Hello Graham,
Thanks a lot for your kind answer. I was pretty sure that in no way
are any globals being passed to extract inside Cake's core; I just
wanted to make sure of that in order to show it to my "paranoid" client!
Thanks again.
Cheers,
Ma'moon
On Mon, Jul 19, 2010 at 2:30 AM, s
Hi,
I need an example that demonstrates the security risk in a CakePHP
application that depends on extract!!!
On Jul 19, 1:40 am, Graham Weldon wrote:
> Extract is only ever used on settings and the like.
> While we do a lot to ensure the security and safety of the framework,
> we do not provide secur
Extract is only ever used on settings and the like.
While we do a lot to ensure the security and safety of the framework,
we do not provide security for developers passing in globals and
exposing potential security risks or issues.
The core at no point will extract and override a global like $_FIL
Dear CakePHP core developers,
I have noticed that the "extract" function is being used in so many places
all over the core files (more than 100), and as you know, the extract
function is very dangerous to use according to the warning being mentioned
in the documentation page @ php.net/extract, kin
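The distinction drawn in this thread, between extract() on an application-defined array and extract() on request data, shown as an added example that is not part of the thread and is not CakePHP code. The function names and the `$request` array are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for request data such as $_GET or $_POST.
$request = ['title' => 'Hello', 'isAdmin' => '1'];

// Risky pattern: extract() with its default flag (EXTR_OVERWRITE) replaces any
// local variable whose name matches a key in the array it is given.
function renderUnsafe(array $input): string
{
    $isAdmin = false;              // value decided by the application
    extract($input);               // an 'isAdmin' key silently replaces it
    return sprintf('%s (admin=%s)', $title ?? '', var_export((bool) $isAdmin, true));
}

// Hardened form 1: keep only the keys the code expects, and pass EXTR_SKIP so
// an existing variable is never overwritten even if the allow-list grows.
function renderAllowListed(array $input): string
{
    $isAdmin = false;
    $allowed = array_intersect_key($input, array_flip(['title']));
    extract($allowed, EXTR_SKIP);
    return sprintf('%s (admin=%s)', $title ?? '', var_export($isAdmin, true));
}

// Hardened form 2: EXTR_PREFIX_ALL puts every extracted name behind a prefix
// ($in_title, $in_isAdmin), so it cannot collide with application variables.
function renderPrefixed(array $input): string
{
    $isAdmin = false;
    extract($input, EXTR_PREFIX_ALL, 'in');
    return sprintf('%s (admin=%s)', $in_title ?? '', var_export($isAdmin, true));
}

// Review aid: list the keys of an array that would overwrite variables in the
// given scope if it were passed to a default extract() call.
function collidingKeys(array $input, array $scopeVars): array
{
    return array_keys(array_intersect_key($input, $scopeVars));
}

echo renderUnsafe($request), PHP_EOL;
echo renderAllowListed($request), PHP_EOL;
echo renderPrefixed($request), PHP_EOL;
echo implode(',', collidingKeys($request, ['isAdmin' => false])), PHP_EOL;
```

Calling `collidingKeys($data, get_defined_vars())` immediately before an extract() call reports which existing variables that call would replace.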