Friday, November 26, 2010

Re: Forms security: Not displaying input means it is protected? --zivi-muh

That's how it is. Personally i'm additionally using the fieldList
feature (which unfortunately doesn't work well with multiple models
and saveAll) as a last line of defense in case something goes wrong
and a modified request slips through.

Regards


Joshua Muheim schrieb:
> Thanks for the hint to the $whitelist, Stephen. But this seems not
> necessary to me anymore when using the Security component (which I do
> and I forgot to mention in my first post). Look at this
> (http://book.cakephp.org/view/175/Security-Component):
>
> "When using the Security Component you must use the FormHelper to
> create your forms. The Security Component looks for certain indicators
> that are created and managed by the FormHelper (especially those
> created in create() and end()). Dynamically altering the fields that
> are submitted in a POST request (e.g. disabling, deleting or creating
> new fields via JavaScript) is likely to trigger a black-holing of the
> request. See the $validatePost or $disabledFields configuration
> parameters."
>
> So if you're using Security component, the end user can't mess with
> the POST data anymore. :-)
>
> Any other comment about this, anyone?
>
> On Fri, Nov 26, 2010 at 12:08 PM, Stephen
> <stephen@ninjacodermonkey.co.uk> wrote:
> > Hi There
> >
> > You should use a whitelist to specify the fields to save, any other fields
> > will not be saved.
> >
> > Even if you don't display the field on the page, a user can still create the
> > post variable from within their browser and use it to change data they
> > shouldn't really be allowed to.
> >
> > Hope this helps
> >
> > Stephen
> >
> > On 26 November 2010 10:38, psybear83 <psybear83@gmail.com> wrote:
> >>
> >> Hey everybody
> >>
> >> In my application, users can edit their email, phone number etc., but
> >> they are *not* allowed to edit their username - only admins are
> >> allowed to do that.
> >>
> >> So I'm wondering: is it safe to simply not display the username field
> >> to the user? Afaik CakePHP makes sure that the form hasn't been
> >> manually edited (e.g. adding a username input field), right? So I
> >> don't have to double-check on the application's side, e.g. by
> >> unsetting the $data[User][username] field, as long as I'm only
> >> displaying form fields using CakePHP's form helper (and not
> >> "deactivating" them by just hiding them using CSS or so), right?
> >>
> >> If so - yeah, sweet! Thanks, CakePHP! :-)
> >>
> >> Waiting for your confirmation about this fact, guys... Thanks!
> >>
> >> Check out the new CakePHP Questions site http://cakeqs.org and help others
> >> with their CakePHP related questions.
> >>
> >> You received this message because you are subscribed to the Google Groups
> >> "CakePHP" group.
> >> To post to this group, send email to cake-php@googlegroups.com
> >> To unsubscribe from this group, send email to
> >> cake-php+unsubscribe@googlegroups.com For more options, visit this group
> >> at http://groups.google.com/group/cake-php?hl=en
> >
> >
> >
> > --
> > Kind Regards
> >  Stephen @ NinjaCoderMonkey
> >
> >  www.ninjacodermonkey.co.uk
> >
> >
> > Check out the new CakePHP Questions site http://cakeqs.org and help others
> > with their CakePHP related questions.
> >
> > You received this message because you are subscribed to the Google Groups
> > "CakePHP" group.
> > To post to this group, send email to cake-php@googlegroups.com
> > To unsubscribe from this group, send email to
> > cake-php+unsubscribe@googlegroups.com For more options, visit this group at
> > http://groups.google.com/group/cake-php?hl=en
> >

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

No comments: