Movable Type 5.13, 5.07, and 4.38 patch to fix the plugin template load error

This version of Movable Type was released February 21, 2012.

Note: This patch was updated on the 5th of March, 2012 after the initial release on the 1st of March. If you still see the “Template load error” after applying the initial patch, please download the patch again and re-apply it.

Thanks to community feedback, we found an issue in the Movable Type 5.13, 5.07, and 4.38 Security Updates and created a patch to resolve it. Due to the stricter security policy in 5.13, 5.07, and 4.38, some plugins produce the “Template load error”. There are two ways to resolve this error:

  1. Fix your plugin to meet the security policy in 5.13 / 5.07 / 4.38.
  2. Apply the patch and enable the AllowFileInclude configuration directive to relax the strict security policy.

Option 1, fixing the plugin, is recommended because AllowFileInclude weakens the protection against malicious plugins and templates. Please do not forget to disable the AllowFileInclude directive once you have updated your plugin to the fixed version.

If you are not seeing this “Template load error” after your upgrade, you don’t need to apply this patch. This patch will be included in the next release of Movable Type.

Versions affected

<ul class="bulletPoint">
  <li>Movable Type Open Source 4.38 / 5.07 / 5.13</li>
  <li>Movable Type 4.38 / 5.07 / 5.13 <span class="memo">(with Professional Pack, and Community Pack)</span></li>
  <li>Movable Type Advanced 5.07 / 5.13</li>
  <li>Movable Type Enterprise 4.38</li>
</ul>

How to apply the patch

The Movable Type component Template.pm has to be patched.

Download

<p>Please download the patched <strong>Template.pm</strong> from the following links. Choose the file for the version of your Movable Type.</p>

<ul>
  <li>For Movable Type 5.13, download <a href="http://www.movabletype.org/patches/MT-5.13-Template.Patch.zip">MT-5.13-Template.Patch.zip</a>.</li>
  <li>For Movable Type 5.07, download <a href="http://www.movabletype.org/patches/MT-5.07-Template.Patch.zip">MT-5.07-Template.Patch.zip</a>.</li>
  <li>For Movable Type 4.38, download <a href="http://www.movabletype.org/patches/MT-4.38-Template.Patch.zip">MT-4.38-Template.Patch.zip</a></li>
</ul>

Apply the patch

<p>The targeted file that you're going to replace is in the following directory of your Movable Type installation.</p>

<pre class="prettyprint"><code class="language-bsh">lib/MT/Template.pm</code></pre>

<p>First, create a backup of that file by either renaming it to be Template.pm.bak or copying its original into your home directory for safe keeping.</p>
<p>Unzip the patch file, and upload the <strong>Template.pm</strong> to the <strong>lib/MT</strong> directory to replace the original.</p>

Configure AllowFileInclude

<p>The <a href="http://www.movabletype.jp/documentation/appendices/config-directives/allowfileinclude.html">AllowFileInclude</a> configuration directive was introduced in Movable Type 5.13, 5.07, and 4.38. If you set this directive in your mt-config.cgi, it enables the <a href="http://www.movabletype.org/documentation/appendices/tags/include.html#file">mt:Include file="XXX" attribute</a>, which is disabled by default. The patch above adds one more function to this configuration directive: it relaxes the strict security policy when a plugin loads or includes a custom template. To enable it, add the following directive to mt-config.cgi.</p>

<pre class="prettyprint"><code class="language-bsh">AllowFileInclude 1
</code></pre>

Confirm the fix

<p>Confirm that the "<strong>Template load error</strong>" has been addressed; otherwise, restore the backup file.</p>

How to fix your plugin

There are two reasons why your plugin produces “Template load error” with Movable Type 5.13, 5.07, and 4.38. Please check your plugin’s source code, and apply the following fixes.

load_tmpl function

<p>You should not use the Movable Type instance to load a template in your plugin. For example, the following snippet of code <strong>does not</strong> work with MT 5.13, 5.07, and 4.38.</p>

<pre class="prettyprint"><code class="language-perl">my $plugin = MT-&gt;component(PLUGIN_ID);

# Loading through the application instance with a full file path
my $app = MT-&gt;instance;
my $tmpl_file = File::Spec-&gt;catdir( $plugin-&gt;{full_path}, 'tmpl', 'template.tmpl' );
my $tmpl = $app-&gt;load_tmpl( $tmpl_file );</code></pre>

<p>Instead, you should use the plugin component to load a template. The code above should be replaced by the following code.</p>

<pre class="prettyprint"><code class="language-perl">my $plugin = MT-&gt;component(PLUGIN_ID);

# Loading through the plugin component with a template file name
my $tmpl = $plugin-&gt;load_tmpl( 'template.tmpl' );</code></pre>

load_tmpl from the parent directory (added on the 5th of March)

<p>"Template load error" also occurs when you pass a path containing the parent directory (<strong>../</strong>) to the load_tmpl() function. To avoid this issue, please apply the updated patch and enable the <a href="http://www.movabletype.org/documentation/appendices/config-directives/allowfileinclude.html">AllowFileInclude</a> directive.</p>

mt:Include in the admin screen

<p>When you create an mt:Include element to transform the admin screen, you need to specify the component attribute with Movable Type 5.13, 5.07, and 4.38. For example, the following snippet of code <strong>produces "Template load error"</strong>.</p>

<pre class="prettyprint"><code class="language-perl">my $inc = $tmpl-&gt;createElement(
    'include', { name =&gt; 'template.tmpl' }
);
$tmpl-&gt;insertBefore( $inc, $placeholder );</code></pre>

<p>The code above should be replaced by the following code.</p>

<pre class="prettyprint"><code class="language-perl">my $inc = $tmpl-&gt;createElement(
    'include', { name =&gt; 'template.tmpl', component =&gt; PLUGIN_ID, }
);
$tmpl-&gt;insertBefore( $inc, $placeholder );</code></pre>
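
The plugin problems described in this section can be looked for in plugin source before upgrading. The following Perl script is an added example, not part of Movable Type or the patch; it is a heuristic that assumes the application object is held in a variable named $app (or used directly as MT->instance), and it audits a constructed sample when run without file arguments.

```perl
# Added example (not Movable Type code): heuristic audit of plugin source for
# the patterns this page says cause "Template load error".
use strict;
use warnings;

# Return a list of findings for one chunk of Perl source.
sub audit_source {
    my ($src) = @_;
    my @findings;
    # load_tmpl called on the application instance instead of the plugin
    # component. Assumption: the app object is named $app.
    while ( $src =~ /(\$app|MT->instance)\s*->\s*load_tmpl\s*\(/g ) {
        push @findings, "load_tmpl called on $1; use the plugin component";
    }
    # load_tmpl given a literal path that contains the parent directory.
    while ( $src =~ /->\s*load_tmpl\s*\(\s*(['"])([^'"]*\.\.\/[^'"]*)\1/g ) {
        push @findings, "load_tmpl path '$2' uses ../";
    }
    # createElement('include', {...}) whose attribute hash lacks component.
    while ( $src =~ /createElement\s*\(\s*['"]include['"]\s*,\s*\{(.*?)\}/gs ) {
        my $attrs = $1;
        push @findings, "include element without component attribute"
            unless $attrs =~ /\bcomponent\s*=>/;
    }
    return @findings;
}

# Constructed sample: the two "before" snippets from this page, a
# parent-directory load, and one corrected include that must not be flagged.
my $sample = <<'PERL';
my $app  = MT->instance;
my $tmpl = $app->load_tmpl( $tmpl_file );
my $t2   = $plugin->load_tmpl( '../shared/header.tmpl' );
my $inc  = $tmpl->createElement( 'include', { name => 'template.tmpl' } );
my $ok   = $tmpl->createElement( 'include',
    { name => 'template.tmpl', component => PLUGIN_ID } );
PERL

# With file arguments, audit those files; otherwise audit the sample.
for my $file ( @ARGV ? @ARGV : ('(constructed sample)') ) {
    my $src = $sample;
    if (@ARGV) {
        open my $fh, '<', $file or die "$file: $!";
        local $/;    # slurp the whole file
        $src = <$fh>;
    }
    print "$file: $_\n" for audit_source($src);
}
```

A plugin that reports no findings here may still fail for reasons the patterns do not cover, so confirm in the admin screen after upgrading.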
