My proposed fix in the trac ticket is that if there is a fieldList
parameter, 'id' has to be in that list otherwise it won't be set.

I think this is really important as a default behaviour for cake. It's
rather confusing that you have a whitelist but 'id' gets through. It's
dangerous. Just to make sure you understand what happens:

You have an add method in your controller:

function add() {
    // create() resets the model so the next save() is meant to INSERT
    $this->Model->create();
    // whitelist: only field1 and field2 should be taken from the form,
    // but a submitted 'id' still gets through (the closing quote after
    // 'field1' was missing in the original snippet)
    $this->Model->save($this->data, true, array('field1', 'field2'));
}

So if someone adds an 'id' field in your add form, your add method
overwrites an existing record, despite your use of create() and a whitelist.
Don't get me wrong, the above sample is just very simplified.

Cheers,
Timo

On 9/4/07, francky06l <[EMAIL PROTECTED]> wrote:
>
> You could also hash your id in an hidden field, and when receiving the
> form, hash again the id and compare with the hidden hashed field. To
> trick you would have to find the hash string also ..a bit harder. That
> with the Security should cover your needs.
> Hope this helps
>
> On Sep 4, 7:00 pm, "Chris Hartjes" <[EMAIL PROTECTED]> wrote:
> > On 9/4/07, J. Eckert <[EMAIL PROTECTED]> wrote:
> >
> > > Hi there,
> >
> > > There seems to be a security issue with the Model->save() function in
> > > Cake 1.2 if you are adding data through a form.
> >
> > I don't know if you already checked it out, but there is a Security
> > component that I think might help alleviate some of your fears about
> > the exact type of attack you are talking about:
> >
> > http://manual.cakephp.org/chapter/security
> >
> > There have also been a few threads on this mailing list about it as
> > well, so I also suggest searching those out via the Google Groups
> > interface.
> >
> > Hope that helps.
> >
> > --
> > Chris Hartjes
> > Senior Developer
> > Cake Development Corporation
> >
> > My motto for 2007:  "Just build it, damnit!"
> >
> > @TheBallpark -http://www.littlehart.net/attheballpark
> > @TheKeyboard -http://www.littlehart.net/atthekeyboard


-- 
Timo Derstappen

http://teemow.com
mailto:[EMAIL PROTECTED]
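The two defences discussed in this thread, as an added example in plain PHP (not code from the thread, the trac ticket, or CakePHP itself): first, a whitelist filter that drops every submitted field not in the field list, so a form-injected 'id' never reaches save() unless 'id' is explicitly whitelisted (the default behaviour Timo proposes); second, francky06l's idea of binding the record id in a hidden field to a server-side secret, written here as an HMAC with a constant-time compare rather than a plain hash. The secret, field names and posted data are constructed for the example; the commented-out save() call uses the save($data, $validate, $fieldList) form shown above.

```php
<?php
// Added example, not CakePHP code. Keeps only whitelisted fields from form
// data. A submitted 'id' is dropped unless 'id' is in $fieldList, which is
// the behaviour the thread asks save() to enforce by default.
function filterToWhitelist(array $data, array $fieldList) {
    $allowed = array_flip($fieldList);
    $clean = array();
    foreach ($data as $field => $value) {
        if (isset($allowed[$field])) {
            $clean[$field] = $value;
        }
    }
    return $clean;
}

// Signs a record id for an edit form's hidden field. Unlike a bare hash of
// the id, an HMAC cannot be recomputed without the server-side secret.
function signId($id, $secret) {
    return hash_hmac('sha256', (string) $id, $secret);
}

// Verifies the hidden-field signature when the edit form comes back.
// The compare is done byte by byte in constant time so the check does
// not leak how many leading characters of the signature were right.
function verifySignedId($id, $signature, $secret) {
    $expected = signId($id, $secret);
    if (strlen($expected) !== strlen($signature)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($signature[$i]);
    }
    return $diff === 0;
}

// ---- usage with constructed data ----
$secret = 'replace-with-a-long-random-server-side-secret'; // placeholder

// Constructed "add" submission carrying an extra 'id' and an extra 'role'
// field; neither is in the whitelist, so neither survives.
$posted = array('id' => 42, 'field1' => 'a', 'field2' => 'b', 'role' => 'admin');
$clean  = filterToWhitelist($posted, array('field1', 'field2'));
echo array_key_exists('id', $clean) ? "id leaked through\n" : "id dropped\n";
// In the controller: $this->Model->create();
//                    $this->Model->save($clean, true, array('field1', 'field2'));

// Constructed "edit" form: the hidden field carries the id and its signature.
$recordId = 7;
$hidden   = array('id' => $recordId, 'id_sig' => signId($recordId, $secret));
echo verifySignedId($hidden['id'], $hidden['id_sig'], $secret)
    ? "edit id accepted\n" : "edit id rejected\n";

// Same form with a tampered id: the signature no longer matches.
$hidden['id'] = 8;
echo verifySignedId($hidden['id'], $hidden['id_sig'], $secret)
    ? "tampered id accepted\n" : "tampered id rejected\n";
```

The filter is applied before save() because the thread's point is that save() itself does not yet drop 'id'; once the proposed default lands, the filter becomes a belt-and-braces check. For the signed id, the secret must be per-application and not derivable from anything the form exposes, otherwise an attacker can regenerate the signature for another record's id.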

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---