Re: Security Component is Ruining my Life

2014-10-28 Thread Dr. Tarique Sani
On Mon, Oct 27, 2014 at 10:38 PM, Florian Krämer  wrote:

> I've turned the idea into an implementation. Proof of concept goes here:
> https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76
>


Cool! I will try this out...

Tarique

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: Security Component is Ruining my Life

2014-10-27 Thread Florian Krämer
I've turned the idea into an implementation. Proof of concept goes 
here: 
https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

This will output the dirty fields as a list below the error message. I hope 
this is going to make it into the core. :)

On Sunday, October 19, 2014 12:26:44 AM UTC+2, glk wrote:
>
> Florian... What a wonderful idea.  
>
> Just wish I understood all of Cake well enough to help implement.  I've 
> fought with the Security Component many times and, although I've never 
> lost, it has created many headaches.  Hope the Development team can add 
> this functionality during debugging.
>
>



Re: Security Component is Ruining my Life

2014-10-18 Thread glk
Florian... What a wonderful idea.  

Just wish I understood all of Cake well enough to help implement.  I've 
fought with the Security Component many times and, although I've never 
lost, it has created many headaches.  Hope the Development team can add 
this functionality during debugging.



Re: Security Component is Ruining my Life

2014-09-12 Thread Florian Krämer
Mark, wouldn't it be possible to keep track of these changes somehow via 
Debug Kit? Save the original keys to the session and then do the same 
comparison with the data that the Security Component does, but without the 
hashing, using an array diff instead?

On Friday, September 12, 2014 4:32:32 AM UTC+2, mark_story wrote:
>
> One of the issues with the field hashing is that SecurityComponent doesn't 
> know what is wrong either. It just knows that the hash of the data does not 
> match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now.  The security 
>> component causes more headaches than anything else.  In fact, because 
>> CakePHP is so nice to work with, I think Security Component (SC) causes all 
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered 
>> around turning off the SC all over the place, which makes me feel sick from 
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what 
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though 
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error, 
>> which more or less amount to $type = "auth" - which according to the docs 
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch 
>> error."
>>
>> Well, I / JS hasn't messed with the form (that's what form validation is 
>> about, right?) and that is being disabled anyway, and it's showing the form 
>> in the action simport and posting to that action, all in the same 
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>>  $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in 
>> a better way so it is generally on, not disabled around the site for 
>> assorted poorly understood reasons..?
>>
>> W
>>
>>
-- 
This email may contain material that is confidential, privileged and/or 
work product for the sole use of the intended recipient.  Any review, 
reliance or distribution by others or forwarding without express permission 
is strictly prohibited.  If you are not the intended recipient, please 
contact the sender and delete all copies.

Cake Development Corporation.



Re: Security Component is Ruining my Life

2014-09-11 Thread Will Barker
Oh, OK.  Fair enough; if it doesn't know, it can't tell me.

On 12 September 2014 12:32, mark_story  wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't
> know what is wrong either. It just knows that the hash of the data does not
> match what was generated in the past.
>
> -Mark
>
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now.  The security
>> component causes more headaches than anything else.  In fact, because
>> CakePHP is so nice to work with, I think Security Component (SC) causes all
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered
>> around turning off the SC all over the place, which makes me feel sick from
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error,
>> which more or less amount to $type = "auth" - which according to the docs
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch
>> error."
>>
>> Well, I / JS hasn't messed with the form (that's what form validation is
>> about, right?) and that is being disabled anyway, and it's showing the form
>> in the action simport and posting to that action, all in the same
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>>  $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in
>> a better way so it is generally on, not disabled around the site for
>> assorted poorly understood reasons..?
>>
>> W
>>



-- 
Will Barker
0424 366 468



Re: Security Component is Ruining my Life

2014-09-11 Thread mark_story
One of the issues with the field hashing is that SecurityComponent doesn't 
know what is wrong either. It just knows that the hash of the data does not 
match what was generated in the past.

-Mark

On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> I've got an app I have been maintaining for a while now.  The security 
> component causes more headaches than anything else.  In fact, because 
> CakePHP is so nice to work with, I think Security Component (SC) causes all 
> the headaches...
>
> I've read through the docs a fair bit; I have bits of code scattered 
> around turning off the SC all over the place, which makes me feel sick from 
> 2 points of view:
>
> 1.  What a mess
> 2.  No SC == not great security.
>
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what 
> went wrong.
>
> This morning a form that has no JS has decided to blackhole even though 
> I'm applying the following fugly hack to ask it to leave me alone:
>
>
> $this->Security->allowedControllers = array("people");
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
>
>
> I email myself every time these occur, with "details" of the error, 
> which more or less amount to $type = "auth" - which according to the docs 
> means:
>
> "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, I / JS hasn't messed with the form (that's what form validation is 
> about, right?) and that is being disabled anyway, and it's showing the form 
> in the action simport and posting to that action, all in the same 
> controller.
>
> Adding this deeply depressing line of code makes my basic form work:
>  $this->Components->unload('Security');
>
> How can I get much better details of the error? How can I work with SC in 
> a better way so it is generally on, not disabled around the site for 
> assorted poorly understood reasons..?
>
> W
>
>

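Mark's point above (the component only knows that the hash did not match) and Florian's suggestion earlier in the thread (keep the original field list and array-diff it against the submission instead of hashing) can be approximated inside an application without touching the core. What follows is an added example for CakePHP 2.x written for this page; it is not code from the thread or from the proof-of-concept commit, and the controller name, the `blackhole()` method name, the session key `SecurityDebug.fields` and the Person model are assumptions. It records the field list the FormHelper is about to hash just before `Form->end()` (only when `debug` is on), and the blackhole callback logs the error type, the locked and unlocked field names carried in `_Token`, and the names that appeared or disappeared between render and submit.

```php
<?php
// Added example for CakePHP 2.x, not code from this thread or from the
// proof-of-concept commit. Assumed names: PeopleController, blackhole(),
// the session key 'SecurityDebug.fields' and the Person model.

// ---- app/View/People/simport.ctp -------------------------------------
// Just before Form->end() the FormHelper still holds the list of fields it
// is about to hash into _Token.fields; end() hashes it and then resets
// $this->Form->fields, so this is the last point where the list is readable.
echo $this->Form->create('Person');
echo $this->Form->input('name');
echo $this->Form->input('email');
if (Configure::read('debug') > 0) {
    App::uses('CakeSession', 'Model/Datasource');
    CakeSession::write('SecurityDebug.fields', $this->Form->fields);   // debug only
}
echo $this->Form->end('Save');

// ---- app/Controller/PeopleController.php ------------------------------
App::uses('AppController', 'Controller');
App::uses('CakeSession', 'Model/Datasource');
App::uses('Hash', 'Utility');
App::uses('CakeLog', 'Log');

class PeopleController extends AppController {

    // Send every blackhole to blackhole() below instead of a bare 400 page.
    public $components = array(
        'Security' => array('blackHoleCallback' => 'blackhole'),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Component settings belong here: SecurityComponent::startup() runs
        // after beforeFilter() and before the action, so a flag flipped inside
        // the action body is set too late to matter. unlockedFields excludes a
        // single field that JS legitimately edits; unlockedActions (2.3+)
        // skips the hash and CSRF checks for a whole action.
        $this->Security->unlockedFields = array('Person.note');
    }

    /**
     * Invoked by SecurityComponent with $type one of auth, csrf, get, post,
     * put, delete, secure. The sha1 in _Token.fields cannot be reversed, so
     * this logs what is recoverable and diffs field names instead.
     */
    public function blackhole($type) {
        $data = (array)$this->request->data;
        $token = isset($data['_Token']) ? (array)$data['_Token'] : array();
        unset($data['_Token']);

        // _Token.fields is urlencode("<sha1>:<locked1>|<locked2>");
        // _Token.unlocked is urlencode("<name1>|<name2>").
        $locked = $unlocked = array();
        if (!empty($token['fields'])) {
            $parts = explode(':', urldecode($token['fields']), 2);
            if (isset($parts[1]) && $parts[1] !== '') {
                $locked = explode('|', $parts[1]);
            }
        }
        if (!empty($token['unlocked'])) {
            $unlocked = explode('|', urldecode($token['unlocked']));
        }

        $posted   = $this->_fieldNames(array_keys(Hash::flatten($data)));
        $expected = $this->_fieldNames((array)CakeSession::read('SecurityDebug.fields'));

        CakeLog::write('debug', sprintf(
            "blackhole type=%s target=%s/%s token=%s\n"
            . "locked=%s\nunlocked=%s\nposted=%s\n"
            . "added since render=%s\nmissing since render=%s",
            $type,
            $this->request->params['controller'],
            $this->request->params['action'],
            $token ? 'present' : 'MISSING',
            implode(',', $locked),
            implode(',', $unlocked),
            implode(',', $posted),
            implode(',', array_diff($posted, $expected)),
            implode(',', array_diff($expected, $posted))
        ));
        throw new BadRequestException(__('The request has been black-holed'));
    }

    /**
     * Normalise a field list the way SecurityComponent does: FormHelper stores
     * locked fields as name => value and unlocked ones as plain names, and
     * trailing numeric indexes (Tag.Tag.0, Tag.Tag.1) collapse to one name.
     */
    protected function _fieldNames(array $fields) {
        $names = array();
        foreach ($fields as $key => $value) {
            $name = is_int($key) ? $value : $key;
            $names[] = preg_replace('/(\.\d+){1,10}$/', '', $name);
        }
        return array_values(array_unique($names));
    }
}
```

Two caveats. The diff compares names only; SecurityComponent also hashes the values of locked hidden fields and the unlocked list, so a failing hash with an empty name diff usually means a hidden field's value changed between render and submit. And `allowedControllers`, as used in the hack quoted above, is only consulted by the `requireAuth()` check, so setting it has no effect on a `validatePost` failure.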


Re: Security Component is Ruining my Life

2014-09-09 Thread #2Will
I think my hacks to avoid black holes are a mess.  I'm sure the component is 
ace.

It does, however, give off a lot of false positives and, looking round the 
web, not just for me.  With that in mind, it would be awesome if it was 
more expressive about what triggered it.

Also, it's awkward having it and then not using it.  Once the site gets 
hacked, I'll have to stand at the front and tell all the others why I didn't 
use the security component.

I do a lot of other stuff to whitelist fields etc. to mitigate this (and 
the site gets penetration tested and hasn't been completely owned yet), so 
there is some effort going into doing it properly.

W



On Tuesday, 9 September 2014 18:23:39 UTC+10, José Lorenzo wrote:
>
> Don't use it if you think it is a mess and not real security.
>
> You can implement secure forms yourself by using field whitelists and a 
> CSRF token. I rarely use this component and I manage with those pretty fine.
>
> On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>>
>> I've got an app I have been maintaining for a while now.  The security 
>> component causes more headaches than anything else.  In fact, because 
>> CakePHP is so nice to work with, I think Security Component (SC) causes all 
>> the headaches...
>>
>> I've read through the docs a fair bit; I have bits of code scattered 
>> around turning off the SC all over the place, which makes me feel sick from 
>> 2 points of view:
>>
>> 1.  What a mess
>> 2.  No SC == not great security.
>>
>>
>> One issue is it doesn't seem to give back enough detail on EXACTLY what 
>> went wrong.
>>
>> This morning a form that has no JS has decided to blackhole even though 
>> I'm applying the following fugly hack to ask it to leave me alone:
>>
>>
>> $this->Security->allowedControllers = array("people");
>> if (in_array($this->action, array('edit', 'simport'))) {
>>     $this->Security->validatePost = false;
>> }
>>
>>
>> I email myself every time these occur, with "details" of the error, 
>> which more or less amount to $type = "auth" - which according to the docs 
>> means:
>>
>> "Indicates a form validation error, or a controller/action mismatch 
>> error."
>>
>> Well, I / JS hasn't messed with the form (that's what form validation is 
>> about, right?) and that is being disabled anyway, and it's showing the form 
>> in the action simport and posting to that action, all in the same 
>> controller.
>>
>> Adding this deeply depressing line of code makes my basic form work:
>>  $this->Components->unload('Security');
>>
>> How can I get much better details of the error? How can I work with SC in 
>> a better way so it is generally on, not disabled around the site for 
>> assorted poorly understood reasons..?
>>
>> W
>>
>>



Re: Security Component is Ruining my Life

2014-09-09 Thread José Lorenzo
Don't use it if you think it is a mess and not real security.

You can implement secure forms yourself by using field whitelists and a 
CSRF token. I rarely use this component and I manage with those pretty fine.

On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>
> I've got an app I have been maintaining for a while now.  The security 
> component causes more headaches than anything else.  In fact, because 
> CakePHP is so nice to work with, I think Security Component (SC) causes all 
> the headaches...
>
> I've read through the docs a fair bit; I have bits of code scattered 
> around turning off the SC all over the place, which makes me feel sick from 
> 2 points of view:
>
> 1.  What a mess
> 2.  No SC == not great security.
>
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what 
> went wrong.
>
> This morning a form that has no JS has decided to blackhole even though 
> I'm applying the following fugly hack to ask it to leave me alone:
>
>
> $this->Security->allowedControllers = array("people");
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
>
>
> I email myself every time these occur, with "details" of the error, 
> which more or less amount to $type = "auth" - which according to the docs 
> means:
>
> "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, I / JS hasn't messed with the form (that's what form validation is 
> about, right?) and that is being disabled anyway, and it's showing the form 
> in the action simport and posting to that action, all in the same 
> controller.
>
> Adding this deeply depressing line of code makes my basic form work:
>  $this->Components->unload('Security');
>
> How can I get much better details of the error? How can I work with SC in 
> a better way so it is generally on, not disabled around the site for 
> assorted poorly understood reasons..?
>
> W
>
>

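The two pieces José mentions, a CSRF token and a field whitelist, are short to do by hand in CakePHP 2.x. The following is an added example written for this page, not code from the thread; the `_csrf` field name, the `Csrf.token` session key, the Person model and its columns are assumptions. The token is generated once per session, required on every POST, PUT or DELETE and compared in constant time; the `fieldList` option to `save()` is the whitelist that keeps any extra posted column out of the model.

```php
<?php
// Added example for CakePHP 2.x, not code from this thread: a hand-rolled
// CSRF token plus a model field whitelist, the approach José describes.
// The '_csrf' field, the 'Csrf.token' session key, the Person model and its
// columns are assumptions for illustration.

// ---- app/Controller/AppController.php ---------------------------------
App::uses('Controller', 'Controller');
App::uses('CakeSession', 'Model/Datasource');

class AppController extends Controller {

    public $components = array('Session');   // no SecurityComponent loaded

    public function beforeFilter() {
        parent::beforeFilter();

        // One random token per session; rotate it on login and logout as well.
        if (!CakeSession::check('Csrf.token')) {
            CakeSession::write('Csrf.token', bin2hex(openssl_random_pseudo_bytes(32)));
        }
        $this->set('csrfToken', CakeSession::read('Csrf.token'));

        // Every state-changing request must carry the token; GET never mutates.
        $mutating = $this->request->is('post')
            || $this->request->is('put')
            || $this->request->is('delete');
        if ($mutating) {
            $sent = isset($this->request->data['_csrf']) ? $this->request->data['_csrf'] : '';
            if (!self::_sameToken(CakeSession::read('Csrf.token'), $sent)) {
                throw new ForbiddenException(__('Invalid or missing CSRF token'));
            }
            unset($this->request->data['_csrf']);   // keep it out of save()
        }
    }

    /**
     * Constant-time string comparison so the token cannot be guessed byte by
     * byte from response timing; hash_equals() does the same on PHP >= 5.6.
     */
    protected static function _sameToken($expected, $given) {
        if (!is_string($expected) || !is_string($given) || $expected === '') {
            return false;
        }
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $given);
        }
        if (strlen($expected) !== strlen($given)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
            $diff |= ord($expected[$i]) ^ ord($given[$i]);
        }
        return $diff === 0;
    }
}

// ---- app/Controller/PeopleController.php ------------------------------
class PeopleController extends AppController {

    public function edit($id = null) {
        if (!$this->Person->exists($id)) {
            throw new NotFoundException(__('Invalid person'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            $this->request->data['Person']['id'] = $id;
            // fieldList is the whitelist: any other key in the POST body
            // (say Person.role) is dropped, so it cannot be mass-assigned.
            if ($this->Person->save($this->request->data, array(
                'fieldList' => array('id', 'name', 'email'),
            ))) {
                $this->Session->setFlash(__('Saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Could not save.'));
        } else {
            $this->request->data = $this->Person->read(null, $id);
        }
    }
}

// ---- app/View/People/edit.ctp -----------------------------------------
// A raw input is used so the field posts as data[_csrf] rather than being
// prefixed with the form's model name; h() HTML-escapes the value.
echo $this->Form->create('Person');
printf('<input type="hidden" name="data[_csrf]" value="%s">', h($csrfToken));
echo $this->Form->input('name');
echo $this->Form->input('email');
echo $this->Form->end('Save');
```

Unloading SecurityComponent, as in the `$this->Components->unload('Security')` line quoted earlier in the thread, also drops its CSRF check, which is what this example puts back by hand. If the field hashing is the only unwanted part, the component can instead be kept for CSRF alone by loading it with `'validatePost' => false` (its `csrfCheck` setting defaults to true in 2.x). The whitelist is the other half either way: with `fieldList` unset, `save()` accepts whatever columns arrive in the posted data.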