Hello Graham,

Thanks a lot for your kind answer. I was pretty sure that in no way are any
globals being passed to extract inside Cake's core; I just wanted to make sure
of that in order to show it to my "paranoid" client!

Thanks again.

Cheers,
Ma'moon
On Mon, Jul 19, 2010 at 2:30 AM, saidbakr <[email protected]> wrote:

> Hi,
> I need an example that demonstrates the security risk in a CakePHP
> application that depends on extract!!!
>
> On Jul 19, 1:40 am, Graham Weldon <[email protected]> wrote:
> > Extract is only ever used on settings and the like.
> > While we do a lot to ensure the security and safety of the framework,
> > we do not provide security for developers passing in globals and
> > exposing potential security risks or issues.
> >
> > The core at no point will extract and override a global like $_FILES,
> > $_GET etc.
> >
> > Cheers,
> > Graham / Predominant
> >
> > On Mon, Jul 19, 2010 at 12:32 AM, Ma'moon <[email protected]> wrote:
> > > Dear CakePHP core developers,
> > > I have noticed that the "extract" function is being used in so many places
> > > all over the core files "more than 100", and as you know, the extract
> > > function is very dangerous to use according to the warning mentioned
> > > in the documentation page @ php.net/extract . Kindly, my question is, what
> > > do you guys do in order to make sure that no superglobals are being
> > > passed to extract in the core files?? If someone may answer me then it
> > > will save me a lot of time to convince some people that CakePHP is fit
> > > for the job; I'll appreciate any answer.
> >
> > > Thanks a lot
> > > Ma'moon
> >
> > > Check out the new CakePHP Questions site http://cakeqs.org and help
> > > others with their CakePHP related questions.
> >
> > > You received this message because you are subscribed to the Google
> > > Groups "CakePHP" group.
> > > To post to this group, send email to [email protected]
> > > To unsubscribe from this group, send email to
> > > [email protected]<cake-php%[email protected]> For
> > > more options, visit this group at
> > > http://groups.google.com/group/cake-php?hl=en
>
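The risk saidbakr asks for an example of, and the distinction Graham draws between extracting internal settings and extracting request data, shown as an added PHP example; this is not code from the thread or from CakePHP's core, the request array is constructed, and the function names are my own:

```php
<?php
// Added example (not from the thread or CakePHP). Shows why calling
// extract() on a request-controlled array is dangerous and two ways
// to keep application-set variables from being overwritten.

// Vulnerable pattern: extract() on request data. Any key in the request
// becomes a local variable, clobbering values the application set first.
function vulnerable_render(array $request): string
{
    $is_admin = false;        // decided by the application, not the user
    extract($request);        // a request key 'is_admin' overwrites it
    return $is_admin ? 'admin view' : 'user view';
}

// Hardened pattern 1: EXTR_SKIP leaves existing variables untouched,
// so state the application set before the call cannot be overridden.
function hardened_skip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return $is_admin ? 'admin view' : 'user view';
}

// Hardened pattern 2: only extract an allowlisted set of keys, so
// the request cannot introduce or shadow variables you did not expect.
function hardened_allowlist(array $request): string
{
    $is_admin = false;
    $allowed  = ['page', 'sort'];
    $params   = array_intersect_key($request, array_flip($allowed));
    extract($params);         // at most $page and $sort are created
    return $is_admin ? 'admin view' : 'user view';
}

// Safe use in the spirit of "settings and the like": the array comes from
// the application's own defaults, not from a superglobal.
function settings_style(): string
{
    $defaults = ['layout' => 'default', 'cache' => true];
    extract($defaults);       // $layout and $cache are trusted values
    return $layout . ($cache ? ' (cached)' : '');
}

// Constructed stand-in for $_GET; no live request is read.
$request = ['page' => '2', 'is_admin' => '1'];

echo vulnerable_render($request), "\n";
echo hardened_skip($request), "\n";
echo hardened_allowlist($request), "\n";
echo settings_style(), "\n";
```

Run it with the PHP CLI; only the first function lets the request key flip the view, which is the behaviour the php.net warning is about.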
