According to Bill Clark <wclarkxoom(a)gmail.com>:

> 1) Checking the size before inclusion.

I'm coding a patch in this way, which prevents the inclusion of more than
MAX_TEMPLATE_INCLUSION_CHAR.

> 2) Limiting the number of inclusions (or at least making it more
> difficult by limiting the number of times the same file can be
> included, thus forcing attackers to create multiple large templates,
> which is easier to track and/or prevent).
My opinion is simply to prevent endless recursive templates (by storing the
recursion path).

With what I have already coded, template parsing should be faster, and with less
painful limitations.
Emmanuel Engelhart
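The two mechanisms discussed in this exchange, as an added illustration that is not code from the thread or from the project being patched: a toy template expander that stores the recursion path (the chain of templates currently being expanded) to refuse inclusion cycles, and a MAX_TEMPLATE_INCLUSION_CHAR cap on the total expanded size. The `{{name}}` inclusion syntax, the limit value, the template bodies and the behaviour for unknown templates are all assumptions made for the example. It also shows why the two checks are complementary: a chain of doubling templates with no cycle passes the recursion-path check and is stopped only by the size cap.

```python
import re

# Assumed limit and syntax for this example; not taken from the original thread.
MAX_TEMPLATE_INCLUSION_CHAR = 10_000
INCLUSION = re.compile(r"\{\{([A-Za-z0-9_]+)\}\}")


class TemplateError(Exception):
    pass


class RecursiveInclusion(TemplateError):
    """Raised when a template appears twice on the current recursion path."""


class InclusionTooLarge(TemplateError):
    """Raised when the total expanded output exceeds MAX_TEMPLATE_INCLUSION_CHAR."""


def expand(templates, name, path=(), counter=None):
    """Expand template `name`, recursively inlining {{other}} references.

    `path` is the recursion path: the tuple of templates whose expansion is
    still in progress. Seeing `name` on it means an inclusion cycle, direct
    ({{A}} inside A) or mutual (A -> B -> A). Because it is a path and not a
    global "seen" set, the same template may legitimately be included several
    times in different branches.

    `counter` is a one-element list holding the number of characters emitted
    so far across all branches, so the cap applies to the whole expansion.
    """
    if counter is None:
        counter = [0]
    if name in path:
        raise RecursiveInclusion(" -> ".join(path + (name,)))
    if name not in templates:
        # Assumption: an unknown template is left as a literal reference.
        return "{{" + name + "}}"

    def emit(text):
        counter[0] += len(text)
        if counter[0] > MAX_TEMPLATE_INCLUSION_CHAR:
            raise InclusionTooLarge(
                "expansion of %r exceeds %d characters" % (path + (name,), MAX_TEMPLATE_INCLUSION_CHAR)
            )
        return text

    body = templates[name]
    out = []
    last = 0
    for m in INCLUSION.finditer(body):
        out.append(emit(body[last:m.start()]))
        out.append(expand(templates, m.group(1), path + (name,), counter))
        last = m.end()
    out.append(emit(body[last:]))
    return "".join(out)


def classify(templates, name):
    """Return a short verdict for expanding `name`, for use in tests and logs."""
    try:
        expand(templates, name)
    except RecursiveInclusion as exc:
        return "recursive: " + str(exc)
    except InclusionTooLarge:
        return "too large"
    return "ok"


def doubling_templates(levels):
    """Constructed sample: L<n> includes L<n-1> twice, so L<n> expands to 2**(n+1) chars.

    There is no cycle anywhere, so only the size cap can stop it.
    """
    templates = {"L0": "ha"}
    for i in range(1, levels + 1):
        templates["L%d" % i] = "{{L%d}}{{L%d}}" % (i - 1, i - 1)
    return templates


# Constructed sample templates for the cases discussed in the thread.
BENIGN = {"Name": "Emmanuel", "Sig": "-- {{Name}}", "Page": "{{Sig}}/{{Sig}}"}
DIRECT_LOOP = {"Loop": "x{{Loop}}"}
MUTUAL = {"A": "a{{B}}", "B": "b{{A}}"}

if __name__ == "__main__":
    print(expand(BENIGN, "Page"))
    print(classify(DIRECT_LOOP, "Loop"))
    print(classify(MUTUAL, "A"))
    print(classify(doubling_templates(5), "L5"))
    print(classify(doubling_templates(20), "L20"))
```

The recursion path is passed down as a tuple rather than kept in a shared set, which is the property that lets `Sig` appear twice in `Page` without being reported as recursion; the character counter, by contrast, is deliberately shared across branches, otherwise each branch of the doubling chain would stay under the limit individually while the total grows exponentially.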