My proposed fix in the trac ticket is that if there is a fieldList parameter, 'id' has to be in that list otherwise it won't be set.

I think this is really important as a default behaviour for cake. It's rather confusing that you have a whitelist but 'id' gets thru. It's dangerous.

Just to make sure you understand what happens: You have an add method in your controller:

    function add() {
        $this->Model->create();
        $this->Model->save($this->data, true, array('field1', 'field2'));
    }

So if someone adds an 'id' field in your add form your add method overwrites an existing record, despite you used create() and a whitelist. Don't get me wrong, the above sample is just very simplified.

Cheers,
Timo

On 9/4/07, francky06l <[EMAIL PROTECTED]> wrote:
>
> You could also hash your id in a hidden field, and when receiving the
> form, hash again the id and compare with the hidden hashed field. To
> trick you would have to find the hash string also... a bit harder. That
> with the Security should cover your needs.
> Hope this helps
>
> On Sep 4, 7:00 pm, "Chris Hartjes" <[EMAIL PROTECTED]> wrote:
> > On 9/4/07, J. Eckert <[EMAIL PROTECTED]> wrote:
> > > Hi there,
> > >
> > > There seems to be a security issue with the Model->save() function in
> > > Cake 1.2 if you are adding data through a form.
> >
> > I don't know if you already checked it out, but there is a Security
> > component that I think might help alleviate some of your fears about
> > the exact type of attack you are talking about:
> >
> > http://manual.cakephp.org/chapter/security
> >
> > There have also been a few threads on this mailing list about it as
> > well, so I also suggest searching those out via the Google Groups
> > interface.
> >
> > Hope that helps.
> >
> > --
> > Chris Hartjes
> > Senior Developer
> > Cake Development Corporation
> >
> > My motto for 2007: "Just build it, damnit!"
> >
> > @TheBallpark - http://www.littlehart.net/attheballpark
> > @TheKeyboard - http://www.littlehart.net/atthekeyboard

--
Timo Derstappen
http://teemow.com
mailto:[EMAIL PROTECTED]

You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
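The two mitigations discussed in the thread, as an added example that is not part of the original mail and not CakePHP's own code: a whitelist filter that models both the behaviour Timo describes (the primary key slipping past the fieldList) and his proposed fix (the primary key must be whitelisted like any other field), plus the hashed hidden-field check francky06l suggests. The function names, the $strictPrimaryKey flag, the secret and the posted form data are all constructed for illustration; the code assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not CakePHP code. Models how an 'id' in posted form data
// turns an intended INSERT into an UPDATE when the whitelist lets it through.

/**
 * Keep only the fields named in $fieldList.
 *
 * $strictPrimaryKey = false reproduces the behaviour the thread complains
 * about: the primary key is accepted even when it is not whitelisted.
 * $strictPrimaryKey = true is the proposed fix: the primary key is treated
 * like every other field and is dropped unless the whitelist names it.
 */
function applyFieldList(array $data, array $fieldList, $primaryKey = 'id', $strictPrimaryKey = true)
{
    $allowed = array_fill_keys($fieldList, true);
    $filtered = array();
    foreach ($data as $field => $value) {
        if (isset($allowed[$field])) {
            $filtered[$field] = $value;
        } elseif (!$strictPrimaryKey && $field === $primaryKey) {
            // The leak: an injected primary key bypasses the whitelist.
            $filtered[$field] = $value;
        }
    }
    return $filtered;
}

/**
 * What a model layer does with the filtered data after create():
 * a present primary key means "update that row", otherwise "insert a new row".
 */
function saveMode(array $filtered, $primaryKey = 'id')
{
    return isset($filtered[$primaryKey]) ? 'UPDATE' : 'INSERT';
}

/**
 * The hashed hidden-field approach from the thread: when rendering an edit
 * form, emit hash_hmac($id) alongside the id; on submit, recompute and compare
 * in constant time. A secret the client never sees is what makes this work.
 */
function signId($id, $secret)
{
    return hash_hmac('sha256', (string) $id, $secret);
}

function verifySignedId($id, $signature, $secret)
{
    return is_string($signature) && hash_equals(signId($id, $secret), $signature);
}

// Constructed form submission to an "add" action: the two expected fields
// plus an 'id' the form never contained.
$posted    = array('field1' => 'hello', 'field2' => 'world', 'id' => 42);
$whitelist = array('field1', 'field2');

$leaky  = applyFieldList($posted, $whitelist, 'id', false);
$strict = applyFieldList($posted, $whitelist, 'id', true);

// Without the fix the add action would update row 42; with it, the id is
// dropped and the save stays an insert.
printf("without fix: %s\n", saveMode($leaky));
printf("with fix:    %s\n", saveMode($strict));

// An edit action that legitimately receives the id whitelists it explicitly.
$editWhitelist = array('id', 'field1', 'field2');
printf("edit form:   %s\n", saveMode(applyFieldList($posted, $editWhitelist)));

// Hashed hidden field: a signature computed for id 7 does not verify for id 42.
$secret = 'constructed-server-side-secret';
$sig    = signId(7, $secret);
printf("id 7 verifies:  %s\n", verifySignedId(7, $sig, $secret) ? 'yes' : 'no');
printf("id 42 verifies: %s\n", verifySignedId(42, $sig, $secret) ? 'yes' : 'no');
```

The fieldList check is the simpler and more robust of the two: it needs no secret and fails closed for any add form, whereas the signed hidden field only helps on forms that are expected to carry an id and still depends on the secret staying server-side.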