Re: isAuthorized problem with mixed case actions
Thanks for the reply. I will ensure I check against the lowercase form of the action in my isAuthorized function.

On Feb 22, 7:26 pm, cricket wrote:
> On Tue, Feb 22, 2011 at 11:35 AM, chris wrote:
> > Whilst going through the security of my application, I've noticed a
> > flaw. I'm not sure if this is a cake issue, or just something I need
> > to be aware of however.
> >
> > I'm using code from the Bakery for the Sortable behaviour. So I've got
> > functions named moveUp and moveDown in my controller.
> >
> > In isAuthorized I'm doing the following
> >
> > if ($this->action == 'moveUp' || $this->action == 'moveDown') {
> >     // ..code to check if this is allowed
> > }
> >
> > However, I've realised that this can be skipped by calling the actions
> > using a lowercase name, e.g. controller/moveup/ will still call the
> > moveUp action, but the isAuthorized check will be skipped.
> >
> > At the moment, the best fix I can think of is using strtolower to get
> > a lowercase version of the action for checking in the isAuthorized
> > function.
> >
> > But is this something that cakePHP should protect against?
>
> No, it should be handled in your routine. You need to normalise the
> strings (eg. to lowercase). For example, this is how it's handled in
> AuthComponent's startup():
>
> $action = strtolower($controller->params['action']);
> ...
> $allowedActions = array_map('strtolower', $this->allowedActions);
> $isAllowed = ($this->allowedActions == array('*') || in_array($action, $allowedActions));
>
> So, if you left it up to setting allowedActions, it'd be handled for
> you. But, because you're doing your own isAuthorized() it's up to you
> to ensure the strings are the same case.

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
Re: isAuthorized problem with mixed case actions
On Tue, Feb 22, 2011 at 11:35 AM, chris wrote:
> Whilst going through the security of my application, I've noticed a
> flaw. I'm not sure if this is a cake issue, or just something I need
> to be aware of however.
>
> I'm using code from the Bakery for the Sortable behaviour. So I've got
> functions named moveUp and moveDown in my controller.
>
> In isAuthorized I'm doing the following
>
> if ($this->action == 'moveUp' || $this->action == 'moveDown') {
>     // ..code to check if this is allowed
> }
>
> However, I've realised that this can be skipped by calling the actions
> using a lowercase name, e.g. controller/moveup/ will still call the
> moveUp action, but the isAuthorized check will be skipped.
>
> At the moment, the best fix I can think of is using strtolower to get
> a lowercase version of the action for checking in the isAuthorized
> function.
>
> But is this something that cakePHP should protect against?

No, it should be handled in your routine. You need to normalise the
strings (eg. to lowercase). For example, this is how it's handled in
AuthComponent's startup():

$action = strtolower($controller->params['action']);
...
$allowedActions = array_map('strtolower', $this->allowedActions);
$isAllowed = ($this->allowedActions == array('*') || in_array($action, $allowedActions));

So, if you left it up to setting allowedActions, it'd be handled for
you. But, because you're doing your own isAuthorized() it's up to you
to ensure the strings are the same case.
isAuthorized problem with mixed case actions
Whilst going through the security of my application, I've noticed a
flaw. I'm not sure if this is a cake issue, or just something I need
to be aware of however.

I'm using code from the Bakery for the Sortable behaviour. So I've got
functions named moveUp and moveDown in my controller.

In isAuthorized I'm doing the following

if ($this->action == 'moveUp' || $this->action == 'moveDown') {
    // ..code to check if this is allowed
}

However, I've realised that this can be skipped by calling the actions
using a lowercase name, e.g. controller/moveup/ will still call the
moveUp action, but the isAuthorized check will be skipped.

At the moment, the best fix I can think of is using strtolower to get
a lowercase version of the action for checking in the isAuthorized
function.

But is this something that cakePHP should protect against?
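Added example, not code from this thread or from CakePHP itself, illustrating both the bypass chris describes above and the lowercase normalisation cricket points to in AuthComponent. It stands in for a CakePHP 1.3 controller with a Sortable-style moveUp/moveDown pair and puts the case-sensitive check beside a normalised one. The ItemsController class, its "admin only" rule, the user array and the dispatch() function are assumptions for illustration; the one thing they rely on is that PHP method names are case-insensitive, which is why a request for moveup reaches moveUp() while a string comparison against 'moveUp' fails.

```php
<?php
// Added example (not from the thread or CakePHP): why a case-sensitive
// isAuthorized() check on the action name can be bypassed, and the fix.
// ItemsController, the admin-only rule and dispatch() are hypothetical.

class ItemsController
{
    public $action;   // mirrors Controller::$action: the action segment exactly as requested
    public $user;     // constructed stand-in for Auth->user(): array with a 'role' key

    // Vulnerable: compares the raw, caller-controlled action name case-sensitively.
    public function isAuthorizedVulnerable()
    {
        if ($this->action == 'moveUp' || $this->action == 'moveDown') {
            return $this->user['role'] === 'admin';
        }
        return true;   // every other action is open to any logged-in user
    }

    // Hardened: normalise both sides to lowercase before comparing,
    // the same approach AuthComponent uses for allowedActions.
    public function isAuthorizedFixed()
    {
        $action = strtolower($this->action);
        $restricted = array_map('strtolower', array('moveUp', 'moveDown'));
        if (in_array($action, $restricted, true)) {
            return $this->user['role'] === 'admin';
        }
        return true;
    }

    public function moveUp()   { return 'moved up'; }
    public function moveDown() { return 'moved down'; }
}

// Stand-in for the dispatcher: runs the authorisation hook, then calls the
// action by name. PHP resolves method names case-insensitively, so 'moveup'
// and 'MOVEUP' both invoke moveUp(), exactly the behaviour the thread reports.
function dispatch(ItemsController $c, $actionFromUrl, $authorizer)
{
    $c->action = $actionFromUrl;
    if (!$c->$authorizer()) {
        return 'denied';
    }
    if (!method_exists($c, $actionFromUrl)) {
        return 'missing action';
    }
    return $c->$actionFromUrl();
}

$c = new ItemsController();
$c->user = array('role' => 'user');   // constructed: a non-admin session

foreach (array('moveUp', 'moveup', 'MOVEUP', 'moveDown', 'index') as $a) {
    printf("%-8s vulnerable=%-14s fixed=%s\n", $a,
        dispatch($c, $a, 'isAuthorizedVulnerable'),
        dispatch($c, $a, 'isAuthorizedFixed'));
}
```

Run with `php example.php`: with the vulnerable check the non-admin is denied only for the exact spelling moveUp and gets through with moveup or MOVEUP, while the normalised check denies all three. The comparison uses strict in_array() on already-lowercased strings, so it cannot be loosened by type juggling either. If the restricted list is instead expressed through AuthComponent's allowedActions, the component lowercases both sides for you, as cricket's excerpt shows; the normalisation is only your responsibility once you override isAuthorized().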