Re: isAuthorized problem with mixed case actions

2011-02-23 Thread chris
Thanks for the reply. I will ensure I check against the lowercase form
of the action in my isAuthorized function.


On Feb 22, 7:26 pm, cricket  wrote:
> On Tue, Feb 22, 2011 at 11:35 AM, chris  
> wrote:
> > Whilst going through the security of my application, I've noticed a
> > flaw. I'm not sure if this is a cake issue, or just something I need
> > to be aware of however.
>
> > I'm using code from the Bakery for the Sortable behaviour. So I've got
> > functions named moveUp and moveDown in my controller.
>
> > In isAuthorized I'm doing the following
>
> > if( $this->action == 'moveUp' || $this->action == 'moveDown'){
> >  ..code to check if this is allowed
> > }
>
> > However, I've realised that this can be skipped by calling the actions
> > using a lowercase name, e.g. controller/moveup/ will still call the
> > moveUp action, but the isAuthorized check will be skipped.
>
> > At the moment, the best fix I can think of is using strtolower to get
> > a lowercase version of the action for checking in the isAuthorized
> > function.
>
> > But is this something that cakePHP should protect against?
>
> No, it should be handled in your routine. You need to normalise the
> strings (eg. to lowercase). For example, this is how it's handled in
> AuthComponent's startup():
>
> $action = strtolower($controller->params['action']);
> ...
> $allowedActions = array_map('strtolower', $this->allowedActions);
> $isAllowed = ($this->allowedActions == array('*') || in_array($action,
> $allowedActions));
>
> So, if you left it up to setting allowedActions, it'd be handled for
> you. But, because you're doing your own isAuthorized() it's up to you
> to ensure the strings are the same case.

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php


Re: isAuthorized problem with mixed case actions

2011-02-22 Thread cricket
On Tue, Feb 22, 2011 at 11:35 AM, chris  wrote:
> Whilst going through the security of my application, I've noticed a
> flaw. I'm not sure if this is a cake issue, or just something I need
> to be aware of however.
>
> I'm using code from the Bakery for the Sortable behaviour. So I've got
> functions named moveUp and moveDown in my controller.
>
> In isAuthorized I'm doing the following
>
> if( $this->action == 'moveUp' || $this->action == 'moveDown'){
>  ..code to check if this is allowed
> }
>
> However, I've realised that this can be skipped by calling the actions
> using a lowercase name, e.g. controller/moveup/ will still call the
> moveUp action, but the isAuthorized check will be skipped.
>
> At the moment, the best fix I can think of is using strtolower to get
> a lowercase version of the action for checking in the isAuthorized
> function.
>
> But is this something that cakePHP should protect against?

No, it should be handled in your routine. You need to normalise the
strings (eg. to lowercase). For example, this is how it's handled in
AuthComponent's startup():

$action = strtolower($controller->params['action']);
...
$allowedActions = array_map('strtolower', $this->allowedActions);
$isAllowed = ($this->allowedActions == array('*') || in_array($action,
$allowedActions));

So, if you left it up to setting allowedActions, it'd be handled for
you. But, because you're doing your own isAuthorized() it's up to you
to ensure the strings are the same case.

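To show the mismatch cricket describes, here is an added, self-contained PHP script (not code from the thread or from CakePHP) with a hypothetical ItemsController and a simulated dispatcher; it places the exact-case isAuthorized() check beside a strtolower-normalised one and runs both against moveUp, moveup and MOVEUP.

```php
<?php
// Added example, not from the thread or CakePHP. ItemsController and
// dispatch() are hypothetical stand-ins for a Cake controller and dispatcher.

class ItemsController
{
    public $action;   // set by the dispatcher from the URL, as in Cake

    public function index()  { return 'index'; }
    public function moveUp() { return 'moved up'; }

    // Exact-case comparison: /items/moveup never matches 'moveUp', so the
    // privileged branch is skipped and the request is allowed through.
    public function isAuthorizedCaseSensitive(bool $isAdmin): bool
    {
        if ($this->action == 'moveUp' || $this->action == 'moveDown') {
            return $isAdmin;
        }
        return true;
    }

    // Normalised comparison, as cricket suggests: lowercase the action before
    // comparing, so every spelling of the action hits the same branch.
    public function isAuthorizedNormalised(bool $isAdmin): bool
    {
        $action = strtolower($this->action);
        if (in_array($action, ['moveup', 'movedown'], true)) {
            return $isAdmin;
        }
        return true;
    }
}

// PHP method names are case-insensitive, so method_exists() and the call
// itself both succeed for 'moveup' and 'MOVEUP' even though only moveUp()
// is defined. That is why the URL case does not need to match the method.
function dispatch(ItemsController $c, string $urlAction, bool $isAdmin, string $check): string
{
    if (!method_exists($c, $urlAction)) {
        return 'no such action';
    }
    $c->action = $urlAction;
    if (!$c->$check($isAdmin)) {
        return 'denied';
    }
    return $c->$urlAction();
}

$c = new ItemsController();
foreach (['moveUp', 'moveup', 'MOVEUP'] as $url) {
    printf("%-7s case-sensitive=%-9s normalised=%s\n", $url,
        dispatch($c, $url, false, 'isAuthorizedCaseSensitive'),
        dispatch($c, $url, false, 'isAuthorizedNormalised'));
}
```

Run it as a non-admin and only the normalised check denies all three spellings; the case-sensitive check denies moveUp alone.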


isAuthorized problem with mixed case actions

2011-02-22 Thread chris
Whilst going through the security of my application, I've noticed a
flaw. I'm not sure if this is a cake issue, or just something I need
to be aware of however.

I'm using code from the Bakery for the Sortable behaviour. So I've got
functions named moveUp and moveDown in my controller.

In isAuthorized I'm doing the following

if ($this->action == 'moveUp' || $this->action == 'moveDown') {
    // ..code to check if this is allowed
}

However, I've realised that this can be skipped by calling the actions
using a lowercase name, e.g. controller/moveup/ will still call the
moveUp action, but the isAuthorized check will be skipped.

At the moment, the best fix I can think of is using strtolower to get
a lowercase version of the action for checking in the isAuthorized
function.

But is this something that cakePHP should protect against?
