Any comments here? :)
How would you handle it? Or do you just let PHP throw errors and notices
here into your log files?
On Monday, 10 December 2012 16:26:16 UTC+1, euromark wrote:
>
> By accident, while looking at the error logs, I found something that concerns
> me.
> Currently something like this is probably used by most of us:
>
> if (!empty($this->request->params['named']['sort'])) {
>     // we expect a string in 99% of all cases
>     $sort = strtolower($this->request->params['named']['sort']);
>     // do something with it
> }
>
> But if you generate URLs like `.../sort:created/sort:foo/sort:bar/...` you
> can easily break the logic here.
> So, if someone wants to hurt you, he could just try to do that with all
> your pages where you expect named (or query) strings, and
> on such a big scale that your error logs fill up in the MB range in the
> hope of filling the hard disk. Should we have any concerns here?
>
> Shouldn't we whitelist the named/query params that can/will be arrays?
> like $this->request->exceptAsArray('sort') etc?
> Or always use this (I found at least 400 places in my code where this
> array trick would result in lots of broken code by the way):
>
> if (!empty($this->request->params['named']['sort'])) {
>     if (is_array($this->request->params['named']['sort'])) {
>         $this->request->params['named']['sort'] =
>             array_shift($this->request->params['named']['sort']);
>     }
>     $sort = strtolower($this->request->params['named']['sort']);
>     // do something with it
> }
>
> Adding some whitelisting would be cleaner here IMO.
>
--
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
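The failure mode the thread describes, as an added example that is not code from the CakePHP project or from either poster. The `parseNamedSegments()` function is a deliberately simplified emulation of how a repeated `key:value` segment turns into an array (the real Router has more rules); `scalarParam()`, `arrayParam()` and the `ARRAY_PARAMS` whitelist are hypothetical helpers in the spirit of the `exceptAsArray('sort')` idea above, and the request path and query string are constructed inputs. Assumes PHP 7.1 or newer.

```php
<?php
// Added example, not code from the CakePHP project or from the thread.
// Shows how a repeated named parameter becomes an array and a scalar-only
// accessor that whitelists the few keys allowed to be arrays.
// Assumes PHP 7.1+ (short list syntax, nullable types).

/**
 * Simplified emulation of CakePHP 2.x named-parameter parsing (assumption:
 * the real Router has more rules; only the repeated-key behaviour matters here).
 * "sort:created/sort:foo" becomes ['sort' => ['created', 'foo']].
 */
function parseNamedSegments(string $path): array
{
    $named = [];
    foreach (explode('/', trim($path, '/')) as $segment) {
        if (strpos($segment, ':') === false) {
            continue; // plain passed argument, not a named param
        }
        [$key, $value] = explode(':', $segment, 2);
        if (!array_key_exists($key, $named)) {
            $named[$key] = $value;
        } elseif (is_array($named[$key])) {
            $named[$key][] = $value;
        } else {
            $named[$key] = [$named[$key], $value]; // second occurrence promotes to array
        }
    }
    return $named;
}

/**
 * Hypothetical accessor: the string value of $key, or $default when the
 * param is missing, empty or not a scalar. Unlike !empty(), a literal "0" is kept.
 * Arrays are rejected rather than array_shift()ed: shifting lets the attacker
 * choose which value wins and hides that the request was malformed.
 */
function scalarParam(array $params, string $key, ?string $default = null): ?string
{
    if (!array_key_exists($key, $params) || $params[$key] === '') {
        return $default;
    }
    if (!is_scalar($params[$key])) {
        // One short, rate-limitable line instead of a PHP warning per request.
        error_log(sprintf('param "%s": expected scalar, got %s', $key, gettype($params[$key])));
        return $default;
    }
    return (string)$params[$key];
}

/**
 * Hypothetical whitelist of keys that may legitimately repeat; everything
 * else goes through scalarParam(). A single value is normalised to an array
 * so callers never have to type-check.
 */
const ARRAY_PARAMS = ['tag'];

function arrayParam(array $params, string $key): array
{
    if (!in_array($key, ARRAY_PARAMS, true) || !isset($params[$key])) {
        return [];
    }
    $values = is_array($params[$key]) ? $params[$key] : [$params[$key]];
    return array_values(array_filter($values, 'is_scalar'));
}

// Constructed request: the attacker repeats sort: and also turns page: into an array.
$named = parseNamedSegments('/posts/index/sort:created/sort:foo/sort:bar/page:2/page:3/tag:php/tag:cake');

// The pattern from the thread. PHP 5 and 7 log a warning and return NULL here;
// PHP 8 throws a TypeError. Either way every such request costs a log line.
// $sort = strtolower($named['sort']);

$sort = strtolower((string)scalarParam($named, 'sort', 'created'));
// A sort field usually ends up in ORDER BY, so whitelist the value as well.
if (!in_array($sort, ['created', 'title', 'modified'], true)) {
    $sort = 'created';
}
$page = (int)scalarParam($named, 'page', '1');
$tags = arrayParam($named, 'tag');

// Query strings have the same trap: ?sort[]=a&sort[]=b is an array after parse_str().
parse_str('sort[]=created&sort[]=foo&direction=DESC', $query);
$qsort = scalarParam($query, 'sort', 'created');

printf("sort=%s page=%d tags=%s qsort=%s\n", $sort, $page, implode(',', $tags), $qsort);
```

Run it with `php example.php`: the repeated `sort:` and `page:` segments fall back to their defaults and produce one `error_log()` line each, while `tag:`, the only whitelisted key, comes back as a clean array. The point of rejecting instead of shifting is that a request carrying an array where a string belongs is already malformed, so the safest response is the default value plus a single compact log entry that a log-rate limit can absorb.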