Re: Forms security: Not displaying input means it is protected? --zivi-muh
Thanks, guys! On Fri, Nov 26, 2010 at 4:44 PM, euromark wrote: > some additional infos: > http://www.dereuromark.de/2010/10/05/cakephp-security/ > > On 26 Nov., 14:32, odd wrote: >> That's how it is. Personally i'm additionally using the fieldList >> feature (which unfortunately doesn't work well with multiple models >> and saveAll) as a last line of defense in case something goes wrong >> and a modified request slips through. >> >> Regards >> >> Joshua Muheim schrieb: >> >> >> >> >> >> >> >> > Thanks for the hint to the $whitelist, Stephen. But this seems not >> > necessary to me anymore when using the Security component (which I do >> > and I forgot to mention in my first post). Look at this >> > (http://book.cakephp.org/view/175/Security-Component): >> >> > "When using the Security Component you must use the FormHelper to >> > create your forms. The Security Component looks for certain indicators >> > that are created and managed by the FormHelper (especially those >> > created in create() and end()). Dynamically altering the fields that >> > are submitted in a POST request (e.g. disabling, deleting or creating >> > new fields via JavaScript) is likely to trigger a black-holing of the >> > request. See the $validatePost or $disabledFields configuration >> > parameters." >> >> > So if you're using Security component, the end user can't mess with >> > the POST data anymore. :-) >> >> > Any other comment about this, anyone? >> >> > On Fri, Nov 26, 2010 at 12:08 PM, Stephen >> > wrote: >> > > Hi There >> >> > > You should use a whitelist to specify the fields to save, any other >> > > fields >> > > will not be saved. >> >> > > Even if you don't display the field on the page, a user can still create >> > > the >> > > post variable from within their browser and use it to change data they >> > > shouldn't really be allowed to. >> >> > > Hope this helps >> >> > > Stephen >> >> > > On 26 November 2010 10:38, psybear83 wrote: >> >> > >> Hey everybody >> >> > >> In my application, users can edit their email, phone number etc., but >> > >> they are *not* allowed to edit their username - only admins are >> > >> allowed to do that. >> >> > >> So I'm wondering: is it safe to simply not display the username field >> > >> to the user? Afaik CakePHP makes sure that the form hasn't been >> > >> manually edited (e.g. adding a username input field), right? So I >> > >> don't have to double-check on the application's side, e.g. by >> > >> unsetting the $data[User][username] field, as long as I'm only >> > >> displaying form fields using CakePHP's form helper (and not >> > >> "deactivating" them by just hiding them using CSS or so), right? >> >> > >> If so - yeah, sweet! Thanks, CakePHP! :-) >> >> > >> Waiting for your confirmation about this fact, guys... Thanks! >> >> > >> Check out the new CakePHP Questions sitehttp://cakeqs.organd help others >> > >> with their CakePHP related questions. >> >> > >> You received this message because you are subscribed to the Google >> > >> Groups >> > >> "CakePHP" group. >> > >> To post to this group, send email to cake-php@googlegroups.com >> > >> To unsubscribe from this group, send email to >> > >> cake-php+unsubscr...@googlegroups.com For more options, visit this group >> > >> athttp://groups.google.com/group/cake-php?hl=en >> >> > > -- >> > > Kind Regards >> > > Stephen @ NinjaCoderMonkey >> >> > > www.ninjacodermonkey.co.uk >> >> > > Check out the new CakePHP Questions sitehttp://cakeqs.organd help others >> > > with their CakePHP related questions. >> >> > > You received this message because you are subscribed to the Google Groups >> > > "CakePHP" group. >> > > To post to this group, send email to cake-php@googlegroups.com >> > > To unsubscribe from this group, send email to >> > > cake-php+unsubscr...@googlegroups.com For more options, visit this group >> > > at >> > >http://groups.google.com/group/cake-php?hl=en > > Check out the new CakePHP Questions site http://cakeqs.org and help others > with their CakePHP related questions. > > You received this message because you are subscribed to the Google Groups > "CakePHP" group. > To post to this group, send email to cake-php@googlegroups.com > To unsubscribe from this group, send email to > cake-php+unsubscr...@googlegroups.com For more options, visit this group at > http://groups.google.com/group/cake-php?hl=en > Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Forms security: Not displaying input means it is protected? --zivi-muh
some additional infos: http://www.dereuromark.de/2010/10/05/cakephp-security/ On 26 Nov., 14:32, odd wrote: > That's how it is. Personally i'm additionally using the fieldList > feature (which unfortunately doesn't work well with multiple models > and saveAll) as a last line of defense in case something goes wrong > and a modified request slips through. > > Regards > > Joshua Muheim schrieb: > > > > > > > > > Thanks for the hint to the $whitelist, Stephen. But this seems not > > necessary to me anymore when using the Security component (which I do > > and I forgot to mention in my first post). Look at this > > (http://book.cakephp.org/view/175/Security-Component): > > > "When using the Security Component you must use the FormHelper to > > create your forms. The Security Component looks for certain indicators > > that are created and managed by the FormHelper (especially those > > created in create() and end()). Dynamically altering the fields that > > are submitted in a POST request (e.g. disabling, deleting or creating > > new fields via JavaScript) is likely to trigger a black-holing of the > > request. See the $validatePost or $disabledFields configuration > > parameters." > > > So if you're using Security component, the end user can't mess with > > the POST data anymore. :-) > > > Any other comment about this, anyone? > > > On Fri, Nov 26, 2010 at 12:08 PM, Stephen > > wrote: > > > Hi There > > > > You should use a whitelist to specify the fields to save, any other fields > > > will not be saved. > > > > Even if you don't display the field on the page, a user can still create > > > the > > > post variable from within their browser and use it to change data they > > > shouldn't really be allowed to. > > > > Hope this helps > > > > Stephen > > > > On 26 November 2010 10:38, psybear83 wrote: > > > >> Hey everybody > > > >> In my application, users can edit their email, phone number etc., but > > >> they are *not* allowed to edit their username - only admins are > > >> allowed to do that. > > > >> So I'm wondering: is it safe to simply not display the username field > > >> to the user? Afaik CakePHP makes sure that the form hasn't been > > >> manually edited (e.g. adding a username input field), right? So I > > >> don't have to double-check on the application's side, e.g. by > > >> unsetting the $data[User][username] field, as long as I'm only > > >> displaying form fields using CakePHP's form helper (and not > > >> "deactivating" them by just hiding them using CSS or so), right? > > > >> If so - yeah, sweet! Thanks, CakePHP! :-) > > > >> Waiting for your confirmation about this fact, guys... Thanks! > > > >> Check out the new CakePHP Questions sitehttp://cakeqs.organd help others > > >> with their CakePHP related questions. > > > >> You received this message because you are subscribed to the Google Groups > > >> "CakePHP" group. > > >> To post to this group, send email to cake-php@googlegroups.com > > >> To unsubscribe from this group, send email to > > >> cake-php+unsubscr...@googlegroups.com For more options, visit this group > > >> athttp://groups.google.com/group/cake-php?hl=en > > > > -- > > > Kind Regards > > > Stephen @ NinjaCoderMonkey > > > > www.ninjacodermonkey.co.uk > > > > Check out the new CakePHP Questions sitehttp://cakeqs.organd help others > > > with their CakePHP related questions. > > > > You received this message because you are subscribed to the Google Groups > > > "CakePHP" group. > > > To post to this group, send email to cake-php@googlegroups.com > > > To unsubscribe from this group, send email to > > > cake-php+unsubscr...@googlegroups.com For more options, visit this group > > > at > > >http://groups.google.com/group/cake-php?hl=en Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Forms security: Not displaying input means it is protected? --zivi-muh
That's how it is. Personally i'm additionally using the fieldList feature (which unfortunately doesn't work well with multiple models and saveAll) as a last line of defense in case something goes wrong and a modified request slips through. Regards Joshua Muheim schrieb: > Thanks for the hint to the $whitelist, Stephen. But this seems not > necessary to me anymore when using the Security component (which I do > and I forgot to mention in my first post). Look at this > (http://book.cakephp.org/view/175/Security-Component): > > "When using the Security Component you must use the FormHelper to > create your forms. The Security Component looks for certain indicators > that are created and managed by the FormHelper (especially those > created in create() and end()). Dynamically altering the fields that > are submitted in a POST request (e.g. disabling, deleting or creating > new fields via JavaScript) is likely to trigger a black-holing of the > request. See the $validatePost or $disabledFields configuration > parameters." > > So if you're using Security component, the end user can't mess with > the POST data anymore. :-) > > Any other comment about this, anyone? > > On Fri, Nov 26, 2010 at 12:08 PM, Stephen > wrote: > > Hi There > > > > You should use a whitelist to specify the fields to save, any other fields > > will not be saved. > > > > Even if you don't display the field on the page, a user can still create the > > post variable from within their browser and use it to change data they > > shouldn't really be allowed to. > > > > Hope this helps > > > > Stephen > > > > On 26 November 2010 10:38, psybear83 wrote: > >> > >> Hey everybody > >> > >> In my application, users can edit their email, phone number etc., but > >> they are *not* allowed to edit their username - only admins are > >> allowed to do that. > >> > >> So I'm wondering: is it safe to simply not display the username field > >> to the user? Afaik CakePHP makes sure that the form hasn't been > >> manually edited (e.g. adding a username input field), right? So I > >> don't have to double-check on the application's side, e.g. by > >> unsetting the $data[User][username] field, as long as I'm only > >> displaying form fields using CakePHP's form helper (and not > >> "deactivating" them by just hiding them using CSS or so), right? > >> > >> If so - yeah, sweet! Thanks, CakePHP! :-) > >> > >> Waiting for your confirmation about this fact, guys... Thanks! > >> > >> Check out the new CakePHP Questions site http://cakeqs.org and help others > >> with their CakePHP related questions. > >> > >> You received this message because you are subscribed to the Google Groups > >> "CakePHP" group. > >> To post to this group, send email to cake-php@googlegroups.com > >> To unsubscribe from this group, send email to > >> cake-php+unsubscr...@googlegroups.com For more options, visit this group > >> at http://groups.google.com/group/cake-php?hl=en > > > > > > > > -- > > Kind Regards > > Stephen @ NinjaCoderMonkey > > > > www.ninjacodermonkey.co.uk > > > > > > Check out the new CakePHP Questions site http://cakeqs.org and help others > > with their CakePHP related questions. > > > > You received this message because you are subscribed to the Google Groups > > "CakePHP" group. > > To post to this group, send email to cake-php@googlegroups.com > > To unsubscribe from this group, send email to > > cake-php+unsubscr...@googlegroups.com For more options, visit this group at > > http://groups.google.com/group/cake-php?hl=en > > Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Forms security: Not displaying input means it is protected? --zivi-muh
Ah that would explain it, I did scan your email over 3 times to be sure I wasn't misunderstanding! I haven't used the security component in this way yet so I am afraid I can't be of any further help I will use this component soon however, thanks for reminding me of its existence :) Kind Regards Stephen On 26 November 2010 12:09, Joshua Muheim wrote: > Thanks for the hint to the $whitelist, Stephen. But this seems not > necessary to me anymore when using the Security component (which I do > and I forgot to mention in my first post). Look at this > (http://book.cakephp.org/view/175/Security-Component): > > "When using the Security Component you must use the FormHelper to > create your forms. The Security Component looks for certain indicators > that are created and managed by the FormHelper (especially those > created in create() and end()). Dynamically altering the fields that > are submitted in a POST request (e.g. disabling, deleting or creating > new fields via JavaScript) is likely to trigger a black-holing of the > request. See the $validatePost or $disabledFields configuration > parameters." > > So if you're using Security component, the end user can't mess with > the POST data anymore. :-) > > Any other comment about this, anyone? > > On Fri, Nov 26, 2010 at 12:08 PM, Stephen > wrote: > > Hi There > > > > You should use a whitelist to specify the fields to save, any other > fields > > will not be saved. > > > > Even if you don't display the field on the page, a user can still create > the > > post variable from within their browser and use it to change data they > > shouldn't really be allowed to. > > > > Hope this helps > > > > Stephen > > > > On 26 November 2010 10:38, psybear83 wrote: > >> > >> Hey everybody > >> > >> In my application, users can edit their email, phone number etc., but > >> they are *not* allowed to edit their username - only admins are > >> allowed to do that. > >> > >> So I'm wondering: is it safe to simply not display the username field > >> to the user? Afaik CakePHP makes sure that the form hasn't been > >> manually edited (e.g. adding a username input field), right? So I > >> don't have to double-check on the application's side, e.g. by > >> unsetting the $data[User][username] field, as long as I'm only > >> displaying form fields using CakePHP's form helper (and not > >> "deactivating" them by just hiding them using CSS or so), right? > >> > >> If so - yeah, sweet! Thanks, CakePHP! :-) > >> > >> Waiting for your confirmation about this fact, guys... Thanks! > >> > >> Check out the new CakePHP Questions site http://cakeqs.org and help > others > >> with their CakePHP related questions. > >> > >> You received this message because you are subscribed to the Google > Groups > >> "CakePHP" group. > >> To post to this group, send email to cake-php@googlegroups.com > >> To unsubscribe from this group, send email to > >> cake-php+unsubscr...@googlegroups.comFor > >> more options, visit this group > >> at http://groups.google.com/group/cake-php?hl=en > > > > > > > > -- > > Kind Regards > > Stephen @ NinjaCoderMonkey > > > > www.ninjacodermonkey.co.uk > > > > > > Check out the new CakePHP Questions site http://cakeqs.org and help > others > > with their CakePHP related questions. > > > > You received this message because you are subscribed to the Google Groups > > "CakePHP" group. > > To post to this group, send email to cake-php@googlegroups.com > > To unsubscribe from this group, send email to > > cake-php+unsubscr...@googlegroups.comFor > > more options, visit this group at > > http://groups.google.com/group/cake-php?hl=en > > > > Check out the new CakePHP Questions site http://cakeqs.org and help others > with their CakePHP related questions. > > You received this message because you are subscribed to the Google Groups > "CakePHP" group. > To post to this group, send email to cake-php@googlegroups.com > To unsubscribe from this group, send email to > cake-php+unsubscr...@googlegroups.comFor > more options, visit this group at > http://groups.google.com/group/cake-php?hl=en > -- Kind Regards Stephen @ NinjaCoderMonkey www.ninjacodermonkey.co.uk Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Forms security: Not displaying input means it is protected? --zivi-muh
Thanks for the hint to the $whitelist, Stephen. But this seems not necessary to me anymore when using the Security component (which I do and I forgot to mention in my first post). Look at this (http://book.cakephp.org/view/175/Security-Component): "When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters." So if you're using Security component, the end user can't mess with the POST data anymore. :-) Any other comment about this, anyone? On Fri, Nov 26, 2010 at 12:08 PM, Stephen wrote: > Hi There > > You should use a whitelist to specify the fields to save, any other fields > will not be saved. > > Even if you don't display the field on the page, a user can still create the > post variable from within their browser and use it to change data they > shouldn't really be allowed to. > > Hope this helps > > Stephen > > On 26 November 2010 10:38, psybear83 wrote: >> >> Hey everybody >> >> In my application, users can edit their email, phone number etc., but >> they are *not* allowed to edit their username - only admins are >> allowed to do that. >> >> So I'm wondering: is it safe to simply not display the username field >> to the user? Afaik CakePHP makes sure that the form hasn't been >> manually edited (e.g. adding a username input field), right? So I >> don't have to double-check on the application's side, e.g. by >> unsetting the $data[User][username] field, as long as I'm only >> displaying form fields using CakePHP's form helper (and not >> "deactivating" them by just hiding them using CSS or so), right? >> >> If so - yeah, sweet! Thanks, CakePHP! :-) >> >> Waiting for your confirmation about this fact, guys... Thanks! >> >> Check out the new CakePHP Questions site http://cakeqs.org and help others >> with their CakePHP related questions. >> >> You received this message because you are subscribed to the Google Groups >> "CakePHP" group. >> To post to this group, send email to cake-php@googlegroups.com >> To unsubscribe from this group, send email to >> cake-php+unsubscr...@googlegroups.com For more options, visit this group >> at http://groups.google.com/group/cake-php?hl=en > > > > -- > Kind Regards > Stephen @ NinjaCoderMonkey > > www.ninjacodermonkey.co.uk > > > Check out the new CakePHP Questions site http://cakeqs.org and help others > with their CakePHP related questions. > > You received this message because you are subscribed to the Google Groups > "CakePHP" group. > To post to this group, send email to cake-php@googlegroups.com > To unsubscribe from this group, send email to > cake-php+unsubscr...@googlegroups.com For more options, visit this group at > http://groups.google.com/group/cake-php?hl=en > Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Forms security: Not displaying input means it is protected? --zivi-muh
Hi There You should use a whitelist to specify the fields to save, any other fields will not be saved. Even if you don't display the field on the page, a user can still create the post variable from within their browser and use it to change data they shouldn't really be allowed to. Hope this helps Stephen On 26 November 2010 10:38, psybear83 wrote: > Hey everybody > > In my application, users can edit their email, phone number etc., but > they are *not* allowed to edit their username - only admins are > allowed to do that. > > So I'm wondering: is it safe to simply not display the username field > to the user? Afaik CakePHP makes sure that the form hasn't been > manually edited (e.g. adding a username input field), right? So I > don't have to double-check on the application's side, e.g. by > unsetting the $data[User][username] field, as long as I'm only > displaying form fields using CakePHP's form helper (and not > "deactivating" them by just hiding them using CSS or so), right? > > If so - yeah, sweet! Thanks, CakePHP! :-) > > Waiting for your confirmation about this fact, guys... Thanks! > > Check out the new CakePHP Questions site http://cakeqs.org and help others > with their CakePHP related questions. > > You received this message because you are subscribed to the Google Groups > "CakePHP" group. > To post to this group, send email to cake-php@googlegroups.com > To unsubscribe from this group, send email to > cake-php+unsubscr...@googlegroups.comFor > more options, visit this group at > http://groups.google.com/group/cake-php?hl=en > -- Kind Regards Stephen @ NinjaCoderMonkey www.ninjacodermonkey.co.uk Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Forms security: Not displaying input means it is protected? --zivi-muh
Hey everybody In my application, users can edit their email, phone number etc., but they are *not* allowed to edit their username - only admins are allowed to do that. So I'm wondering: is it safe to simply not display the username field to the user? Afaik CakePHP makes sure that the form hasn't been manually edited (e.g. adding a username input field), right? So I don't have to double-check on the application's side, e.g. by unsetting the $data[User][username] field, as long as I'm only displaying form fields using CakePHP's form helper (and not "deactivating" them by just hiding them using CSS or so), right? If so - yeah, sweet! Thanks, CakePHP! :-) Waiting for your confirmation about this fact, guys... Thanks! Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en