Wednesday, March 7, 2012

Re: "Mass Assignment Vulnerability" - protection in Cake

Yeah, I'm on Cake 2.1, so I will have to test it thoroughly for sure.

Thanks!


On Wed, Mar 7, 2012 at 4:07 PM, jeremyharris <funeralmoss@gmail.com> wrote:
Enabling the Security component should be the first thing you do. You are immediately protected against form tampering.

Something to note on enabling it on an existing app: test it thoroughly! One thing that comes to mind: checkboxes with no hiddenField will blackhole (at least in 1.3).

On Wednesday, March 7, 2012 7:59:39 AM UTC-8, nabeel wrote:
I figured, so using SecurityComponent will protect against this.
I have to re-visit that component; I was having some issues on forms when they came from a redirect (i.e., external auth).

Thanks

On Tuesday, March 6, 2012 5:01:38 PM UTC-5, PhpNut - Larry E. Masters wrote:

Hi all,

I'm sure we've all heard about what happened with RoR and Github just
recently -

https://github.com/rails/rails/issues/5228
http://arstechnica.com/business/news/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby.ars

So I can see how this could possibly be done in Cake as well (haven't
tried), but just adding a hidden field to the form with the values.

So - what's the best way (in Cake) to protect against this? Is it
setting the allowed fields in the $this->Model->save() call? Is there a
better way?


CakePHP has protected against this for years. Follow conventions, use the Security Component and Form Helper.

$components = array('Security');


--
Larry E. Masters
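The two protections raised in this thread, enabling the Security component and passing an allowed-field list to save(), as an added CakePHP 2.x example that is not from the mailing list. The User model, its 'role' column and the register() action are assumed for illustration.

```php
<?php
// app/Controller/AppController.php (CakePHP 2.x). Added example, not
// code from the thread. Assumes a User model with a hypothetical 'role'
// column that must never be writable from a public form.
App::uses('Controller', 'Controller');

class AppController extends Controller {
    // SecurityComponent signs the field set of every FormHelper-built
    // form; a POST whose fields do not match the signed set (e.g. an
    // extra hidden input added client-side) is blackholed.
    public $components = array('Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Route blackholed requests to a handler so they are logged
        // instead of failing silently with a bare 400.
        $this->Security->blackHoleCallback = 'blackhole';
    }

    public function blackhole($type) {
        CakeLog::write('warning', 'Security blackhole (' . $type . ') on '
            . $this->request->here);
        throw new BadRequestException();
    }
}

// app/Controller/UsersController.php
class UsersController extends AppController {
    public function register() {
        if ($this->request->is('post')) {
            // Third argument of Model::save() is a whitelist: only these
            // columns are written, so a posted User[role] is dropped even
            // if it reaches the save call.
            $fieldList = array('username', 'email', 'password');
            if ($this->User->save($this->request->data, true, $fieldList)) {
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('Registration failed.');
        }
    }
}
```

The two layers are complementary: the form token stops tampered submissions at the request level, and the field list stops unexpected columns at the model level regardless of how the data arrived.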
 

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
 
 
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
