CakePHP 3.0.11 and 3.1.0-beta2 released - security fixes
The CakePHP core team is happy to announce the immediate availability of CakePHP 3.0.11 and 3.1.0-beta2. These releases are maintenance releases that contain bugfixes and fixes for security issues.

## Security Fixes

There are two issues that can impact the security of a CakePHP application:

* `Cake\ORM\Query::where()` would allow static methods to be invoked. This could create unintentional side effects, or undesired query manipulation.
* `Validation::compare()` and `Validation::range()` would allow specifically crafted data past certain criteria.

We'd like to thank 'Kurita Takashi' for contacting us through our [security issue](http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues) process about the CsrfComponent issue.

We recommend that all users of CakePHP upgrade to 3.0.11 or 3.1.0-beta as soon as possible.

## Bugfixes

In addition to the security issues the following issues have been fixed on both branches:

* `Hash::insert()` and `Hash::remove()` now support attribute matchers at all depths.
* `Table::get()` supports a `finder` option that allows custom finders to be combined with get().
* Terminal colours are enabled for Windows users using the ConEmu terminal application.
* `Query::matching()` operations with no conditions no longer cause errors.
* `requestAction()` with array parameters includes all default routing parameters.
* `View::prepend()` now supports a capturing mode like `start()`.
* Typos in alias names used in `contain()` now trigger exceptions instead of generating incorrect result sets.
* `Http\Client` better supports complex multipart requests.
* `PaginatorHelper::numbers()` supports a modulus of 0 now.
* DateTime instances can be sorted by Collection now.

For a deeper insight into what changed, have a look at the [release notes](http://cakephp.org/changelogs/3.0.11).
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
Re: CakePHP 2.6.6 and 3.0.6 Released (security fixes)
Earlier today, we announced the release of 2.6.6. This version contained a syntax error in PHP 5.4. This error has been corrected in 2.6.7. If you are running PHP 5.4.0 you should upgrade to 2.6.7 instead of 2.6.6.

In doing the security release, I did not follow our normal process of ensuring that there is a passing build on all supported PHP versions before doing the release. This was a mistake and will not happen again.

On Thursday, 28 May 2015 11:57:53 UTC-4, mark_story wrote:

> The CakePHP core team is ready to announce the immediate availability of CakePHP 2.6.6 and 3.0.6. These are maintenance releases that contain important security fixes.
>
> ## Security Fixes
>
> Earlier this week we were notified that RequestHandlerComponent had a vulnerability that would allow well-crafted requests to create a denial of service attack. RequestHandlerComponent leverages `Xml::build()` which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads. To disable XML payload parsing you can do the following:
>
> ```php
> // In a controller's beforeFilter
> $this->RequestHandler->addInputType('xml', function () {
>     return [];
> });
> ```
>
> The above code will replace the built-in XML parsing with a no-op function.
>
> We'd like to thank Takeshi Terada for notifying us of this security issue using our [Security Issue Process](http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues).
>
> ## Other Fixes in 2.6.6
>
> * `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values.
> * `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now.
>
> ## Other Fixes in 3.0.6
>
> * `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values.
> * `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now.
> * URLs in `FormHelper::postLink()` are no longer double encoded.
> * `PaginatorHelper::numbers()` now supports the `url` option.
> * Error.trace is now respected when logging exceptions.
> * The Entity accessors cache introduced in 3.0.3 has been removed. It caused a number of issues and didn't greatly improve performance.
> * `EntityTrait::getOriginal()` and `EntityTrait::extractOriginal()` now return values that were initially null.
> * Empty query expressions used in association query builders no longer cause invalid SQL to be generated.
>
> As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.
CakePHP 2.6.6 and 3.0.6 Released (security fixes)
The CakePHP core team is ready to announce the immediate availability of CakePHP 2.6.6 and 3.0.6. These are maintenance releases that contain important security fixes.

## Security Fixes

Earlier this week we were notified that RequestHandlerComponent had a vulnerability that would allow well-crafted requests to create a denial of service attack. RequestHandlerComponent leverages `Xml::build()` which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads. To disable XML payload parsing you can do the following:

```php
// In a controller's beforeFilter
$this->RequestHandler->addInputType('xml', function () {
    return [];
});
```

The above code will replace the built-in XML parsing with a no-op function.

We'd like to thank Takeshi Terada for notifying us of this security issue using our [Security Issue Process](http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues).

## Other Fixes in 2.6.6

* `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now.

## Other Fixes in 3.0.6

* `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now.
* URLs in `FormHelper::postLink()` are no longer double encoded.
* `PaginatorHelper::numbers()` now supports the `url` option.
* Error.trace is now respected when logging exceptions.
* The Entity accessors cache introduced in 3.0.3 has been removed. It caused a number of issues and didn't greatly improve performance.
* `EntityTrait::getOriginal()` and `EntityTrait::extractOriginal()` now return values that were initially null.
* Empty query expressions used in association query builders no longer cause invalid SQL to be generated.

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.
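An added example, not code from the release notes or the CakePHP project: where an application still needs XML payloads, a stricter replacement for the built-in `xml` input type accepts only a body that is itself an inline XML document with no DOCTYPE, so a bare file path is never handed to a loader and no entities are declared. It assumes, as RequestHandlerComponent's input handlers do, that the callback receives the raw request body as its first argument; the function name is made up for this example.

```php
<?php
// Added example, not code from the release or the CakePHP project.

/**
 * Strict replacement for the built-in 'xml' input type. Parses only an inline
 * XML document that carries no DOCTYPE; returns the element tree as a nested
 * array, or [] when the body is refused or malformed.
 */
function parseXmlBodyStrictly($body)
{
    $trimmed = is_string($body) ? ltrim($body) : '';
    // Xml::build() would treat a string like '/etc/hostname' as a file to read;
    // here anything that is not an XML document is refused outright.
    if ($trimmed === '' || $trimmed[0] !== '<') {
        return [];
    }
    // No DOCTYPE means no internal subset and no external or parameter entities.
    if (stripos($trimmed, '<!DOCTYPE') !== false) {
        return [];
    }
    // Defence in depth while parsing: no network access, no entity loader, and
    // LIBXML_NOENT deliberately not set so entity references are never expanded.
    $loaderWasDisabled = libxml_disable_entity_loader(true);
    $useErrors = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($trimmed, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($useErrors);
    libxml_disable_entity_loader($loaderWasDisabled);
    if ($xml === false) {
        return [];
    }
    // Element tree to nested array; attributes land under '@attributes'.
    $data = json_decode(json_encode($xml), true);
    return is_array($data) ? $data : [];
}

// In a controller's beforeFilter, in place of the no-op from the announcement.
// The handler is given in the array form the cookbook uses for addInputType().
// $this->RequestHandler->addInputType('xml', ['parseXmlBodyStrictly']);

// Constructed sample bodies: the inline document is parsed; the bare path and
// the DOCTYPE-bearing document are both refused and yield an empty array.
$fromDocument = parseXmlBodyStrictly('<data><name>Ada</name><email>ada@example.com</email></data>');
$fromPath     = parseXmlBodyStrictly('/etc/hostname');
$fromDoctype  = parseXmlBodyStrictly('<!DOCTYPE data><data><name>Ada</name></data>');
```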
Re: Security Component is Ruining my Life
On Mon, Oct 27, 2014 at 10:38 PM, Florian Krämer bur...@doomzone.de wrote:

> I've turned the idea into an implementation. Proof of concept goes here: https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

Cool! I will try this out...

Tarique
Re: Security Component is Ruining my Life
I've turned the idea into an implementation. Proof of concept goes here: https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

This will output the dirty fields as a list below the error message. I hope this is going to make it into the core. :)

On Sunday, October 19, 2014 12:26:44 AM UTC+2, glk wrote:

> Florian... What a wonderful idea. Just wish I understood all of Cake well enough to help implement. I've fought with the Security Component many times and, although I've never lost, it has created many headaches. Hope the Development team can add this functionality during debugging.
Re: Security Component is Ruining my Life
Florian... What a wonderful idea. Just wish I understood all of Cake well enough to help implement. I've fought with the Security Component many times and, although I've never lost, it has created many headaches. Hope the Development team can add this functionality during debugging.
Re: Security Component is Ruining my Life
oh, ok. fair enough if it doesn't know it can't tell me.

On 12 September 2014 12:32, mark_story mark.st...@gmail.com wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> > I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:
> >
> > ```php
> > $this->Security->allowedControllers = array('people');
> > if (in_array($this->action, array('edit', 'simport'))) {
> >     $this->Security->validatePost = false;
> > }
> > ```
> >
> > I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."
> >
> > Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > Adding this deeply depressing line of code makes my basic form work:
> >
> > ```php
> > $this->Components->unload('Security');
> > ```
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W

--
Will Barker
0424 366 468
Re: Security Component is Ruining my Life
Mark, wouldn't it be possible to keep track of these changes somehow via debug kit? Save the original keys to session and then do the same comparison with the data that the security component does, but without the hashing, with an array diff instead?

On Friday, September 12, 2014 4:32:32 AM UTC+2, mark_story wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> > I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:
> >
> > ```php
> > $this->Security->allowedControllers = array('people');
> > if (in_array($this->action, array('edit', 'simport'))) {
> >     $this->Security->validatePost = false;
> > }
> > ```
> >
> > I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."
> >
> > Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > Adding this deeply depressing line of code makes my basic form work:
> >
> > ```php
> > $this->Components->unload('Security');
> > ```
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W
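The comparison Florian proposes, as an added example that is neither his commit nor CakePHP code: the field list the form was rendered with is kept server-side (he suggests the session), and on submit the flattened POST keys are diffed against it, which names the offending fields where a hash mismatch only says "auth". Both arrays below are constructed sample data, and the function names are made up for this example.

```php
<?php
// Added example, not Florian's commit nor CakePHP code.

/**
 * Flatten nested form data to dot-separated paths, the shape CakePHP's
 * Hash::flatten() produces ('Person' => ['name' => ...] becomes 'Person.name').
 */
function flattenFieldPaths(array $data, $prefix = '')
{
    $paths = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string)$key : $prefix . '.' . $key;
        if (is_array($value) && $value !== []) {
            $paths = array_merge($paths, flattenFieldPaths($value, $path));
        } else {
            $paths[] = $path;
        }
    }
    return $paths;
}

/**
 * Compare what FormHelper rendered with what was posted. Token fields and
 * fields the form explicitly unlocked are left out, mirroring what the
 * SecurityComponent hash does not cover. Returns the two lists a debug
 * panel would show: fields that were never rendered, and rendered fields
 * that did not come back.
 */
function diffFormFields(array $renderedFields, array $unlockedFields, array $postData)
{
    $ignore = array_merge(['_Token.fields', '_Token.unlocked', '_Token.key'], $unlockedFields);
    $submitted = array_values(array_diff(flattenFieldPaths($postData), $ignore));
    $expected = array_values(array_diff($renderedFields, $unlockedFields));
    return [
        'unexpected' => array_values(array_diff($submitted, $expected)),
        'missing'    => array_values(array_diff($expected, $submitted)),
    ];
}

// Constructed sample: the field list saved when the form was rendered...
$rendered = ['Person.name', 'Person.email', 'Person.role_id', 'Person.id'];
$unlocked = ['Person.email'];
// ...and the data that came back after a script added a checkbox and the
// hidden id field was dropped. The hash in _Token.fields is a placeholder.
$post = [
    'Person' => ['name' => 'Ada', 'email' => 'ada@example.com', 'role_id' => '2', 'newsletter' => '1'],
    '_Token' => ['fields' => 'HASH_PLACEHOLDER:Person.id', 'unlocked' => 'Person.email'],
];

// 'unexpected' names the added checkbox, 'missing' the dropped hidden field;
// either list being non-empty is exactly the condition that black holes.
$diff = diffFormFields($rendered, $unlocked, $post);
```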
Re: Cake 3 Security Component black holes add with associations
Any progress? Is there something I did wrong? Did I discover a bug?

Thanks for your assistance

On Thursday, September 4, 2014 2:28:46 PM UTC+7, José Lorenzo wrote:

> I will try to reproduce your use case this evening and see if you found a bug.
>
> On Wednesday, September 3, 2014 11:40:00 PM UTC+2, heavyKevy wrote:
>
> > No, following is the add.ctp:
> >
> > ```php
> > echo $this->Form->input('name');
> > $Selected = 0;
> > if ($role != 'admin' && $role != 'prog-admin') {
> >     $Selected = $this->resortId;
> > }
> > echo $this->Form->input('user_id', ['title' => 'Promotion Resort/Program', 'options' => $resorts, 'selected' => $Selected]);
> > echo $this->Form->input('start_date');
> > echo $this->Form->input('end_date');
> > echo $this->Form->input('passes_allowed');
> > echo 'Use Shift and/or Control to select as many dealers as needed.';
> > echo $this->Form->input('users._ids', ['title' => 'Associated Dealers', 'options' => $dealers]);
> > ```
> >
> > On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose...@gmail.com wrote:
> >
> > > Are you creating the second control with javascript?
> > >
> > > On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
> > >
> > > > I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
> > > >
> > > > In PromotionsTable::
> > > >
> > > > ```php
> > > > public function initialize(array $config)
> > > > {
> > > >     $this->table('promotions');
> > > >     $this->displayField('name');
> > > >     $this->primaryKey('id');
> > > >     $this->belongsTo('Users', [
> > > >         'foreignKey' => 'user_id',
> > > >     ]);
> > > >     $this->belongsToMany('Users', [
> > > >         'foreignKey' => 'promotion_id',
> > > >         'targetForeignKey' => 'user_id',
> > > >         'joinTable' => 'promotions_users',
> > > >     ]);
> > > > }
> > > > ```
> > > >
> > > > Data saves fine if the security component is not loaded... black holes the request otherwise...
> > > >
> > > > Is this a bug or is this by design?
Re: Security Component is Ruining my Life
One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.

-Mark

On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:

> I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...
>
> I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
>
> 1. What a mess
> 2. No SC == not great security.
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:
>
> ```php
> $this->Security->allowedControllers = array('people');
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
> ```
>
> I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
>
> Adding this deeply depressing line of code makes my basic form work:
>
> ```php
> $this->Components->unload('Security');
> ```
>
> How can I get much better details of the error?
>
> How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
>
> W
Re: Security Component is Ruining my Life
Don't use it if you think it is a mess and not real security. You can implement secure forms yourself by using field whitelists and a csrf token. I rarely use this component and I manage with those pretty fine.

On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:

> I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...
>
> I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
>
> 1. What a mess
> 2. No SC == not great security.
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:
>
> ```php
> $this->Security->allowedControllers = array('people');
> if (in_array($this->action, array('edit', 'simport'))) {
>     $this->Security->validatePost = false;
> }
> ```
>
> I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."
>
> Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
>
> Adding this deeply depressing line of code makes my basic form work:
>
> ```php
> $this->Components->unload('Security');
> ```
>
> How can I get much better details of the error?
>
> How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
>
> W
Re: Security Component is Ruining my Life
I think my hacks to avoid black holes are a mess. I'm sure the component is ace. It does however give off a lot of false positives and, looking round the web, not just for me. With that in mind, it would be awesome if it was more expressive about what triggered it.

Also, it's awkward having it and then not using it. Once the site gets hacked, I'll have to stand at the front and tell all the others why I didn't use the security component. I do a lot of other stuff to white list fields etc to mitigate this (and the site gets penetration tested and hasn't been completely owned yet) so there is some effort going into doing it properly.

W

On Tuesday, 9 September 2014 18:23:39 UTC+10, José Lorenzo wrote:

> Don't use it if you think it is a mess and not real security. You can implement secure forms yourself by using field whitelists and a csrf token. I rarely use this component and I manage with those pretty fine.
>
> On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>
> > I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:
> >
> > ```php
> > $this->Security->allowedControllers = array('people');
> > if (in_array($this->action, array('edit', 'simport'))) {
> >     $this->Security->validatePost = false;
> > }
> > ```
> >
> > I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."
> >
> > Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > Adding this deeply depressing line of code makes my basic form work:
> >
> > ```php
> > $this->Components->unload('Security');
> > ```
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W
Security Component is Ruining my Life
I've got an app I have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because CakePHP is so nice to work with, I think Security Component (SC) causes all the headaches...

I've read through the docs a fair bit, I have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:

1. What a mess
2. No SC == not great security.

One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though I'm applying the following fugly hack to ask it to leave me alone:

```php
$this->Security->allowedControllers = array('people');
if (in_array($this->action, array('edit', 'simport'))) {
    $this->Security->validatePost = false;
}
```

I email myself every time these occur, with details of the error, which more or less amount to `$type = auth` - which according to the docs means: "Indicates a form validation error, or a controller/action mismatch error."

Well, I / JS hasn't messed with the form (that's what form validation is about, right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.

Adding this deeply depressing line of code makes my basic form work:

```php
$this->Components->unload('Security');
```

How can I get much better details of the error?

How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?

W
Re: Cake 3 Security Component black holes add with associations
I will try to reproduce your use case this evening and see if you found a bug.

On Wednesday, September 3, 2014 11:40:00 PM UTC+2, heavyKevy wrote:

> No, following is the add.ctp:
>
> ```php
> echo $this->Form->input('name');
> $Selected = 0;
> if ($role != 'admin' && $role != 'prog-admin') {
>     $Selected = $this->resortId;
> }
> echo $this->Form->input('user_id', ['title' => 'Promotion Resort/Program', 'options' => $resorts, 'selected' => $Selected]);
> echo $this->Form->input('start_date');
> echo $this->Form->input('end_date');
> echo $this->Form->input('passes_allowed');
> echo 'Use Shift and/or Control to select as many dealers as needed.';
> echo $this->Form->input('users._ids', ['title' => 'Associated Dealers', 'options' => $dealers]);
> ```
>
> On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose@gmail.com wrote:
>
> > Are you creating the second control with javascript?
> >
> > On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
> >
> > > I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
> > >
> > > In PromotionsTable::
> > >
> > > ```php
> > > public function initialize(array $config)
> > > {
> > >     $this->table('promotions');
> > >     $this->displayField('name');
> > >     $this->primaryKey('id');
> > >     $this->belongsTo('Users', [
> > >         'foreignKey' => 'user_id',
> > >     ]);
> > >     $this->belongsToMany('Users', [
> > >         'foreignKey' => 'promotion_id',
> > >         'targetForeignKey' => 'user_id',
> > >         'joinTable' => 'promotions_users',
> > >     ]);
> > > }
> > > ```
> > >
> > > Data saves fine if the security component is not loaded... black holes the request otherwise...
> > >
> > > Is this a bug or is this by design?
Re: Cake 3 Security Component black holes add with associations
Ok, thank you...

On Thursday, September 4, 2014 4:09:19 AM UTC+7, heavyKevy wrote:
Cake 3 Security Component black holes add with associations
I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users. In PromotionsTable:

    public function initialize(array $config)
    {
        $this->table('promotions');
        $this->displayField('name');
        $this->primaryKey('id');
        $this->belongsTo('Users', [
            'foreignKey' => 'user_id',
        ]);
        $this->belongsToMany('Users', [
            'foreignKey' => 'promotion_id',
            'targetForeignKey' => 'user_id',
            'joinTable' => 'promotions_users',
        ]);
    }

Data saves fine if the security component is not loaded... black holes the request otherwise... Is this a bug or is this by design?
Re: Cake 3 Security Component black holes add with associations
Are you creating the second control with javascript?

On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
Re: Cake 3 Security Component black holes add with associations
No, following is the add.ctp:

    echo $this->Form->input('name');
    $Selected = 0;
    if ($role != 'admin' && $role != 'prog-admin') {
        $Selected = $this->resortId;
    }
    echo $this->Form->input('user_id', [
        'title' => 'Promotion Resort/Program',
        'options' => $resorts,
        'selected' => $Selected,
    ]);
    echo $this->Form->input('start_date');
    echo $this->Form->input('end_date');
    echo $this->Form->input('passes_allowed');
    echo 'Use Shift and/or Control to select as many dealers as needed.';
    echo $this->Form->input('users._ids', [
        'title' => 'Associated Dealers',
        'options' => $dealers,
    ]);

On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose@gmail.com wrote:

> Are you creating the second control with javascript?
>
> On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
Re: Security salt issue
I'd use the value from your old installation as it is used to encrypt passwords - if the salt is different no one will be able to log in, as the encrypted version of the password they enter will not match the encrypted value stored in the database.

On 23 Aug 2014, at 03:25, 'Dallas' via CakePHP cake-php@googlegroups.com wrote:
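To see why the old salt has to travel with the stored password hashes, here is an added stand-alone PHP example (not code from this thread or from CakePHP) that reproduces what CakePHP 2's default password hasher computes: Security::hash($password, null, true) prepends Configure::read('Security.salt') to the password and hashes with sha1. The salts, password and helper names below are constructed for the example.

```php
<?php
// Added example: reproduce CakePHP 2.x Security::hash($password, null, true) with the
// default 'sha1' hashType, i.e. sha1(Security.salt . $password). This is stand-alone
// PHP, not CakePHP's own code; salts, password and function names are constructed.

function cakeLegacyHash(string $salt, string $password): string
{
    return sha1($salt . $password);
}

// Constant-time comparison of a stored hash against a candidate salt + password.
function verifyWithSalt(string $storedHash, string $salt, string $password): bool
{
    return hash_equals($storedHash, cakeLegacyHash($salt, $password));
}

// Before switching Security.salt in a migrated config, confirm which salt actually
// produced the hashes in users.password by checking one known-good credential.
function findMatchingSalt(string $storedHash, string $password, array $candidateSalts): ?string
{
    foreach ($candidateSalts as $label => $salt) {
        if (verifyWithSalt($storedHash, $salt, $password)) {
            return $label;
        }
    }
    return null;
}

$oldSalt  = 'OldInstallSaltValue0123456789abcdef';  // constructed: salt of the old app
$newSalt  = 'FreshSaltGeneratedForNewInstall98765'; // constructed: salt of the new app
$password = 'correct horse battery staple';          // constructed: the admin's password

// What the old application stored in users.password for this account.
$stored = cakeLegacyHash($oldSalt, $password);

// Same password, different salt: the login comparison fails, which is exactly the
// "no one will be able to log in" situation described above.
$loginWorksWithOldSalt = verifyWithSalt($stored, $oldSalt, $password);
$loginWorksWithNewSalt = verifyWithSalt($stored, $newSalt, $password);

printf("old salt verifies: %s\n", $loginWorksWithOldSalt ? 'yes' : 'no');
printf("new salt verifies: %s\n", $loginWorksWithNewSalt ? 'yes' : 'no');
printf("salt that produced the stored hash: %s\n",
    findMatchingSalt($stored, $password, ['old' => $oldSalt, 'new' => $newSalt]) ?? 'none');
```

Run it with the real old and new salt values from the two core.php files and the stored hash of an account whose password you know; the matching label tells you which salt the database was built with.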
Re: Security salt issue
Thank you Jeremy for getting back to me. I do want to keep the security salt from the old installation. On this site I am the only one who logs in. But specifically, will the error message affect my site? I browsed the database and the only encrypted number I thought it could be was the password for the administrator. Is there somewhere I could add the security salt to the database so that I no longer get the error message? Or do I just ignore it? Thanks again.

On Friday, August 22, 2014 10:25:20 PM UTC-4, Dallas wrote:
Security salt issue
I installed a new version of CakePHP 2.5.3 (http://cakephp.org/changelogs/2.5.3) and am migrating old files. When I first set up I used a new security salt number, then I changed to the salt number from the older version I was migrating because I read that I should do this. Now I am getting this message:

    Notice (1024): Please change the value of 'Security.salt' in APP/Config/core.php to a salt value specific to your application. [CORE/Cake/Utility/Debugger.php, line 846]

Is there a way I can correct this - or should I re-install and put the former salt value in so it gets set right? Is there a way to correct this in the database? Thank you.

Dallas
Re: Security component and SQL Injection
@Jose: good to know ... logical cause of the dropped table was someone getting their hands on the database login credentials.

@Dakota: thanks, will keep an eye out for that, not that it's a factor in this situation.

On Friday, June 13, 2014 4:52:22 AM UTC+1, Dakota wrote:

> Just one thing to note is that the updateAll method doesn't do all escaping.
Re: Security component and SQL Injection
No, the security component does not prevent you against that. There must be some place where you are passing raw input into a query.

On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
Re: Security component and SQL Injection
I personally do not think the site was the victim of an SQL Injection as I am not passing any raw queries into the system anywhere. The more realistic cause of the problem is I shared phpMyAdmin user details with the client and they accidentally deleted the table themselves, or the login details were made available to someone else who did this. If this was an injection attack, I would expect them to do more than remove one table from one database. I don't like to jump to conclusions though, so just wanted to know if my configuration has somehow opened up the possibility of SQL Injection.

Thanks, Paul.

On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:

> No, the security component does not prevent you against that. There must be some place where you are passing raw input into a query.
>
> On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
Re: Security component and SQL Injection
As long as you are using the Model API and not passing raw strings of SQL to it then you should be safe.

On Thursday, June 12, 2014 12:56:10 PM UTC+2, phpMagpie wrote:
Re: Security component and SQL Injection
Just one thing to note is that the updateAll method doesn't do all escaping.
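José's point that the Model API escapes for you, and Dakota's caveat about updateAll(), side by side in one CakePHP 2.x controller action. This is an added example, not code from the thread or from CakePHP; the User model, its name column and the rename action are assumed.

```php
<?php
// Added example (not from the thread): where CakePHP 2.x escapes request data for
// you and where it does not. Assumes a User model with a 'name' column; the action
// and field names are constructed for illustration.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function rename($id = null) {
        $newName = $this->request->data('User.name'); // untrusted, straight from the form

        // 1. Model API with array conditions: the DboSource quotes/binds every value,
        //    so a quote character in $newName is just data. This is the "use the
        //    Model API" case José and Reuben describe.
        $this->User->id = $id;
        $this->User->save(array('User' => array('name' => $newName)));

        // 2. Raw SQL built by string interpolation is where a table drop could come
        //    from: the string literal ends at the first quote in $newName. Shown only
        //    as the pattern to search your code base for, never to be used:
        //    $this->User->query("UPDATE users SET name = '$newName' WHERE id = $id");
        //
        //    If raw SQL is unavoidable, Model::query() accepts bound parameters, so
        //    the input never becomes part of the SQL text.
        $this->User->query(
            'UPDATE users SET name = ? WHERE id = ?',
            array($newName, (int)$id)
        );

        // 3. updateAll(): the $fields side is treated as an SQL expression, not a value,
        //    which is the "doesn't do all escaping" Dakota mentions. Raw input here is
        //    an injection; literal values must be quoted with DboSource::value() first.
        //    Unsafe:  $this->User->updateAll(array('User.name' => $newName), ...);
        $db = $this->User->getDataSource();
        $this->User->updateAll(
            array('User.name' => $db->value($newName, 'string')), // quoted literal
            array('User.id' => $id)                                // conditions are escaped
        );

        $this->redirect(array('action' => 'view', $id));
    }
}
```

A quick audit for this class of bug is to grep the app for `->query(` and `updateAll(` and confirm that every value reaching them is either a bound parameter or passed through `$db->value()`.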
Security component and SQL Injection
Hi, I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form, then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form. I did the following:

    if ($this->request->action == 'add') {
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
    }

Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to SQL Inject a table drop?

Thanks, Paul.
Re: Security component and SQL Injection
I thought it would depend more on how you are writing changes to the database. If you're going via the model, with ::create and ::save methods, then users shouldn't be able to inject a truncate or drop. I say shouldn't because that is my understanding of how it is supposed to work, but I've never gone out of my way to test it. However, if you're using ::query, then that might be possible, if queries are not appropriately sanitized.

Regards
Reuben Helms

On Thursday, 12 June 2014 09:28:03 UTC+10, phpMagpie wrote:
Re: Security component and SQL Injection
Yeah, everything is done via Model::save() and your understanding is the same as mine. If anyone does know otherwise it would be good to know.

Thanks, Paul.

On Thursday, 12 June 2014 01:17:12 UTC+1, Reuben wrote:
Is admin_ prefix a security or just convenient?
I understand a user can not directly access mysite.com/users/admin_index. Instead they go to mysite.com/admin/users/index. But, is there any automatic security checking? Because anyone can type in mysite.com/admin/users/index. Is it still up to the UsersController to filter out unauthorized users? Such as having an IsAuthorized setting, or the function admin_index still needs to check the user's privileges and reject the request if the user doesn't have admin privs? In which case I don't see the advantage of using the admin_ prefix. Seems like a big security problem if every controller function needs to check the user's privileges. Is there a better way I'm missing? Can IsAuthorized somehow say only admin users are allowed to run admin functions?
Re: Is admin_ prefix a security or just convenient?
Prefix is a convenience in which you can have the option to build up security for it, that's why it's named prefix rather than admin, it's just admin is a very common prefix. Some people like to make their prefixes obscure (security through obscurity), i.e. rather than type admin/users/index you would need to type acp/users/index (i.e. admin control panel).

As for the security part of things, there are all sorts of ways of going about this. A common way is to check if the admin prefix is in use in your app controller's beforeFilter method; if the user is accessing the admin prefix then you simply check their user_type_id field.

    if ($this->params['prefix'] == 'admin') {
        if ($this->Auth->user('user_type_id') != Configure::read('AdminTypeId')) {
            // User does not have access to this page, redirect them etc
        }
        $this->layout = 'name_of_admin_layout';
    }

*In the above example I used Configure::read, that's just because I don't like to check against foreign keys in my code, I prefer to store them in a config file so if I reference an id more than once I don't need to update it several times.*

The benefit of this is that you only ever have to check if the person accessing /admin/... has permission in one place. You're basically just checking the user's session in a very non-taxing way which has no real strain on the application.

isAuthorized can be used on login ideally, an example usage would be if you had a banned or deleted field in your database table, you can check these fields and decide what to do, for example:

    public function isAuthorized($user) {
        if ($user['deleted']) {
            $this->Session->setFlash('This account has been deleted.', null, null, 'auth');
            $this->redirect($this->Auth->logout());
            return false;
        }
        return true;
    }

In short I think using a prefix is pretty useful and great for admin sections, you can separate your admin methods from your regular methods and you don't need to check permissions all over the place.

The worst admin integration would have to be once I saw somebody made an admin controller which was pretty nasty...

On 3 January 2014 15:52, David Deley deleyda...@gmail.com wrote:

--
Kind Regards
Stephen Speakman
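One way to keep the prefix check in a single place while still denying by default is to put it in AppController::isAuthorized(), which AuthComponent's 'Controller' authorize handler calls for every non-public action. This is an added example (not Stephen's code and not CakePHP's own); the users.role column, the role names, the prefix list and the layout naming are assumptions.

```php
<?php
// Added example (not from the thread): centralised, deny-by-default authorization
// for routing prefixes in a CakePHP 2.x AppController. Assumes Auth's 'Controller'
// authorize handler, a users.role column and 'admin'/'manager' in Routing.prefixes.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'authorize' => array('Controller'),   // Auth calls isAuthorized() per request
            'loginAction' => array('controller' => 'users', 'action' => 'login', 'admin' => false),
            'authError' => 'You are not allowed to view that page.',
        ),
    );

    // Which roles may use which prefix (assumed names). A prefix that is not listed
    // here is denied, so adding a new prefix to routes.php never opens it by accident.
    protected $_prefixRoles = array(
        'admin' => array('admin'),
        'manager' => array('admin', 'manager'),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        if (!empty($this->request->params['prefix'])) {
            // Prefix-specific layout, e.g. View/Layouts/admin.ctp (assumed naming).
            $this->layout = $this->request->params['prefix'];
        }
    }

    // Called by AuthComponent once the user is logged in, for every action that was
    // not made public with $this->Auth->allow(). Return false to block the request.
    public function isAuthorized($user) {
        $prefix = isset($this->request->params['prefix']) ? $this->request->params['prefix'] : null;

        if ($prefix === null) {
            // Non-prefixed actions: any logged-in user. Controllers that need more
            // can override isAuthorized() and call parent::isAuthorized($user) first.
            return true;
        }
        if (!isset($this->_prefixRoles[$prefix])) {
            return false;   // unknown prefix: deny rather than fall through
        }
        $role = isset($user['role']) ? $user['role'] : null;
        return in_array($role, $this->_prefixRoles[$prefix], true);
    }
}
```

With this in place, typing mysite.com/admin/users/index as a non-admin is rejected by Auth before UsersController::admin_index() runs, and no per-action privilege check is needed.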
Re: Security Component Question
Check the code: http://api.cakephp.org/2.4/source-class-SecurityComponent.html#322-338

Blackholing is nothing more than throwing a BadRequestException or triggering a callback. I would not use an exception in that place.

On Friday, December 27, 2013 7:37:24 PM UTC+1, advantage+ wrote:
Security Component Help
I want to make action requests more secure by implementing the Restricting HTTP methods {requirePost(), requireGet(), requirePut(), requireDelete()} but running into a bit of an issue. For an add request for example via ajax I have to fetch the form (get) and load it into the colorbox, and save the input gets sent as post. So the add method invokes 2 separate HTTP methods.

Other than breaking the public function add() into 2 separate functions such as public function load() // fetch the form via get, and then public function save() // post to save the data, is there another way to accomplish this without having to break up the function?

I currently have:

    public function save() {
        // load the form
        if ($this->request->is('ajax') && $this->request->is('get')) {
            // ...
        }
        // save the form
        if (!empty($this->request->data) && $this->request->is('post')) {
            // ...
        }
    }

Any ideas anyone on the best way to handle this?

Thanks, Dave
Security Component Question
Is there a way to force call blackhole based on model validation rules? I have a validation method that I would like to call the blackhole if it fails.

Thanks, Dave
Re: New Member - Basic Security Questions!
You can also find some information on http://www.dereuromark.de/2010/10/05/cakephp-security/

Basically sanitizing was often used too eagerly, instead of using validation (which also usually is used too restrictively) and sane output escaping. Use whitelisting for security sensitive views - or use RequestHandler if possible. Escape all plain output on display - clean HTML output on save. Nothing more to do usually.

If you want to test your application against attacks, try SQL injection and XSS snippets and see if they go through. They shouldn't :)

On Wednesday, 9 October 2013 08:02:09 UTC+2, Reuben wrote:

> On Wednesday, 9 October 2013 04:48:22 UTC+10, schenke...@gmail.com wrote:
>
>> Greetings, I am new to this community -- and to CakePHP itself. I have been testing a long list of PHP frameworks (CodeIgniter, Laravel, Symfony, Yii) and find myself really attracted to Cake because of the logic of how it works. It just makes sense to me!
>>
>> OK, for my actual questions on security...
>>
>> 1. I'm confused about the Cake documentation entry stating that the Sanitize element is no longer being maintained (http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html). Is this because it is no longer needed, or is it because we are expected to find an external library for this purpose?
>>
>> 2. Is it enough to use this combination of elements in my apps:
>> (a) FormHelper http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html
>> (b) SecurityComponent http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
>> (c) Cake Validation http://book.cakephp.org/2.0/en/models/data-validation.html
>>
>> I know security is a very big topic. And I know we can never be 100% certain we have covered everything. But when do Cake developers generally reach that balance where they have done enough?
>>
>> Thanks, Matthew
Re: New Member - Basic Security Questions!
Hi Matthew,

With regards to Q1, I remember reading something to the effect that there are other tools that do the job better. There was a detailed article somewhere, but I can't locate it at the moment. As the web reference you gave states, Sanitize was destructive, instead of just making sure the data submitted was okay. Models still sanitize their data, so Little Bobby Tables shouldn't get through.

There's usage of h() for output, HTML Purifier for HTML input (though I've never used it) and the Security Component with the Form Helper to prevent tampering with form input. I've never used CakePHP's Security Component, but I have used other frameworks with a similar concept. Usage of the component depends on how dynamic your forms are. If you're adding form elements on the fly, then the security component might not work so well for those particular forms.

Cake Validation just improves the quality of your input, but I wouldn't rely on it for any sort of security check.

Your best bet for security is unit and integration tests. Check out the CakePHP tests that test security. Write your own tests for your own forms to satisfy yourself that malicious form data will get caught.

On Wednesday, 9 October 2013 04:48:22 UTC+10, schenke...@gmail.com wrote:
New to Cake -- Security Questions
Greetings,

I am new to CakePHP. I've tested several other frameworks (Laravel, CodeIgniter, Symfony, Yii, and even a clever little one called PHPixie). My choice is to go with CakePHP for various reasons, but mostly because it makes sense to me.

I like everything I see about CakePHP, but I am wondering how experienced Cake developers handle security. I know that this is a big topic and there is no single answer, but what are the general steps you take to secure an app in CakePHP? I am talking about an app where I will be accepting form inputs from logged-in users.

Here's what I understand so far:

1. I really like the Cake Data Validation class (http://book.cakephp.org/2.0/en/models/data-validation.html). This seems to allow very nice control of form inputs.

2. I'm confused about the removal of the Data Sanitization tool (http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html). Was this done because there are better built-in methods for this, or is it because the framework no longer handles sanitization?

Can anyone please shed some light on general good practices on securing CakePHP apps?

Thank you!
Matthew
Re: New to Cake -- Security Questions
Sorry for the double post! My previous post seemed lost until after I posted this one!

On Wednesday, October 9, 2013 12:48:03 PM UTC-4, schenke...@gmail.com wrote:
New Member - Basic Security Questions!
Greetings,

I am new to this community, and to CakePHP itself. I have been testing a long list of PHP frameworks (CodeIgniter, Laravel, Symfony, Yii) and find myself really attracted to Cake because of the logic of how it works. It just makes sense to me!

OK, for my actual questions on security...

1. I'm confused about the Cake documentation entry stating that the Sanitize element is no longer being maintained (http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html). Is this because it is no longer needed, or is it because we are expected to find an external library for this purpose?

2. Is it enough to use this combination of elements in my apps:
(a) FormHelper: http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html
(b) SecurityComponent: http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
(c) Cake Validation: http://book.cakephp.org/2.0/en/models/data-validation.html

I know security is a very big topic. And I know we can never be 100% certain we have covered everything. But when do Cake developers generally reach that balance where they have done enough?

Thanks,
Matthew
Ajax / CSRF / Security
I created a plugin that handles all security issues with Cake / Ajax requests. Simply add a $this_secureForm(), which adds a _key, and it adds a token to the form; on request the _key matches the user's _lock. The Controller will generate a new key on every request. Although it will not handle dynamic fields if added. But if you have a form with set fields it will grab the field names, hash them and call it a lock, and compare it to the key on every request.

Dave Maharaj
Freelance Designer | Developer
www.movepixels.com | d...@movepixels.com | 709.800.0852

From: cake-php@googlegroups.com On Behalf Of euromark
Sent: Friday, August 16, 2013 5:10 PM
To: cake-php@googlegroups.com
Subject: Re: bootstrap twitter typeahead, doesn't work for me in cakephp

Never create a new response object; there is already one available in your controller. Just use $this->response->body($content); as documented.

On Friday, 16 August 2013 19:16:32 UTC+2, cesar calvo wrote:

I use this in my AppController:

    public function jsonResponse($array) {
        return new CakeResponse(array('body' => json_encode($array)));
    }

Then on a controller call jsonResponse. Note: if you are using the Security component, in beforeFilter:

    if ($this->request->is('ajax')) {
        $this->Security->unlockedActions = array($this->request->action);
    }

On Thursday, August 15, 2013 11:03:34 PM UTC-3, Renato Bigliazzi wrote:

Hi, I can not get the twitter bootstrap typeahead component to work with cake. I use https://github.com/rudylee/cbunny, but it doesn't work for me.

In my view, the JS:

    <script type="text/javascript">
    $(document).ready(function () {
        $('#itemdesc').typeahead({
            source: function (query, process) {
                return $.ajax({
                    url: '<?php echo Router::url(array('controller' => 'Invoices', 'action' => 'localizaprodutos')); ?>',
                    type: 'get',
                    data: {q: query},
                    dataType: 'json',
                    success: function (json) { return process(json); }
                });
            }
        });
    });
    </script>

The HTML:

    <input type="text" name="itemdesc[]" class="input-large" id="itemdesc" data-provide="typeahead"/>

And the controller:

    public function localizaprodutos() {
        $this->autoRender = false;
        $this->RequestHandler->respondAs('json');
        // get the search term from URL
        $term = $this->request->query['q'];
        // the find() result has to land in $produtos, the variable the loop below reads
        $produtos = $this->Invoice->Invoicedetail->Inventoryitem->find('all', array(
            'conditions' => array(
                'Inventoryitem.desc LIKE' => '%' . $term . '%'
            )
        ));
        // Format the result for select2
        $result = array();
        foreach ($produtos as $key => $produto) {
            array_push($result, $produto['Inventoryitem']['desc']);
        }
        $produtos = $result;
        echo json_encode($produtos);
    }

Thanks
Renato
Security and Ajax
I know that for forms submitted via ajax the security component does not work (checking for edits / tampering). What is the reason for this? I understand why it would not work if you add fields dynamically, because of the hashed fields when the form is rendered. But if you are simply sending a form as coded with $this->Form as standard procedure, with no edits or fields added, why would it not act the same? The exact data is being sent as if it was submitted via http. No? Just curious.

Thanks,
Dave
Re: Security and Ajax
Because the keys are 'use once', so when submitted by ajax they become invalid. See this page for a solution: http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::$csrfUseOnce

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 8 Aug 2013, at 20:53, Advantage+ movepix...@gmail.com wrote:
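Dave's description of hashing the rendered field names into a lock (in the Ajax / CSRF thread above) and Jeremy's point about single-use tokens come down to two small checks, written out below as an added example. This is not CakePHP's SecurityComponent or Dave's plugin; the class and method names (FormLock, CsrfTokens, useOnce) and the sample form data are constructed for illustration.

```php
<?php
// Added example, not CakePHP code. FormLock hashes the set of field names a
// form was rendered with (the "lock"), so a submission whose field set was
// changed client-side is rejected. CsrfTokens issues per-request tokens that
// are either single-use (the behaviour a second ajax submit runs into) or
// valid for the session lifetime.

final class FormLock
{
    private string $secret;

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    /** Build the lock token for the field names a form was rendered with. */
    public function lock(array $fieldNames): string
    {
        // Canonical order: the token must not depend on rendering order.
        $fields = array_values(array_unique($fieldNames));
        sort($fields, SORT_STRING);
        return hash_hmac('sha256', implode("\0", $fields), $this->secret);
    }

    /** True only if the submitted field set matches the lock issued at render time. */
    public function verify(array $postedFields, string $token): bool
    {
        // Constant-time comparison: the token string comes from the client.
        return hash_equals($this->lock(array_keys($postedFields)), $token);
    }
}

final class CsrfTokens
{
    /** @var array<string,true> tokens issued to this session, keyed by value */
    private array $issued = [];
    private bool $useOnce;

    public function __construct(bool $useOnce)
    {
        $this->useOnce = $useOnce;
    }

    public function issue(): string
    {
        $token = bin2hex(random_bytes(16));
        $this->issued[$token] = true;
        return $token;
    }

    /** Accept a token once (useOnce) or for as long as the session holds it. */
    public function consume(string $token): bool
    {
        if (!isset($this->issued[$token])) {
            return false;
        }
        if ($this->useOnce) {
            unset($this->issued[$token]);
        }
        return true;
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed walk-through with a hypothetical Post form.
$lock = new FormLock('per-app-secret-from-config');
$token = $lock->lock(['Post.title', 'Post.body', 'Post.published']);

// 1. Untouched form: the same fields come back, the lock verifies.
$posted = ['Post.title' => 'Hello', 'Post.body' => 'x', 'Post.published' => '1'];
check($lock->verify($posted, $token) === true, 'unchanged form accepted');

// 2. Tampered form: a field the view never rendered was added client-side.
$tampered = $posted + ['Post.user_id' => '42'];
check($lock->verify($tampered, $token) === false, 'added field rejected');

// 3. Single-use tokens: re-posting the same form is rejected the second time.
$once = new CsrfTokens(true);
$t = $once->issue();
check($once->consume($t) === true, 'first use accepted');
check($once->consume($t) === false, 'second use rejected');

// 4. Session-lifetime tokens: the same token stays valid across submits.
$multi = new CsrfTokens(false);
$t = $multi->issue();
check($multi->consume($t) === true && $multi->consume($t) === true, 'reuse accepted');

echo "all checks passed\n";
```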
Re: Suggestion, maillist for security/updates
Hi,

The sole reason I'm on this list is receiving security/update notifications. A separate list would save me a lot of time deleting mail.

Okkel

On 18-5-2013 16:16, localhost wrote:
Suggestion, maillist for security/updates
Hi, this is just a suggestion: it would be very nice if we could have a mailing list/group about CakePHP news related to new releases and any security issues. This way we don't have to subscribe by email to the normal CakePHP list and receive all posts.
Re: Suggestion, maillist for security/updates
Have you seen http://bakery.cakephp.org/? It also has an RSS feed that would keep you up to date.

On Saturday, 18 May 2013 14:38:28 UTC+2, localhost wrote:
Re: Suggestion, maillist for security/updates
Thanks, I know about the RSS, but I don't think most people will check RSS every day/hour. I'm just saying having a mailing list about security would be more effective for alerting people.

Thanks

On Saturday, May 18, 2013 4:19:21 PM UTC+3, euromark wrote:
Security Fix: Cakephp 2.3.5 released
CakePHP 2.3.5 has just been released to fix a critical issue with how the webroot property in CakeRequest is handled that could potentially lead to XSS attacks on certain pages. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.

A huge thanks to Florian Krämer for conducting a full security audit on the CakePHP code and to Carl Sutton for reporting and providing a candidate patch.

In addition to the security fix, 2.3.4 contains fixes for the following issues:

- Increasing compatibility with old CentOS servers and the way they handle PHP regular expressions
- Preventing the pagination limit from overflowing the max integer value
- Making sure form ids generated in FormHelper::postLink() are actually unique
- Fixed a bug in the TextHelper auto link utility

We recommend all users of the 2.x release series upgrade as soon as possible to the new release.

Links
- Download a packaged release: http://github.com/cakephp/cakephp/tags
- View the changelogs: http://cakephp.org/changelogs
Re: Security Release - CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4
Is it available on the CakePHP download page?

Best regards
Re: Security Release - CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4
I set the default timezone in CacheEngine.php at line 60 because I've got an error when I use the NetBeans CakePHP plugin with strtotime.
Re: Security Release - CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4
Can you tell in what release this problem was introduced? I think it was 1.2RC2, right?

On Sunday, April 28, 2013 4:37:05 PM UTC-4, mark_story wrote:
edit form needs to be submitted two times while using security component
Hi Friends,

Can anyone help me out with this? I have an edit form with the security component, and it needs to be submitted two times. I have checked in the console: in the form, the security component hidden token METHOD is by default PUT; when I click submit the first time it changes to POST, then the second time when I click submit the form gets submitted. Please let me know how I can fix this; it's very strange to click submit two times...

Thanks,
Vinod
Security Release - CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4
If you are using CakePHP's PaginatorComponent without whitelisted sort fields you should upgrade as soon as possible to prevent possible SQL injections.

CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4 have just been released to fix a critical issue with how PaginatorComponent handles sort criteria. When paginating without a sort column whitelist it was possible to execute arbitrary SQL by manipulating the sort conditions. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.

In addition to the security fix, 2.3.4 contains fixes for the following issues:

* Support for HTTP code 505 was added.
* Router::currentRoute() returns false when there is no current route.
* Writing to file cache after clearing a group now works as expected.
* Asset URLs using fullBase are now generated correctly when not using URL re-writing.

There are no additional fixes outside the security fix in 2.2.8.

In addition to the security fix, 1.3.16 contains fixes for the following issues:

* Databases is now singularized correctly.
* Saving translations with saveAll() now works better.
* Oracle listSources() no longer reads from the global table namespace.
* The cake console command now works on MacOS properly.
* Mixing query[contain] and contain() now interact properly.

In addition to the security fix, 1.2.12 contains fixes for the following issues:

* umask is now set when creating cache files.
* Boundaries for multipart email messages are now generated correctly.
* Compatibility with PHP 5.4 has been improved.

We recommend all users of the 1.2, 1.3, and 2.x release series upgrade as soon as possible to the new releases.

Links

* Download a packaged release: http://github.com/cakephp/cakephp/tags
* View the changelogs: http://cakephp.org/changelogs
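The "sort column whitelist" the release above asks for is, at its core, one small check: a requested sort key is used only if the action declared it. The following is an added example, not code from the release or from CakePHP itself (in 2.x the same idea is configured through PaginatorComponent's sortWhitelist setting); the function name resolveSortOrder, the column names and the request arrays are constructed for illustration.

```php
<?php
// Added example, not CakePHP code: resolve the ORDER BY for a paginated
// listing from request parameters, letting only declared columns through.

/**
 * @param array $query      The request query string, e.g. $this->request->query
 * @param array $whitelist  Fully qualified columns this action may sort on
 * @param array $default    Order used when no (or a rejected) sort is requested
 * @return array            ['Model.column' => 'asc'|'desc'] ready for find()
 */
function resolveSortOrder(array $query, array $whitelist, array $default): array
{
    $sort = $query['sort'] ?? null;
    $direction = strtolower((string) ($query['direction'] ?? 'asc'));

    // Anything outside the whitelist falls back to the default order instead
    // of being spliced into the ORDER BY clause. That covers real columns the
    // action did not declare as well as strings that are not identifiers.
    if ($sort === null || !in_array($sort, $whitelist, true)) {
        return $default;
    }
    if (!in_array($direction, ['asc', 'desc'], true)) {
        $direction = 'asc';
    }
    return [$sort => $direction];
}

// Constructed requests against a hypothetical Post listing.
$whitelist = ['Post.title', 'Post.created'];
$default = ['Post.created' => 'desc'];

$cases = [
    // [request query, expected order]
    [['sort' => 'Post.title', 'direction' => 'asc'], ['Post.title' => 'asc']],
    [['sort' => 'Post.created', 'direction' => 'DESC'], ['Post.created' => 'desc']],
    // Unknown direction is normalised rather than passed through.
    [['sort' => 'Post.title', 'direction' => 'sideways'], ['Post.title' => 'asc']],
    // A real column the action never declared: not sortable from the request.
    [['sort' => 'User.password_hash'], $default],
    // Two columns smuggled into one parameter: not an identifier, so rejected.
    [['sort' => 'Post.title, Post.id'], $default],
    // No sort requested at all.
    [[], $default],
];

foreach ($cases as [$query, $expected]) {
    $got = resolveSortOrder($query, $whitelist, $default);
    if ($got !== $expected) {
        throw new RuntimeException('Unexpected order for ' . json_encode($query));
    }
}
echo "sort whitelist checks passed\n";
```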
Security fix: CakePHP 2.3.3 available
The CakePHP core team pushed a maintenance release for the 2.3 branch of the framework earlier than planned. We have found a severe security issue that affects all applications running CakePHP version 2.3.0 and above that are using user authentication via forms with the AuthComponent without the Security component's form tampering prevention. If you have a login form and are using the AuthComponent without the SecurityComponent field locking feature, you are strongly encouraged to upgrade to this version as soon as possible. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.

A huge thanks to Magnus Andersson for the report and patch.

CakePHP 2.3.3 [1] is a bugfix release for the 2.3 release branch. Since the release of 2.3.2 there have been 31 commits and 8 tickets resolved. A short list of the changes you can expect is:

- Fixed Vendor/bin/cake not working when installing CakePHP with composer.
- Allowing behaviors' beforeSave callback to change the datasource to be used for the actual save.
- Fixing a bug in FormHelper where the incorrect meridian would be selected for time fields.
- Solved issues with models not being added when $uses = true.
- Fixed condition parsing in MySQL-specific cases.
- Added support for key => value cookies in HttpSocket.
- Preventing the maxlength attribute on input elements of type number.
- Fixed incorrect timestamp values when using CakeTime::fromString().

Links
- [1] http://cakephp.org/changelogs/2.3.3
- [2] http://github.com/cakephp/cakephp/tags
CakePHP Security Command Injection vulnerability
Hi there, I hope someone can share some knowledge about this: we regularly build our web applications with CakePHP and some of our clients demand a thorough security check before going live. Recently one of these checks revealed a high risk of Command Injection, the most vulnerable file being /lib/Cake/Utility/file.php.

Other issues:
- Stored Code Injection
- XSRF (this can be contained with the Security component)
- Information Leak Through Persistent Cookies

Other vulnerable files mentioned:
- cookiecomponent.php
- cakesocket.php
- consoleinput.php

Since these are all Cake core files I wonder if these are known issues and if anyone has some information on this. Thanx!
Re: CakePHP Security Command Injection vulnerability
Hi John, if you just had some security tool check your app, then it is probably just a false positive warning. Otherwise, if you have a clue where there is a potential security issue, I would recommend that you file a detailed description (including the version) of how the affected code is vulnerable directly with some of the core devs, not over this mailing list.

Best regards
Jan

On 11.04.2013 09:37, John Abat wrote:
Re: CakePHP Security Command Injection vulnerability
I recently had a CakePHP app I had built penetration tested (2.3). It failed 16 out of nearly 50,000 tests; 12 of those were server related. If you build to the conventions and use the Security component, you'll be OK.

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 11 Apr 2013, at 18:57:18, Jan Kohlhof <k...@mathematik.uni-marburg.de> wrote:
Re: CakePHP Security Command Injection vulnerability
Something else to consider for the security conscious: if possible, don't have the lib directory and the Cake core code viewable via the web server. Ideally, the website root would point to app/webroot, so direct access to some of those programs is not available.

On Thursday, 11 April 2013 17:37:56 UTC+10, John Abat wrote:
Web security
Dear friends, do you have problems with the security of your web applications? I had problems with code injections, then I discovered the Sucuri service. What do you think about it? http://affl.sucuri.net/?affl=4820351442b1b642a1dac562e065ab7e
Re: Error in productive Mode (Debug = 0): Class Security not found
Hi Euromark, shame on me... ok. I've ordered the CakePHP book :) Thanks for your effort (and your patience with me..). Best regards, Kai.
Re: Security Question
On Wed, Mar 13, 2013 at 10:19 PM, Advantage+ <movepix...@gmail.com> wrote:

Is debug set to 0? If so, Cake throws a 404 on error. There may be something wrong in your code. Set it to 2 and see if it displays an error message.
Error in productive Mode (Debug = 0): Class Security not found
Hi! In some of my views and one component I use a method from the Security class for encryption and decryption. On my dev server (debug 0) everything works fine. Today I tried to deploy to the live server and set debug to 0. But then I get the error:

    2013-03-13 15:21:04 Error: Fatal Error (1): Class 'Security' not found in [/myRootpath/app/View/Campaigns/select.ctp, line 32]
    2013-03-13 15:21:04 Error: [InternalErrorException] Internal Server Error
    Request URL: /Campaigns/select
    Stack Trace:
    #0 /myRootpath/lib/Cake/Error/ErrorHandler.php(183): ErrorHandler::handleFatalError(1, 'Class 'Security...', '/myRootpath/...', 32)
    #1 [internal function]: ErrorHandler::handleError(1, 'Class 'Security...', '/myRootpath/...', 32, Array)
    #2 /myRootpath/lib/Cake/Core/App.php(926): call_user_func('ErrorHandler::h...', 1, 'Class 'Security...', '/myRootpath/...', 32, Array)
    #3 /myRootpath/lib/Cake/Core/App.php(899): App::_checkFatalError()
    #4 [internal function]: App::shutdown()
    #5 {main}

Also when the component is used I get:

    2013-03-13 15:34:42 Error: Fatal Error (1): Class 'Security' not found in [/myRootpath/app/Controller/Component/cbUtilsComponent.php, line 80]
    2013-03-13 15:34:42 Error: [InternalErrorException] Internal Server Error
    Request URL: /Hashimports/add
    Stack Trace:
    #0 /myRootpath/lib/Cake/Error/ErrorHandler.php(183): ErrorHandler::handleFatalError(1, 'Class 'Security...', '/myRootpath/...', 80)
    #1 [internal function]: ErrorHandler::handleError(1, 'Class 'Security...', '/myRootpath/...', 80, Array)
    #2 /myRootpath/lib/Cake/Core/App.php(926): call_user_func('ErrorHandler::h...', 1, 'Class 'Security...', '/myRootpath/...', 80, Array)
    #3 /myRootpath/lib/Cake/Core/App.php(899): App::_checkFatalError()
    #4 [internal function]: App::shutdown()
    #5 {main}

When I set debug 0 on the live server, everything works (but then I have the DebugKit toolbar). I use CakePHP 2.3.0. Best regards, Kai.
Re: Error in productive Mode (Debug = 0): Class Security not found
Do not use classes in your files without properly App::uses() them at the top of your classes. In your case, put App::uses('Security', 'Utility') right after the opening `<?php` tag in all files where you use the core Security class.

On Wednesday, 13 March 2013 15:39:22 UTC+1, kaiszy wrote:
Re: Error in productive Mode (Debug = 0): Class Security not found
Hi Euromark, thanks for your answer.

> Do not use classes in your files without properly App::uses() them at the top of your classes

As you mention, I put the following line in my component:

    App::uses('Component', 'Controller', Security, Utility);

But also with this line in my component I get the "Security class not found" error with debug 1. It seems to be a problem with DebugKit. When I remove loading DebugKit in bootstrap (remove CakePlugin::load('DebugKit');) I get the error in all debug modes... hmmm. Best regards, Kai.
Re: Error in productive Mode (Debug = 0): Class Security not found
Hi Euromark, ok.. problem solved. Next time I'll take more time to understand your email ;)

When I use this in my component:

    App::uses('Component', 'Controller','Security', 'Utility');

I get the error in debug mode 1. If I use

    App::uses('Security', 'Utility');
    App::uses('Component', 'Controller');

it works in all debug modes. I can't understand why, but it works ;) Best regards, Kai.

On Wednesday, 13 March 2013 16:09:22 UTC+1, euromark wrote:
Re: Error in productive Mode (Debug = 0): Class Security not found
App::uses() is supposed to be used this way; it only takes two arguments. Please see the documentation on how to use it.

On Wednesday, 13 March 2013 17:02:32 UTC+1, kaiszy wrote:
Security Question
When I log out of my site it redirects me to /login. If I then hit login (nothing entered in user / pass) I get black-holed: "The requested address '/login' was not found on this server." Why is that? It should just show the errors (Invalid User / Pass, or validation errors), not black-hole the whole thing. Ideas?
Re: Pattern Matching for Security-unlockedFields
I have not tested this. ymmv

    public function beforeFilter() {
        parent::beforeFilter();
        // second test is optional
        if ($this->request->is('post') && $this->action == 'whatever' && !empty($this->request->data['YourModel'])) {
            // match the pattern against the field names (the keys), not the posted values
            $dynamic_fields = preg_grep('/^Cat[0-9]+name$/', array_keys($this->request->data['YourModel']));
            // array_merge will leave duplicates for arrays with numeric indices
            $this->Security->unlockedFields = array_unique(
                array_merge(
                    $this->Security->unlockedFields,
                    array_values($dynamic_fields)
                )
            );
        }
    }

On Mon, Mar 4, 2013 at 7:48 PM, #2Will <willjbar...@gmail.com> wrote:
Pattern Matching for Security-unlockedFields
I'm dynamically adding fields for a hasMany relation in my form, with JS. That's obviously messing with the Security component's form tampering detection and black-holing the request. You can get it to not black-hole by doing this in the beforeFilter:

    $this->Security->unlockedFields = array('Cat0name');

I guess I could add Cat1name, Cat2name, Cat3name etc. to the array. But it makes me feel sad. Is there a better way? Can I get it to pattern match somehow? I've got ideas in my head like regex; is that at all possible? I must admit, I read the code for the _validatePost function that uses the unlockedFields setting, and I didn't really fully understand it.

Thanks for any pointers

Will
Security Component can't be called in Controller
In any of the controller files, if I call the Security component (not doing anything beyond that), certain pages of my website crash. Here's what I currently have for $components. The site works fine with this:

    var $components = array('Auth','Session','Email');

But when I add 'Security':

    var $components = array('Auth','Session','Email','Security');

When the above change happens, some of the webpages that get POST data from other pages stop loading altogether. Once it is removed, the site starts functioning normally. All I get is a blank screen. The \cake\libs\controller\components directory clearly shows a security.php file. Any ideas on what's causing this?
RE: cakephp and security
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Dee Johnson
Sent: Tuesday, October 18, 2011 7:27 PM
To: cake-php@googlegroups.com
Subject: cakephp and security

Hi all, I scanned a Cake project with a security program called Fortify and it came back with 181 errors associated with using the extract function in the core. Explanation below:

Possible Variable Overwrite: Global Scope (Input Validation and Representation, Structural)
The program invokes a function that can overwrite global variables, which can open the door for attackers.

An example is line 870 of configure.php:

    function import($type = null, $name = null, $parent = true, $search = array(), $file = null, $return = false) {
        $plugin = $directory = null;
        if (is_array($type)) {
            extract($type, EXTR_OVERWRITE);
        }
        if (is_array($parent)) {
            extract($parent, EXTR_OVERWRITE);
        }

The application suggests that in all instances where extract is used, the argument 'EXTR_SKIP' should be used. Since this would be in place of EXTR_OVERWRITE I was wondering if this would cause any issues, considering this is the core and all... ??? Thoughts?

Full explanation (from the Fortify report):

Recommendations: Prevent functions that can overwrite global variables from doing so in the following ways:
- Invoke mb_parse_str(string $encoded_string [, array $result ]) with the second argument, which captures the result of the operation and prevents the function from overwriting global variables.
- Invoke extract(array $var_array [, int $extract_type [, string $prefix]]) with the second argument set to EXTR_SKIP, which prevents the function from overwriting global variables that are already defined.

Example 2: The following code uses a second argument to mb_parse_str() to mitigate the vulnerability from Example 1.

    <?php
    $first = "User";
    ...
    $str = $_SERVER['QUERY_STRING'];
    mb_parse_str($str, $output);
    echo $first;
    ?>

References:
[1] CWE ID 473, Standards Mapping - Common Weakness Enumeration - (CWE)
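As an added illustration (not from the thread and not CakePHP core code), the constructed functions below show what the finding is about, why it matters only when the extracted array is under user control, and why swapping EXTR_OVERWRITE for EXTR_SKIP in import() is not a drop-in change: import() initialises $plugin and $directory before extracting, so EXTR_SKIP would skip exactly the options it is meant to read.

```php
<?php
// Added example, not code from the thread or from the CakePHP core. The
// functions are constructed to demonstrate extract()'s two modes and the
// consequence of the scanner's suggested fix for the App::import() shape.

// The risky pattern the rule targets: an array under the caller's (or the
// user's) control is extracted into a scope that already holds a
// security-relevant variable. With EXTR_OVERWRITE, the default, an input key
// named 'isAdmin' replaces the local $isAdmin.
function renderWithOverwrite(array $untrusted) {
	$isAdmin = false;
	extract($untrusted, EXTR_OVERWRITE);
	return $isAdmin;
}

// EXTR_SKIP leaves variables that already exist untouched, so $isAdmin keeps
// its value. Keys that do not collide are still imported, which is why the
// flag is a mitigation, not a substitute for never extracting untrusted data.
function renderWithSkip(array $untrusted) {
	$isAdmin = false;
	extract($untrusted, EXTR_SKIP);
	return $isAdmin;
}

// A reduced copy of the App::import() shape quoted in the post. The array
// being extracted is the function's own $type argument, an options array
// written by the calling code, and it exists to fill in locals such as
// $plugin that were initialised one line earlier. Two consequences:
//  - the finding is only real if some caller passes request data into it;
//  - because $plugin and $directory already exist when extract() runs,
//    EXTR_SKIP ignores the 'plugin' option instead of applying it.
function importLike($type = null, $name = null, $flags = EXTR_OVERWRITE) {
	$plugin = $directory = null;
	if (is_array($type)) {
		extract($type, $flags);
	}
	return compact('type', 'name', 'plugin', 'directory');
}

// Constructed sample input standing in for a posted form.
$posted = array('title' => 'hello', 'isAdmin' => true);
var_dump(renderWithOverwrite($posted)); // $isAdmin clobbered by the input
var_dump(renderWithSkip($posted));      // $isAdmin preserved

// Constructed options array of the kind core code passes to import().
$options = array('type' => 'Model', 'name' => 'Post', 'plugin' => 'Blog');
var_dump(importLike($options));                  // 'plugin' option applied
var_dump(importLike($options, null, EXTR_SKIP)); // 'plugin' option dropped
```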
Security component and data posted from external site
I'm using 2.3 beta and the Security component. I have a site that is posting data to a controller action but the Security component blocks the request, so I don't get `$this->request->data` and the code fails. If I disable the Security component in beforeFilter for this action the data gets through OK. The next screen the user sees is a log in screen, but as the Security component was disabled when it was created it doesn't contain the _tokens so the subsequent log in fails (`$this->request->is('post')` returns false). I have tried `$this->Security->unlockedActions = array('action_name');` but that seems to have no effect (it's as if the Security component is still active). Anyone got any clues or advice please?
Re: Security component and data posted from external site
My solution is to receive the post via one action then redirect to the log in action. Security::unlockedActions doesn't seem to work though (I must be doing it wrong?); I have to check for the initial action and disable the Security component. After the redirect the action is different, so the component is enabled again. Whilst it's working this doesn't feel like I'm getting it right so would welcome any tips or guidance.

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 7 Dec 2012, at 15:14:16, Jeremy Burns jeremybu...@classoutfit.com wrote:
> I'm using 2.3 beta and the Security component. I have a site that is posting data to a controller action but the Security component blocks the request, so I don't get `$this->request->data` and the code fails. I have tried `$this->Security->unlockedActions = array('action_name');` but that seems to have no effect (it's as if the Security component is still active). Anyone got any clues or advice please?
Re: Problems with ajax and security component.
I am struggling with the exact same problem. If anyone has a suggestion??? See: http://stackoverflow.com/questions/11869336/cakephp-2-1-making-a-jquery-ajax-call-with-security-component-activated

-Tom

On Thursday, 8 December 2011 at 21:41:18 UTC+1, porangi.chris wrote:
> Hi,
>
> I'm having issues with running Ajax and the security component alongside each other. Security works fine on the other forms. Ajax works fine if Security is commented out.
>
> Security is included in the App Controller alongside other components:
>
> ```php
> 'Security' => array('csrfExpires' => '+2 hour')
> ```
>
> and I've added the line into AppController::beforeFilter:
>
> ```php
> $this->Security->blackHoleCallback = '_fail';
> ```
>
> I've tried this in the beforeFilter function of the controller but it does not work:
>
> ```php
> if (isset($this->Security) && $this->action == 'tracker') {
>     $this->Security->csrfCheck = false;
> }
> ```
>
> Basically I have an ajax query which fails:
>
> ```javascript
> function update_log() {
>     // This is our ajax call.
>     jQuery.ajax({
>         type: 'POST',
>         url: '<?php echo Configure::read('Link.site'); ?>/logs/tracker',
>         data: {lat: latitude, lon: longitude, resource: resource},
>         dataType: 'json',
>         success: function(data) {
>             jQuery('input#logid').val(data.log);
>         }
>     });
> } // End Visitor Code
> ```
>
> I tried to construct a hidden form which I serialised and sent which had the tokens but this failed too.
>
> Please help - this needs to go live :(
>
> Thanks
> Chris
What security issues do I have to worry about when it comes to CakePHP?
I know CakePHP does a lot of stuff for you, but if I set up a CakePHP installation and create a CRUD app, is that it, or do I have to do anything else to make sure the platform is secure?
Re: What security issues do I have to worry about when it comes to CakePHP?
Using the security component is an absolute requirement for beginners, especially due to missing whitelisting in default templates. Besides that you pretty much only need to make sure you don't output unescaped output - using h($var) should take care of most of the basic problems.

On Monday, 23 July 2012 20:04:22 UTC+2, Shahruk Khan wrote:
> I know CakePHP does a lot of stuff for you, but if I set up a CakePHP installation and create a CRUD app, is that it, or do I have to do anything else to make sure the platform is secure?
Re: Security Release - CakePHP 2.1.5 2.2.1
Thank you. Could you update the links on the website? They all point to 2.2.0.

On Saturday, July 14, 2012 11:37:33 PM UTC+2, mark_story wrote:
> CakePHP 2.1.5 and 2.2.1 have just been released. If you are using CakePHP's `Xml` class, you should upgrade as soon as possible.
Re: Security Release - CakePHP 2.1.5 2.2.1
It's done now, sorry about that :)

-Mark

On Sunday, 15 July 2012 02:09:25 UTC-4, Albert 'Tigr' wrote:
> Thank you. Could you update the links on the website? They all point to 2.2.0.
>
> On Saturday, July 14, 2012 11:37:33 PM UTC+2, mark_story wrote:
> > CakePHP 2.1.5 and 2.2.1 have just been released. If you are using CakePHP's `Xml` class, you should upgrade as soon as possible.
Security Release - CakePHP 2.1.5 2.2.1
CakePHP 2.1.5 and 2.2.1 have just been released. If you are using CakePHP's `Xml` class, you should upgrade as soon as possible.

The security issue was recently reported by Paweł Wyleciał. When accepting user provided XML it is possible to read arbitrary files using external entities. This is particularly dangerous for applications accepting XML data as part of a webservice. A possible exploit example would be:

```shell
curl -X POST -H 'Content-Type: application/xml' http://localhost/posts -d '<!DOCTYPE cakephp [<!ENTITY payload SYSTEM "file:///etc/passwd">]><Post><body>&payload;</body></Post>'
```

Once the XML has been processed `$this->request->data['Post']['body']` will contain the contents of `/etc/passwd`.

This issue was [fixed](http://github.com/cakephp/cakephp/commit/6c905411bac66caad5e220a70e3d561b8a648507) and packaged releases for 2.1 and 2.2 have been created. This issue does not affect the 1.3 or 1.2 release series. If you are unable to upgrade, you should apply the [patch](http://github.com/cakephp/cakephp/commit/6c905411bac66caad5e220a70e3d561b8a648507) as soon as possible.

### Other fixes in 2.2.1

In addition to the security fix 2.2.1 contains fixes for the following issues:

* Fixed missing urlencode on nested named parameters.
* Fixed ANSI codes being output on windows terminals.
* Fixed HtmlHelper::image() including the base directory twice when the fullBase option is used.
* Console logging now respects the quiet flag for shells.
* TranslateBehavior now saves records with only some translated fields correctly.
* afterValidate() was made available on behaviors. This was an omission in 2.2.0.

View the complete changelog for 2.2.1 and 2.1.5. Download a packaged release.

CakeFest 2012 is around the corner and we already expect awesome talks and workshops during the best PHP conference out there. If you haven't booked [your tickets](http://cakefest.org/ticket-info) yet, it's about time you do.

As always, thanks to the friendly CakePHP community for the patches, documentation changes and new tickets. Without you there would be no CakePHP!

**Links**

[1] http://cakephp.org/changelogs/2.2.1
[2] http://cakephp.org/changelogs/2.1.5
[3] http://github.com/cakephp/cakephp/tags
[4] http://cakefest.org
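As an added defensive illustration (not CakePHP's Xml class or its patch), the PHP below parses client-supplied XML the way the advisory's webservice case calls for: any DTD is rejected before parsing, and libxml is invoked without LIBXML_NOENT and with LIBXML_NONET, so a SYSTEM entity pointing at a local file is never expanded. The function name parseUntrustedXml and the two sample documents are constructed for this example.

```php
<?php
// Added example, not CakePHP's Xml class: parse XML from an untrusted client
// without ever resolving external entities.

function parseUntrustedXml(string $input): SimpleXMLElement
{
    // 1. Entities can only be declared inside a DTD, and a web service has no
    //    reason to accept one from a client: refuse the document outright.
    if (stripos($input, '<!DOCTYPE') !== false || stripos($input, '<!ENTITY') !== false) {
        throw new RuntimeException('DTD/entity declarations are not accepted');
    }

    // 2. Parse with LIBXML_NONET (no network access while parsing) and
    //    deliberately without LIBXML_NOENT (no entity substitution).
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false) {
        $detail = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('Malformed XML: ' . $detail);
    }
    return $xml;
}

// Constructed sample input: what a benign client would post to /posts.
$benign = '<Post><body>hello</body></Post>';
$post = parseUntrustedXml($benign);
echo 'body = ', (string) $post->body, "\n";

// Constructed sample input: a document carrying a DTD (only a harmless
// internal entity here) is refused before libxml ever sees it.
$withDtd = '<!DOCTYPE Post [<!ENTITY greeting "hi">]><Post><body>&greeting;</body></Post>';
try {
    parseUntrustedXml($withDtd);
    echo "unexpectedly accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```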
Re: Security::cipher() and mysqldump
I was never able to convert the encoding of my ciphered data back to its original form. I was able to find a random backup I didn't realize I had and used that to restore the corrupted fields. Just wanted to report back for anyone following this thread.

On Wednesday, April 11, 2012 7:03:11 PM UTC-7, cricket wrote:
> To get the char encoding: `file -bi dumpfilename`
> To convert it to UTF-8: `iconv -f [encoding from above] -t utf8 dumpfilename > dumpfile_utf8.sql`
CakePHP 2.1 Basic Auth and Security. All requests are blackholed
I'm developing an App that ONLY uses Basic Auth as authentication. I want to specify some methods that require authentication, so I have something like:

```php
$this->Auth->authenticate = array('Basic');
$this->Auth->allow('info', 'check');
$this->Security->requireAuth('check');
```

Whenever I call the check function using HTTP Basic Username/Password I always get black holed and it seems like line 387 in SecurityComponent is to blame:

```php
if (!isset($controller->request->data['_Token'])) {
    if (!$this->blackHole($controller, 'auth')) {
        return null;
    }
}
```

What am I doing wrong here?
Re: Security::cipher() and mysqldump
On Tuesday, 10 April 2012 22:17:46 UTC+2, etipaced wrote:
> If these were only passwords... :-/

You can fix this with either mysql alone, or a shell. Either way though you're going to need to go through some trial and error and if you get stuck know that a mysql forum/irc channel will give you more chances of finding help.

*Mysql alone*

The dump file you've got is going to have charset statements in it that don't (by the sounds of it) match the charset of the dump file itself - so remove them, i.e. the **DEFAULT CHARSET=utf8** clause here:

```sql
CREATE TABLE `foos` (
  ..
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8
```

import the dump file specifying the charset you think the file is:

```shell
$ mysql --default-character-set=latin1 wrongcharsetdb < dumpfile.sql
```

if you can query the db (directly with mysql on the cli) and see the right values, you're half way there. It's been a while since I managed to put myself in the position you're in but then, in principle:

```shell
$ mysqldump --default-character-set=wrongcharset mydb > dumpfile.sql
$ mysql --default-character-set=utf8 mydb < dumpfile.sql
```

simply because you'll likely do these steps several times - it's easier if you use 2 dbs so that you don't need to keep re-importing your wrong db when it's in the right state.

*Using a shell*

Here's a shell I wrote a long time ago to correct charset problems: https://github.com/AD7six/mi_development/blob/04dd588ce9944a67985c1fd206a7dd202f853e3b/vendors/shells/fix_charset.php

Which proved at the time to be quite handy but slow. And here's the commit where I deleted it because it didn't do anything you couldn't do with mysqldump alone: https://github.com/AD7six/mi_development/commit/086f18e57949c87470c8f755218d8d50f28a5d53

hth,
AD
Re: Security::cipher() and mysqldump
Much obliged, AD ;-) I'm traveling the next 2 days on business and won't be able to put the proper time into troubleshooting this until I return. I'll post my results here for thread completeness. Thank you all.

On Wednesday, April 11, 2012 2:04:13 AM UTC-7, AD7six wrote:
> You can fix this with either mysql alone, or a shell. Either way though you're going to need to go through some trial and error and if you get stuck know that a mysql forum/irc channel will give you more chances of finding help.
Re: Security::cipher() and mysqldump
To get the char encoding:

```shell
file -bi dumpfilename
```

To convert it to UTF-8:

```shell
iconv -f [encoding from above] -t utf8 dumpfilename > dumpfile_utf8.sql
```
Re: Security::cipher() and mysqldump
On Mon, Apr 9, 2012 at 1:24 PM, etipaced kevindecap...@gmail.com wrote:
> I know there have been discussions surrounding the issue of suhosin with Cake's Security::cipher() method. I am in the process of discontinuing usage of Cake's ciphering functionality due to this issue. However, I do have existing data that has been ciphered already. My problem is that the data has been exported (via mysqldump) and then imported back into the same database (on the exact same server). What I didn't notice until after the fact, is that the ciphered data now looks different than it originally did. As a result, it's essentially corrupted. Is there anything I can do as I no longer have the originally created ciphered data, but only mysqldumps of it.

I suspect it's just a character encoding issue. If your DB is UTF-8 open the dump file and add at the top:

```sql
SET NAMES utf8;
```

Then re-import and see if that helps.
Re: Security::cipher() and mysqldump
Thanks for the help. Unfortunately, it didn't work. My database, table and fields are all UTF-8. The ciphered values import from the dump file into the table correctly. The problem is that I believe they are incorrect in the dump file itself. Meaning, mysqldump did not export them properly and somehow changed the encoding. I don't know if I can do anything to convert the odd ciphers back to what they should look like.

Here's an example of a good cipher. It's a value that was created on the server and stored directly into the database table. In other words, it has not been exported/imported: `Ôd§5ð£ïäì`

Here's an example of a bad cipher from my backup file (generated by mysqldump): `Ó`ª5ñ¦ïìõM`

As you can see, the format and pattern are totally different. I'm unable to decipher the second example which means a loss of 450+ field values.

On Monday, April 9, 2012 10:24:50 AM UTC-7, etipaced wrote:
> I know there have been discussions surrounding the issue of suhosin with Cake's Security::cipher() method. I am in the process of discontinuing usage of Cake's ciphering functionality due to this issue. However, I do have existing data that has been ciphered already.
Re: Security::cipher() and mysqldump
Are you using the same Security.cipherSeed and Security.salt?

--
Thiago Belem
Developer
Rio de Janeiro - RJ - Brasil
thiagobelem.net
cont...@thiagobelem.net
Skype / gTalk » thiago.belem.web
LinkedIn » br.linkedin.com/in/thiagobelem/pt
Assando Sites, CakePHP course » assando-sites.com.br

On Tue, Apr 10, 2012 at 15:42, etipaced kevindecap...@gmail.com wrote:
> Thanks for the help. Unfortunately, it didn't work. My database, table and fields are all UTF-8. The ciphered values import from the dump file into the table correctly. The problem is that I believe they are incorrect in the dump file itself. Meaning, mysqldump did not export them properly and somehow changed the encoding.
Re: Security::cipher() and mysqldump
Note that one string is double the length of the other. `Ôd§5ð£ïäì` vs `Ó`ª5ñ¦ïìõM`

And UTF-8 typically takes 16 bits and ascii 8.. Just a hunch but I'd bet you should be able to make a PHP function to convert them back.

b

On Tue, 2012-04-10 at 15:52 -0300, Thiago Belem wrote:
> Are you using the same Security.cipherSeed and Security.salt?
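Taking the length-doubling hunch above as the working hypothesis, here is an added PHP illustration (not code from the thread) of what a latin1-to-UTF-8 transcoding does to raw cipher bytes, how that one step is reversed, and why base64-armouring binary cipher output before it goes into a text column sidesteps the problem entirely. The nine sample bytes are constructed, not the poster's data, and the function names are this example's own.

```php
<?php
// Added example, not code from the thread: the effect of a latin1 -> UTF-8
// transcoding on raw cipher bytes, and the armouring that avoids it.

// Constructed sample: nine bytes standing in for raw Security::cipher() output.
// Seven of them are >= 0x80, i.e. not ASCII.
const SAMPLE_CIPHER = "\xD4d\xA75\xF0\xA3\xEF\xE4\xEC";

// What a dump/restore does when it treats the bytes as latin1 text and
// re-encodes them as UTF-8: every byte >= 0x80 becomes two bytes, which is
// why the "bad" value comes out longer than the "good" one.
function transcodeLatin1ToUtf8(string $raw): string
{
    return mb_convert_encoding($raw, 'UTF-8', 'ISO-8859-1');
}

// The reverse mapping. latin1 -> UTF-8 is lossless, so this restores the bytes
// exactly, provided that single transcoding was the only thing that happened.
function undoLatin1ToUtf8(string $mangled): string
{
    return mb_convert_encoding($mangled, 'ISO-8859-1', 'UTF-8');
}

// Armouring before storage keeps the column pure ASCII, which every charset
// conversion leaves untouched.
function armour(string $raw): string
{
    return base64_encode($raw);
}

function dearmour(string $stored): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new RuntimeException('stored value is not valid base64');
    }
    return $raw;
}

// 1. Raw bytes through a transcoding step: the length grows, and a single
//    reverse transcoding brings them back.
$mangled = transcodeLatin1ToUtf8(SAMPLE_CIPHER);
printf("raw: %d bytes, transcoded: %d bytes\n", strlen(SAMPLE_CIPHER), strlen($mangled));
echo 'reverse transcoding restores the bytes: ',
    (undoLatin1ToUtf8($mangled) === SAMPLE_CIPHER ? 'yes' : 'no'), "\n";

// 2. Armoured bytes through the same step: nothing changes, and the cipher
//    output is recovered intact on the other side.
$stored = armour(SAMPLE_CIPHER);
echo 'armoured value unchanged by transcoding: ',
    (transcodeLatin1ToUtf8($stored) === $stored ? 'yes' : 'no'), "\n";
echo 'dearmoured bytes match the original: ',
    (dearmour(transcodeLatin1ToUtf8($stored)) === SAMPLE_CIPHER ? 'yes' : 'no'), "\n";
```

The reverse step only helps when exactly one latin1-to-UTF-8 conversion happened; a value that was also truncated or re-encoded a second time cannot be recovered this way, which is consistent with the mixed results reported later in the thread.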
Re: Security::cipher() and mysqldump
Yes. Same code in all cases. Also, take note that the dump/export file was created by the production server that originally ciphered the value and stored it in the db. So I'm not sure that those values play into my current scenario.

On Tuesday, April 10, 2012 11:52:10 AM UTC-7, Thiago Belem wrote:
> Are you using the same Security.cipherSeed and Security.salt?
Re: Security::cipher() and mysqldump
Maybe you should just orient your users to reset their passwords?

--
Thiago Belem
Developer
Rio de Janeiro - RJ - Brasil
Assando Sites - online CakePHP course: assando-sites.com.br http://goo.gl/b1EEd
thiagobelem.net
cont...@thiagobelem.net
Skype / gTalk » thiago.belem.web
LinkedIn » br.linkedin.com/in/thiagobelem/pt

On Tue, Apr 10, 2012 at 17:11, etipaced kevindecap...@gmail.com wrote:
> Yes. Same code in all cases. Also, take note that the dump/export file was created by the production server that originally ciphered the value and stored it in the db. So I'm not sure that those values play into my current scenario.
Re: Security::cipher() and mysqldump
If these were only passwords... :-/

On Tuesday, April 10, 2012 1:13:49 PM UTC-7, Thiago Belem wrote:
> Maybe you should just orient your users to reset their passwords?
Re: Security::cipher() and mysqldump
I see. How would I go about doing that? I'm reading that ASCII is UTF-8 already. Running utf8_encode() didn't produce any usable results. I'm just very in the dark when it comes to encoding issues.

On Tuesday, April 10, 2012 11:58:44 AM UTC-7, bobzibub wrote:
> Note that one string is double the length of the other.
>
> Ôd§5ð£ïäì vs Ó`ª5ñ¦ïìõM
>
> And UTF-8 typically takes 16 bits and ASCII 8.. Just a hunch but I'd bet you should be able to make a PHP function to convert them back.
>
> b
>
> On Tue, 2012-04-10 at 15:52 -0300, Thiago Belem wrote:
> > Are you using the same Security.cipherSeed and Security.salt?
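The length-doubling hunch above points at a character-set transcode of raw ciphertext bytes. The Python below is an added example, not code from this thread or from CakePHP: it models ciphertext bytes that were stored in a text column, read back as Latin-1 and written out again as UTF-8 (so every byte above 0x7F grows to two bytes), shows the check that tells a transcoded value from a raw one (random ciphertext is almost never valid UTF-8, a transcoded copy always is), reverses the transcode when, and only when, the bytes are clean UTF-8 with no code point above 0xFF, and shows the mitigation of Base64-encoding ciphertext before it touches a text column. The sample bytes and the Latin-1 assumption are constructed for the example; whether this is what happened to the poster's dump is not established in the thread.

```python
import base64
from typing import Optional

# Constructed sample ciphertext, not the poster's data. It deliberately
# mixes a NUL, plain ASCII and high bytes.
SAMPLE_CIPHERTEXT = bytes([0x8F, 0x41, 0xE2, 0x00, 0x7F, 0xFF, 0x35, 0xC3])


def transcode_latin1_to_utf8(raw: bytes) -> bytes:
    """Model of the assumed corruption path: bytes sitting in a text column
    are interpreted as Latin-1 characters and re-encoded as UTF-8. Each byte
    >= 0x80 becomes a two-byte sequence, so the value gets longer."""
    return raw.decode("latin-1").encode("utf-8")


def is_valid_utf8(data: bytes) -> bool:
    """Detection: a column of real ciphertext that decodes as clean UTF-8
    has very likely been transcoded somewhere along the way."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def reverse_transcode(dumped: bytes) -> Optional[bytes]:
    """Undo the Latin-1 -> UTF-8 round trip. Only possible when the dumped
    bytes are valid UTF-8 and every code point fits in one byte; anything
    else cannot have come from that path, so None is returned rather than
    a guess."""
    try:
        text = dumped.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if any(ord(ch) > 0xFF for ch in text):
        return None
    return text.encode("latin-1")


def to_storable(raw: bytes) -> str:
    """Mitigation: store ciphertext as Base64 text. The result is pure ASCII,
    which every character set maps to itself, so dumps, imports and charset
    conversions leave it untouched."""
    return base64.b64encode(raw).decode("ascii")


def from_storable(stored: str) -> bytes:
    """Inverse of to_storable; validate=True rejects non-Base64 garbage."""
    return base64.b64decode(stored, validate=True)


if __name__ == "__main__":
    dumped = transcode_latin1_to_utf8(SAMPLE_CIPHERTEXT)
    print(len(SAMPLE_CIPHERTEXT), "bytes ->", len(dumped), "bytes after transcode")
    print("raw is valid UTF-8:", is_valid_utf8(SAMPLE_CIPHERTEXT))
    print("dumped is valid UTF-8:", is_valid_utf8(dumped))
    print("recovered original:", reverse_transcode(dumped) == SAMPLE_CIPHERTEXT)
    stored = to_storable(SAMPLE_CIPHERTEXT)
    print("base64 survives transcode:",
          transcode_latin1_to_utf8(stored.encode("ascii")) == stored.encode("ascii"))
```

The reversal only works if the corruption was a single, lossless transcode; once a value has passed through a conversion that dropped or substituted bytes, nothing can recover it, which is why ciphertext belongs in a BLOB/VARBINARY column or in an ASCII encoding such as Base64 from the start.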
Security::cipher() and mysqldump
I know there have been discussions surrounding the issue of suhosin with Cake's Security::cipher() method. I am in the process of discontinuing usage of Cake's ciphering functionality due to this issue. However, I do have existing data that has been ciphered already.

My problem is that the data has been exported (via mysqldump) and then imported back into the same database (on the exact same server). What I didn't notice until after the fact, is that the ciphered data now looks different than it originally did. As a result, it's essentially corrupted.

Is there anything I can do, as I no longer have the originally created ciphered data, but only mysqldumps of it?
HABTM model fields and Security-disabledFields
See the following code:

    <?php
    // HABTM model fields in view
    foreach ($daysOfWeek as $k => $day) {
        echo $form->input('BusinessHour.' . $k . '.day', array('type' => 'hidden', 'value' => $k));
    }

    // Disabling the fields with the Security Component (in controller)?
    $this->Security->disabledFields = array('BusinessHour.day');
    ?>

For HABTM model fields like the ones generated in that foreach loop, do I disable ALL of those fields via Security->disabledFields in the controller as I have indicated?
Re: HABTM model fields and Security-disabledFields
You should only need to disable them if they are being manipulated with JavaScript. That said, I've had issues trying anything other than disabling the entire HABTM data:

    $this->Security->disabledFields = array('BusinessHour');

This is because the way Cake compares the fields does not take into account multiple keys like BusinessHour.0.day, BusinessHour.1.day etc.

On Monday, February 27, 2012 4:41:53 AM UTC-8, randallj wrote:
> See the following code:
>
>     <?php
>     // HABTM model fields in view
>     foreach ($daysOfWeek as $k => $day) {
>         echo $form->input('BusinessHour.' . $k . '.day', array('type' => 'hidden', 'value' => $k));
>     }
>
>     // Disabling the fields with the Security Component (in controller)?
>     $this->Security->disabledFields = array('BusinessHour.day');
>     ?>
>
> For HABTM model fields like the ones generated in that foreach loop, do I disable ALL of those fields via Security->disabledFields in the controller as I have indicated?
Re: HABTM model fields and Security-disabledFields
Thanks! If that is the case, then that will work out just fine for me. And to address your concern: Yes, the date fields are manipulated by JavaScript.

On Feb 27, 11:09 am, jeremyharris funeralm...@gmail.com wrote:
> You should only need to disable them if they are being manipulated with JavaScript. That said, I've had issues trying anything other than disabling the entire HABTM data:
>
>     $this->Security->disabledFields = array('BusinessHour');
>
> This is because the way Cake compares the fields does not take into account multiple keys like BusinessHour.0.day, BusinessHour.1.day etc.
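To make the key-matching point above concrete, here is an added Python model of form-tampering protection. It is not CakePHP's code and is simplified relative to what SecurityComponent actually hashes; it keeps only the two mechanics the thread turns on: a token that is an HMAC over the names and values of every field that is not unlocked, and an unlock rule where a submitted dotted name is unlocked only if it equals a disabled entry or starts with that entry followed by a dot. Under that rule `BusinessHour` unlocks `BusinessHour.0.day` and `BusinessHour.1.day`, while `BusinessHour.day` unlocks neither, so a value edited by JavaScript fails verification. The secret, the form data and the field names are constructed for the example.

```python
import hashlib
import hmac
from typing import Any, Dict, Iterable, List

# Constructed stand-in for the application's Security.salt.
SECRET = b"constructed-example-secret"


def flatten(data: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Turn nested form data into dotted field names, e.g.
    {'BusinessHour': {'0': {'day': '0'}}} -> {'BusinessHour.0.day': '0'}."""
    out: Dict[str, str] = {}
    for key, value in data.items():
        name = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out


def is_unlocked(field: str, disabled: Iterable[str]) -> bool:
    """Prefix match on dotted names. 'BusinessHour' covers
    'BusinessHour.0.day'; 'BusinessHour.day' does not, because the numeric
    index sits between 'BusinessHour' and 'day'."""
    return any(field == d or field.startswith(d + ".") for d in disabled)


def locked_fields(data: Dict[str, Any], disabled: Iterable[str]) -> List[str]:
    """The field names the token commits to, in canonical order."""
    disabled = list(disabled)
    return sorted(f for f in flatten(data) if not is_unlocked(f, disabled))


def sign(data: Dict[str, Any], disabled: Iterable[str]) -> str:
    """Token issued when the form is rendered: HMAC-SHA256 over the locked
    fields' names and values."""
    flat = flatten(data)
    message = "\n".join(f"{f}={flat[f]}" for f in locked_fields(data, disabled))
    return hmac.new(SECRET, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(data: Dict[str, Any], disabled: Iterable[str], token: str) -> bool:
    """Check a submitted form against the token it was rendered with,
    using a constant-time comparison."""
    return hmac.compare_digest(sign(data, disabled), token)


# Constructed form as rendered, and as submitted after JavaScript changed
# BusinessHour.1.day, which is the situation described in the thread.
RENDERED = {"BusinessHour": {"0": {"day": "0"}, "1": {"day": "1"}},
            "Business": {"name": "Shop"}}
SUBMITTED = {"BusinessHour": {"0": {"day": "0"}, "1": {"day": "5"}},
             "Business": {"name": "Shop"}}


def demo() -> Dict[str, bool]:
    """Each entry is True when the model behaves as the thread describes."""
    narrow = ["BusinessHour.day"]
    wide = ["BusinessHour"]
    tampered = {**SUBMITTED, "Business": {"name": "Evil"}}
    return {
        "BusinessHour.day unlocks nothing, edited row is rejected":
            not verify(SUBMITTED, narrow, sign(RENDERED, narrow)),
        "BusinessHour unlocks the HABTM rows, edited row is accepted":
            verify(SUBMITTED, wide, sign(RENDERED, wide)),
        "fields outside the unlocked prefix stay protected":
            not verify(tampered, wide, sign(RENDERED, wide)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The trade-off the model makes visible: unlocking the whole `BusinessHour` prefix is what makes the JavaScript-edited rows pass, but it also removes every `BusinessHour.*` field from the token, so those values have to be validated server-side on their own.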
Re: CakePHP shows a blank page on PHP errors when using Security component
Nobody has an idea?
CakePHP shows a blank page on PHP errors when using Security component
Hello, I'm trying to investigate a problem with CakePHP ver. 2.0.5 - when there is an error in a controller class (i.e. trying to create an object from a nonexistent class) I get a blank page rendered, no errors, warnings or sql dumps. Debug level is set to 2 in Config/core.php. The problem appears only when the Security component is included in AppController.php. Here is sample code:

    /* file app/Controller/AppController.php */
    <?php
    class AppController extends Controller {
        public $helpers = array(
            'Html',
            'Js' => array('Jquery'),
            'Form',
            'Session'
        );

        public $components = array(
            'Security',
            'RequestHandler',
            'Session',
            'Acl'
        );

        public function blackhole($type) {
            pr('Security blackhole ' . $type);
        }

        public function beforeFilter($noAction = false) {
            parent::beforeFilter();
            $this->Security->blackHoleCallback = 'blackhole';
        }

        public function beforeRender() {
            parent::beforeRender();
        }

        public function afterFilter() {
            parent::afterFilter();
        }
    }
    ?>

    /* file app/Controller/CustomerDetailsController.php */
    <?php
    class CustomerDetailsController extends AppController {
        public $name = 'CustomerDetails';

        public function beforeFilter() {
            parent::beforeFilter();
        }

        public function create() {
            $this->autoRender = false; // Just for testing purposes - Cake doesn't render the view
            pr('controller action');   // Never shown
            $xfgb = new sfg;           // Nonexistent class
        }
    }
    ?>

    /* file app/Model/CustomerDetail.php */
    <?php
    class CustomerDetail extends AppModel {
        public $name = 'CustomerDetail';
    }
    ?>

Removing the Security component from the $components array does the trick - the application shows the PHP error:

    Fatal error: Class 'sfg' not found in APP/Controller/CustomerDetailsController.php on line 14

but with the Security component enabled the page is completely blank, making debugging hard (I can see the PHP error in the apache logs though).

Another oddity is that restarting the apache web server causes the error to appear just once - the first load of the page app/CustomerDetails/create is with the raised error on it, but all reloads after that end with a blank page. Restarting apache and voila - the error is here again, only on the first page load.

I've created a simple PHP script with an object instance of a nonexistent class outside CakePHP and it works as expected - every call ends with a PHP fatal error that the class was not found.

Any help will be appreciated.

Regards,
Niki
Re: Problem with Security
as miles said, best at the very top of your file: <?php HERE

On 11 Jan., 03:32, jmail ad...@jmail.pl wrote:
> H. That is strange. Why is that working on the other controller for admin? Where should I put this App::uses? Can I put this somewhere in AppController? I have added that into the login function and now that is working.
>
> jmail
>
> On 11 Jan, 03:28, Miles J mileswjohn...@gmail.com wrote:
> > Add this to the top:
> >
> >     App::uses('Security', 'Utility');
Re: Problem with Security
Just place it in bootstrap so all pages inherit it.

On Jan 11, 2:54 am, euromark dereurom...@googlemail.com wrote:
> as miles said, best at the very top of your file: <?php HERE
>
> On 11 Jan., 03:32, jmail ad...@jmail.pl wrote:
> > H. That is strange. Why is that working on the other controller for admin? Where should I put this App::uses? Can I put this somewhere in AppController? I have added that into the login function and now that is working.
> >
> > jmail
> >
> > On 11 Jan, 03:28, Miles J mileswjohn...@gmail.com wrote:
> > > Add this to the top:
> > >
> > >     App::uses('Security', 'Utility');
Problem with Security
Hi all! I am preparing a login action in my app. I have made a view:

    <?= $this->Form->create('User', array('action' => 'login', 'inputDefaults' => array('label' => false, 'div' => false))); ?>
    <?= $this->Form->input('mail', array('type' => 'text', 'label' => 'Email:<br>')); ?><br>
    <?= $this->Form->input('pass', array('type' => 'password', 'label' => 'Pass:<br>')); ?><br><br>
    <?= $this->Form->end(array('value' => 'Login', 'label' => 'Login', 'class' => 'searchsubmit', 'div' => array('class' => 'floatRight'))); ?>

I have built a function in UsersController:

    <?php
    class UsersController extends AppController {
        public function login() {
            if ($this->request->is('post')) {
                $user = $this->User->findByMailAndPass(
                    $this->request->data['User']['mail'],
                    Security::hash($this->request->data['User']['pass'], null, true)
                );
                if ($user === false) {
                    $this->Session->setFlash('Nieprawidłowe dane logowania.');
                    $this->request->data['User']['mail'] = '';
                    $this->request->data['User']['pass'] = '';
                } else {
                    CakeSession::write('user.id', $user['User']['id']);
                    CakeSession::write('user.mail', $user['User']['mail']);
                    $this->redirect(array('controller' => 'users', 'action' => 'profile'));
                }
            }
        }

        public function logout() {
            CakeSession::delete('user');
            $this->redirect('/');
        }
    }

So. When I go to HOST/users/login everything is ok, but when I try to submit the login form I get an error:

    Fatal error: Class 'Security' not found in

and of course I've got

    var $helpers = array('Form', 'Html', 'Session', 'Cycle');

in AppController. Can anyone please help me with what I should do? Please do not tell me to change my login to the Cake model - I need it done this way. Finally, I will add that the same action is working well for admin login :(

Thanks for the tips.

Regards,
jmail