By accident and looking at the error logs I found something that concerns 
me.
Currently sth like this is used by probably most of us:

    if (!empty($this->request->params['named']['sort'])) {
        // we expect a string in 99% of all cases
        $sort = strtolower($this->request->params['named']['sort']);
        // do sth with it
    }

But if you generate URLs like `.../sort:created/sort:foo/sort:bar/...` you 
can easily break the logic here.
So, if someone wants to hurt you he could just try to do that with all your 
pages where you expect named (or query) strings and
on such a big scale that your error logs fill up in the MB range in the 
hope to fill the hard disk. Should we have any concerns here?

Shouldn't we whitelist the named/query params that can/will be arrays? Like 
`$this->request->exceptAsArray('sort')` etc.?
Or always use this (I found at least 400 places in my code where this array 
trick would result in lots of broken code, by the way):

    if (!empty($this->request->params['named']['sort'])) {
        if (is_array($this->request->params['named']['sort'])) {
            // collapse a repeated param to its first value
            $this->request->params['named']['sort'] =
                array_shift($this->request->params['named']['sort']);
        }
        $sort = strtolower($this->request->params['named']['sort']);
        // do sth with it
    }

Adding some whitelisting would be cleaner here IMO.
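
One way the whitelisting asked for above could look, as an added example that is not part of the original message and not CakePHP API. `normaliseParams()` and its arguments are hypothetical names, and the sample input is constructed to match the repeated-parameter URLs described in the post.

```php
<?php
// Added example: hypothetical helper, not a CakePHP method.

/**
 * Return a copy of $params in which only the keys listed in $arrayKeys may
 * hold arrays. Any other key that arrives as an array is reduced to its first
 * element (the array_shift idea from the post); if that element is not a plain
 * string or number, the key is dropped so later string functions never see it.
 */
function normaliseParams(array $params, array $arrayKeys = []): array
{
    $isValue = function ($v) {
        return is_string($v) || is_int($v) || is_float($v);
    };
    $clean = [];
    foreach ($params as $key => $value) {
        if (in_array($key, $arrayKeys, true)) {
            // Whitelisted key: always a flat list, nested arrays removed.
            $clean[$key] = array_values(array_filter((array)$value, $isValue));
            continue;
        }
        if (is_array($value)) {
            $value = reset($value); // first element, or false if empty
        }
        if ($isValue($value)) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed input: repeated named params arriving as arrays, as in
// .../sort:created/sort:foo/sort:bar/... from the post.
$named = [
    'sort'      => ['created', 'foo', 'bar'],
    'tag'       => ['a', ['nested'], 'b'],
    'page'      => '2',
    'direction' => [['asc']],
];

$named = normaliseParams($named, ['tag']);

// strtolower() now only ever receives a string, so no warning is logged.
$sort = isset($named['sort']) ? strtolower($named['sort']) : null;

var_export($named);
```

Running the normalisation once, before any action code reads the parameters, avoids repeating the `is_array()` check at every call site.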
