is any line that has this in it:

in Smarty, that would be...

{if $client_credit|strstr:"GBP"}If you are a UK resident you can pay via Bank Transfer by using the details below: snip{/if}

... using that format doesn't throw an error for me.

Link to comment
Share on other sites

1 hour ago, brian! said:

... or if you're going to use strstr as a function rather than a modifier, then you declare it as such in the configuration file.


	'mail' => array(
		'php_functions' => array(
			'strstr',
		),
	),

You're too good for this community, problem solved!

Thanks so much for the help, I'll buy you a beer.

Link to comment
Share on other sites

  • 1 year later...
On 19/04/2021 at 2:50 PM, brian! said:

... or if you're going to use strstr as a function rather than a modifier, then you declare it as such in the configuration file.


	'mail' => array(
		'php_functions' => array(
			'strstr',
		),
	),

Thank you! 🙏

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated