This is a shameless bump of a question I posted yesterday: http://groups.google.com/group/symfony-devs/browse_thread/thread/c245a6749858d765
However, I am only doing it because I want to rule out that there might be a security leak in any number of live Symfony applications out there. This is really easy to test in your own application. Go to any secured module and change the case on one or more of the letters in the action name. If you get your login module then you're OK. However, if you get a 500 or other template error then your action has executed. This can be a problem, for example, if someone maliciously calls an update or delete action. See my other post for more details. I am sorry to nag about this but I just assumed even the potential of this problem being out there would be a concern for someone.

--peterVG

> -----Original Message-----
> From: [email protected]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Van Garderen
> Sent: March 15, 2007 4:39 PM
> To: [email protected]
> Subject: [symfony-devs] security.yml case sensitive?
>
>
> I might have missed something obvious but my security.yml settings appear to
> be case sensitive which could be a bit of a security leak.
>
> I am running Symfony 1.0.0. This problem was apparently addressed back in
> June 2006 - http://www.symfony-project.com/trac/ticket/466. However, I seem
> to be re-experiencing it.
>
> For example, I secure the myModule actions using
> myModule/config/security.yml
>
> create:
>   is_secure: on
>   credentials: admin
>
> edit:
>   is_secure: on
>   credentials: admin
>
> Now here's the twist where this might have gone unnoticed in 90% of cases.
> My 'create' and 'edit' actions use some control logic to decide which
> template to load, using the setTemplate() command.
>
> Therefore, if I am not authenticated then I can't access
> //myApp/myModule/create or //myApp/myModule/edit/id/1 but I can access the
> edit or create actions using any of the following URLs (without
> authentication):
>
> //myApp/myModule/Create
> //myApp/myModule/cREate
> //myApp/myModule/Edit/id/1
> //myApp/myModule/edIT/id/1
> ...etc
>
> Normally actions and their associated SUCCESS templates are case sensitive.
> Therefore, these case-sensitive URLs would normally just fail with an error
> like "The template "/cREateSuccess.php" does not exist in:"
>
> However, because of my setTemplate() control logic the templates are loaded,
> despite the security.yml rules which, as far as I understood it, should have
> restricted the 'create' or 'edit' action altogether.
>
> I fixed this using the patch to sfAction.class.php illustrated in the
> original ticket #466:
>
> However, I thought I'd better call this to attention in case this is an issue
> for Symfony in general.
>
> If this is not a problem isolated to my system/setup I can re-open this
> ticket.
>
> --peterVG
>
>
> --------
> Patch to sfAction.class.php (converted ActionName to lowercase before
> checking for security & credential requirements):
>
>
>   /**
>    * Indicates whether this action requires authentication, per security.yml.
>    *
>    * @return bool true if the action (or the 'all' default) is marked is_secure
>    */
>   public function isSecure()
>   {
>     $actionName = strtolower($this->getActionName());
>
>     if (isset($this->security[$actionName]['is_secure']))
>     {
>       return $this->security[$actionName]['is_secure'];
>     }
>
>     if (isset($this->security['all']['is_secure']))
>     {
>       return $this->security['all']['is_secure'];
>     }
>
>     return false;
>   }
>
>   /**
>    * Gets credentials the user must have to access this action.
>    *
>    * @return mixed An array or a string describing the credentials the user
>    *               must have to access this action
>    */
>   public function getCredential()
>   {
>     $actionName = strtolower($this->getActionName());
>
>     if (isset($this->security[$actionName]['credentials']))
>     {
>       $credentials = $this->security[$actionName]['credentials'];
>     }
>     else if (isset($this->security['all']['credentials']))
>     {
>       $credentials = $this->security['all']['credentials'];
>     }
>     else
>     {
>       $credentials = null;
>     }
>
>     return $credentials;
>   }
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
-~----------~----~----~----~------~----~------~--~---
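The mismatch the post describes, reduced to a stand-alone script. This is an added example, not Symfony code and not the poster's patch: the security.yml rules are read by exact array-key lookup, while the action itself is reached through a PHP method call, and PHP method names are case-insensitive, so 'cREate' and 'Create' both land on executeCreate(). Only the template file lookup on a case-sensitive file system normally masks that, which is why setTemplate() exposes it. The class name DemoActions, the two lookup functions and dispatch() are hypothetical names chosen for this example. The normalised variant goes one step beyond the patch quoted above and lowercases the config keys as well as the requested name, so a rule written as "Create:" in security.yml still applies:

```php
<?php
// Added example (not Symfony or the poster's code): models the case-sensitivity
// gap between a security.yml lookup and PHP action dispatch. Names are hypothetical.

// What a module's security.yml loads as: keys exactly as written in the file.
$security = [
    'create' => ['is_secure' => true, 'credentials' => 'admin'],
    'edit'   => ['is_secure' => true, 'credentials' => 'admin'],
];

class DemoActions
{
    // Stand-in for a Symfony 1.0 action: /myModule/create maps to executeCreate().
    public function executeCreate(): string
    {
        return 'executeCreate ran';
    }
}

/** Exact-key lookup: the behaviour the post describes as vulnerable. */
function isSecureExact(array $security, string $actionName): bool
{
    return $security[$actionName]['is_secure']
        ?? $security['all']['is_secure']
        ?? false;
}

/** Normalised lookup: lowercase both the config keys and the requested name. */
function isSecureNormalized(array $security, string $actionName): bool
{
    $normalized = array_change_key_case($security, CASE_LOWER);
    $key = strtolower($actionName);
    return $normalized[$key]['is_secure']
        ?? $normalized['all']['is_secure']
        ?? false;
}

/**
 * Toy dispatcher: an unauthenticated request to a secure action goes to login,
 * anything else calls execute<ActionName>(). method_exists() and the method call
 * are both case-insensitive in PHP, so 'cREate' reaches executeCreate() too.
 */
function dispatch(array $security, string $actionName, bool $authenticated, callable $isSecure): string
{
    if ($isSecure($security, $actionName) && !$authenticated) {
        return 'redirected to login';
    }
    $actions = new DemoActions();
    $method = 'execute' . $actionName;
    if (!method_exists($actions, $method)) {
        return '404 no such action';
    }
    return $actions->$method();
}

// Constructed input: the same action requested with three spellings, unauthenticated.
foreach (['create', 'Create', 'cREate'] as $name) {
    printf("%-7s exact: %-20s normalized: %s\n", $name,
        dispatch($security, $name, false, 'isSecureExact'),
        dispatch($security, $name, false, 'isSecureNormalized'));
}
```

With the exact lookup only the first spelling is sent to login; the other two execute the action without credentials. With the normalised lookup all three are refused. The test in the post's opening paragraph is the same experiment run against a live application: a login page means the lookup and the dispatch agree on the name, a 500 or template error means the action body already ran.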
