Re: CakePHP 2.0 meioupload

2011-10-27 Thread jdbartlett 
By the time CakePHP 2.0 went stable, there had been a few other
changes that can cause conflicts with MeioUpload. Here's a Cake2-ready
fork of MeioUpload 2.2:

https://github.com/jdbartlett/MeioUpload

I've also filed a pull request with jrbasso's repo, so check there
first if you've stumbled across this post several months/years in the
future via Google (assuming the zombies haven't devoured us all).

On Oct 26, 10:20 am, zuha  wrote:
> Actually I think the preferred way if I'm not mistaken is...
>
> App::uses('File', 'Utility');
> App::uses('Folder', 'Utility');

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php

Re: SecurityComponent Logs

2010-07-16 Thread jdbartlett 
I've been thinking about this a little more and agree that this should
probably be a separate plugin rather than a patch for the current
SecurityComponent.

The more I think about it, tokenizing basically serves to prevent
record hijacking (overtyping a primary or foreign key or other hidden
field in a form) and field insertion (adding extra fields to the
form). But most modern web apps expose CRUD methods in a JSON REST API
for use with Ajax, where form field hashes don't (or shouldn't) apply.

In the threads I've seen on the subject, it's recommended to disable
SecurityComponent's POST validation for Ajax requests to avoid black
boxes. This exposes the REST API to CSRF attacks. Even when CSRF
protection is restored (by checking that Ajax requests include header
information, appended to the XHR by JavaScript--non-exotic CSRF attack
sites can't do this), record hijacking and field insertion must be
coded for manually. Effectively, as far as such applications are
concerned, field hashing may as well not exist at all.

Perhaps it would be better to produce a plugin that recommends use of
fieldLists in save() calls and record ownership verification, instead
of relying on field hashing. For CSRF protection, it could use session-
specific tokens appended as hidden fields in forms and as HTTP Request
Headers in Ajax requests.

Does anyone think I've overlooked something with this concept? It's
quite an extension of my original goal!

Thanks.

On Jul 16, 9:00 am, cricket  wrote:
> On Fri, Jul 16, 2010 at 9:30 AM, jdbartlett  wrote:
> > SecurityComponent is good for protecting against CSRF attacks, but
> > when I encounter a black hole while debugging an app, I want to know
> > why. When SecurityComponent black holes a request, it's only capable
> > of telling you one thing: you sent a bad request. That's good for
> > production--you want attackers to have as little information as
> > possible--but it's frustrating for developers who are debugging their
> > code.
>
> > I think it would be helpful if there were an option to have
> > SecurityComponent and FormHelper log the unserialized field lists they
> > use to produce token hashes.
>
> > My idea is to create a security.log in tmp/logs with entries like:
> > * [Time and Request URI] - Form field hash [hash] based on [field
> > list]
> > * [Time and Request URI] - Request field hash [hash] based on [field
> > list]
> > * [Time and Request URI] - Request field hash [hash] does not match
> > Form field hash [hash]
>
> > Because it's intended for debugging specific black holes, I think such
> > logging should be a discrete configuration option for
> > SecurityComponent. Developers would enable it only when they need to
> > work out why a specific request is being black holed.
>
> > Does anyone else think this would be helpful? Are there good reasons
> > to avoid such an approach? I've hacked my own SecurityComponent and
> > FormHelper forks to do this, but wanted the community's opinion on the
> > idea before cleaning it up and submitting a patch/pull request.
>
> One vote from me. That seems worthwhile. Perhaps a good approach would
> be to create a plugin.

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en

Re: SecurityComponent Logs

2010-07-16 Thread jdbartlett 
Unless you specify a callback action, SecurityComponent's black holes
are always HTTP 404 responses with no body content. Currently,
SecurityComponent is designed not to give any information about why
it's black holing a response.

On Jul 16, 1:24 pm, euromark  wrote:
> are those black holes 404s? or what error code is thrown?
>
> On 16 Jul., 16:00, cricket  wrote:
>
>
>
> > On Fri, Jul 16, 2010 at 9:30 AM, jdbartlett  wrote:
> > > SecurityComponent is good for protecting against CSRF attacks, but
> > > when I encounter a black hole while debugging an app, I want to know
> > > why. When SecurityComponent black holes a request, it's only capable
> > > of telling you one thing: you sent a bad request. That's good for
> > > production--you want attackers to have as little information as
> > > possible--but it's frustrating for developers who are debugging their
> > > code.
>
> > > I think it would be helpful if there were an option to have
> > > SecurityComponent and FormHelper log the unserialized field lists they
> > > use to produce token hashes.
>
> > > My idea is to create a security.log in tmp/logs with entries like:
> > > * [Time and Request URI] - Form field hash [hash] based on [field
> > > list]
> > > * [Time and Request URI] - Request field hash [hash] based on [field
> > > list]
> > > * [Time and Request URI] - Request field hash [hash] does not match
> > > Form field hash [hash]
>
> > > Because it's intended for debugging specific black holes, I think such
> > > logging should be a discrete configuration option for
> > > SecurityComponent. Developers would enable it only when they need to
> > > work out why a specific request is being black holed.
>
> > > Does anyone else think this would be helpful? Are there good reasons
> > > to avoid such an approach? I've hacked my own SecurityComponent and
> > > FormHelper forks to do this, but wanted the community's opinion on the
> > > idea before cleaning it up and submitting a patch/pull request.
>
> > One vote from me. That seems worthwhile. Perhaps a good approach would
> > be to create a plugin.

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en

SecurityComponent Logs

2010-07-16 Thread jdbartlett 
SecurityComponent is good for protecting against CSRF attacks, but
when I encounter a black hole while debugging an app, I want to know
why. When SecurityComponent black holes a request, it's only capable
of telling you one thing: you sent a bad request. That's good for
production--you want attackers to have as little information as
possible--but it's frustrating for developers who are debugging their
code.

I think it would be helpful if there were an option to have
SecurityComponent and FormHelper log the unserialized field lists they
use to produce token hashes.

My idea is to create a security.log in tmp/logs with entries like:
* [Time and Request URI] - Form field hash [hash] based on [field
list]
* [Time and Request URI] - Request field hash [hash] based on [field
list]
* [Time and Request URI] - Request field hash [hash] does not match
Form field hash [hash]

Because it's intended for debugging specific black holes, I think such
logging should be a discrete configuration option for
SecurityComponent. Developers would enable it only when they need to
work out why a specific request is being black holed.

Does anyone else think this would be helpful? Are there good reasons
to avoid such an approach? I've hacked my own SecurityComponent and
FormHelper forks to do this, but wanted the community's opinion on the
idea before cleaning it up and submitting a patch/pull request.

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en