How would you handle it? Or do you just let PHP throw errors and notices here for your log files?
On Monday, 10 December 2012 16:26:16 UTC+1, euromark wrote:

By accident, while looking at the error logs, I found something that concerns me. Currently something like this is used by probably most of us:

    if (!empty($this->request->params['named']['sort'])) {
        // we expect a string in 99% of all cases
        $sort = strtolower($this->request->params['named']['sort']);
        // do something with it
    }

But if you generate URLs like `.../sort:created/sort:foo/sort:bar/...` you can easily break the logic here. So, if someone wants to hurt you, he could just try to do that with all your pages where you expect named (or query) strings, and on such a big scale that your error logs fill up in the MB range in the hope of filling the hard disk. Should we have any concerns here?

Shouldn't we whitelist the named/query params that can/will be arrays? Like $this->request->exceptAsArray('sort') etc.? Or always use this (I found at least 400 places in my code where this array trick would result in lots of broken code, by the way):

    if (!empty($this->request->params['named']['sort'])) {
        // a repeated named param arrives as an array; keep only the first value
        if (is_array($this->request->params['named']['sort'])) {
            $this->request->params['named']['sort'] = array_shift($this->request->params['named']['sort']);
        }
        $sort = strtolower($this->request->params['named']['sort']);
        // do something with it
    }

Adding some whitelisting would be cleaner here IMO.
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
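The whitelisting approach the post asks for, written out as an added example. This is not CakePHP code and not euromark's; the helper names (scalarParam, listParam, sortColumn) and the sample parameter arrays are made up for illustration, and the arrays mirror what the post says a repeated `sort:` named parameter turns into. The point is that a parameter is only ever treated as an array where the action explicitly expects one, and that a value of the wrong shape falls back to a default instead of reaching strtolower() and producing a warning in the log.

```php
<?php
// Added example, not CakePHP code: coerce named/query parameters to the
// shape the action expects instead of assuming a string and letting
// strtolower() warn when a repeated key turned the value into an array.

/**
 * Return $params[$key] as a string, or $default if it is absent or not a
 * scalar. Repeated keys (sort:a/sort:b, or ?sort[]=a&sort[]=b) arrive as
 * arrays; those are rejected here rather than silently taking the first
 * element, so the caller decides whether to ignore or log the request.
 */
function scalarParam(array $params, $key, $default = null)
{
    if (!isset($params[$key]) || !is_scalar($params[$key])) {
        return $default;
    }
    return (string)$params[$key];
}

/**
 * Return $params[$key] as a flat list of strings. Only call this for keys
 * that are explicitly expected to be repeatable (the "whitelist" of
 * array-capable params). Nested arrays (sort[a][b]=x) are dropped.
 */
function listParam(array $params, $key)
{
    if (!isset($params[$key])) {
        return array();
    }
    $values = is_array($params[$key]) ? $params[$key] : array($params[$key]);
    $out = array();
    foreach ($values as $v) {
        if (is_scalar($v)) {
            $out[] = (string)$v;
        }
    }
    return $out;
}

/**
 * Resolve the sort column: lower-case as the original code did, then accept
 * it only if it is one of the columns this action actually supports.
 * Anything else (array, unknown column, missing) yields $default, so no
 * notice or warning is ever written for attacker-controlled input.
 */
function sortColumn(array $params, array $allowedColumns, $default)
{
    $sort = scalarParam($params, 'sort');
    if ($sort === null) {
        return $default;
    }
    $sort = strtolower($sort);
    return in_array($sort, $allowedColumns, true) ? $sort : $default;
}

// Constructed sample inputs (hypothetical), shaped like the 'named' array
// the post describes for the three kinds of URL:
$normal   = array('sort' => 'Created');                       // .../sort:Created
$repeated = array('sort' => array('created', 'foo', 'bar'));  // .../sort:created/sort:foo/sort:bar
$nested   = array('sort' => array('a' => array('b' => 'c')));  // ?sort[a][b]=c

$allowedColumns = array('created', 'modified', 'title');

// In a controller action this would be:
//   $sort = sortColumn($this->request->params['named'], $allowedColumns, 'created');
var_dump(sortColumn($normal, $allowedColumns, 'created'));
var_dump(sortColumn($repeated, $allowedColumns, 'created'));
var_dump(sortColumn($nested, $allowedColumns, 'created'));

// A param that is meant to be repeatable is read through listParam() instead,
// so the same URL trick cannot break it either.
var_dump(listParam($repeated, 'sort'));
```

Two design choices worth noting: scalarParam() returns the default for arrays rather than array_shift()-ing them, because silently taking the first element still lets a caller believe the input was well-formed, and checking the lower-cased value against an explicit column list means the accepted set is documented in one place rather than implied by whatever the ORDER BY code happens to tolerate.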