#6052: Model::save and saveAll $fieldList enforcement
-------------------------------------------------------------------------
    Reporter:  ionas82
        Type:  Enhancement
      Status:  new
    Priority:  Low
   Milestone:  2.0.0.x
   Component:  Model
     Version:
    Severity:  Major
    Keywords:  security, fieldlist, whitelist, blacklist, save, saveAll
 Php_version:  n/a
Cake_version:  8004
-------------------------------------------------------------------------
 All developers should be forced to set $fieldList to '*' at least (or
 specify an array). This should prevent security holes in applications
 where developers forget or do not know about $fieldList.

 While I think that this is important for beginners and average developers
 who might otherwise distribute many cake apps with always the same security
 hole, I see the following drawback with the implementation:

 You will have to specify $validate as well, which adds even more "bloat"
 code to applications that do not require $fieldList (like one-
 administrator applications). Switching $validate and $fieldList would
 break compatibility with current apps that specify either of both.

 One way to circumvent this would be to move from the following parameter
 list: $data, $validate, $fieldList, ($blackList) to:

 $data, array('validate' => true, 'fieldList' => 'modelField1,
 modelField2', 'blackList' => 'modelField1, modelField2'). (see
 http://trac.cakephp.org/ticket/5953 for blackList)

 Minimal calling parameters would be save($data, array('fieldList' => '*'))
 instead of the current save($data). Having a named parameter gives even
 more transparency - maybe naming it 'whiteList' even more. Naming the
 array of parameters $options might not be fitting as they are no longer
 options but some are obligatory - $params would fit.

 In addition, if save() has 3 parameters the old style of calling could be
 kept if required (like save($data, $validate, $fieldList)).

 I am sorry for my bad English and I am sorry if I went on some nerves in
 #cakephp. I have no problem with the current implementation myself but I
 think that for Cake to have more success as a framework this change would
 add tighter default security in future versions.

 Are you interested in a patch for this?

-- 
Ticket URL: <https://trac.cakephp.org/ticket/6052>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
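The enforcement the ticket proposes, as an added illustration that is not CakePHP's own Model::save code: a plain-PHP filter that applies the proposed $params array (fieldList as '*', array or comma list; optional blackList) to submitted data and refuses to proceed when no fieldList was given at all. The function name applyFieldList and the request payload are constructed for this example.

```php
<?php
// Illustration of the enforcement the ticket proposes (not CakePHP code):
// a save() front-end that refuses to run unless the caller states which
// fields may be written, so a forgotten $fieldList fails loudly instead of
// silently mass-assigning every submitted column.

function applyFieldList(array $data, array $params): array
{
    if (!array_key_exists('fieldList', $params)) {
        // The ticket's core point: an absent whitelist is an error, not "allow all".
        throw new InvalidArgumentException(
            "fieldList is required; pass '*' to allow every field explicitly"
        );
    }
    $allowed = $params['fieldList'];
    if ($allowed !== '*') {
        // Accept either an array or the comma-separated string form from the ticket.
        if (is_string($allowed)) {
            $allowed = array_map('trim', explode(',', $allowed));
        }
        $data = array_intersect_key($data, array_flip($allowed));
    }
    if (!empty($params['blackList'])) {
        // blackList (ticket #5953 style) is applied after the whitelist.
        $denied = $params['blackList'];
        if (is_string($denied)) {
            $denied = array_map('trim', explode(',', $denied));
        }
        $data = array_diff_key($data, array_flip($denied));
    }
    return $data;
}

// Constructed request payload: a user edits their profile, but the form
// post also carries an 'is_admin' column the user must never be able to set.
$submitted = ['name' => 'alice', 'email' => 'a@example.invalid', 'is_admin' => 1];

// Whitelist form: only the named columns survive.
$safe = applyFieldList($submitted, ['validate' => true, 'fieldList' => 'name, email']);
var_dump(array_key_exists('is_admin', $safe));

// Blacklist form: everything except the denied columns.
$alsoSafe = applyFieldList($submitted, ['fieldList' => '*', 'blackList' => ['is_admin']]);
var_dump(array_key_exists('is_admin', $alsoSafe));

// Old-style call with no fieldList at all now fails instead of writing is_admin.
try {
    applyFieldList($submitted, ['validate' => true]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```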