#6285: Sanitize::clean($this->data) breaks Security Component
--------------------------------------------+-------------------------------
    Reporter:  michaelc                     |         Type:  Bug
      Status:  new                          |     Priority:  Medium
   Milestone:  1.2.x.x                      |    Component:  Core Libs
     Version:  1.2 Final                    |     Severity:  Normal
    Keywords:  sanitize security clean all  |  Php_version:  n/a
Cake_version:  1.2.2.8120                   |
--------------------------------------------+-------------------------------

Introduction: I had this 'bright' idea to sanitize $this->data in the app_controller's beforeFilter. This invariably triggers a black hole callback - and I think I know why. After puttering around, I found this:

$this->data:
{{{
array ( '_Token' => array ( 'key' => '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' => '5fd113a53793345a4f70cc3380bc08faa31b53df%3An%3A2%3A%7Bv%3A0%3Bf%3A13%3A%22Pynffvsvrq.vq%22%3Bv%3A1%3Bf%3A10%3A%22Pbagnpg.vq%22%3B%7D', ), ...
}}}

$this->data = Sanitize::clean($this->data):
{{{
array ( '_Token' => array ( 'key' => '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' => '5fd113a53793345a4f70cc3380bc08faa31b53df%3An%3A2%3A%7Bv%3A0%3Bf%3A13%3A%22Pynffvsvrq.vq%22%3Bv%3A1%3Bf%3A10%3A%22Pbagnpg.vq%22%3B%7D', ), ...
}}}

See the difference? Me neither... But!
{{{
Error @ pos 147 DIFF:
cc3380bc08faa31b53df % 3An%3A2%3A%7Bv%3A0%3
cc3380bc08faa31b53df % 3An%3A2%
}}}
I've added spaces around the changed content - it was still identical in a visual scan until I added a red span around the bad character. Note the shorter length of the second string? Both go out to 20 chars after the error - but I only broke up the first escape sequence with a span - the rest display as %.

Problem: Sanitize::clean html entity encodes '%', which Sanitize requires to be unmodified in the string.

Solution? -- Sanitize clean ignores _Token, or perhaps Security component reverses the encoding process, or Security component uses something other than % as a pivot which Sanitize::html won't encode (preference).

{{{
$this->data = Sanitize::clean($this->data, array('encode'=>false));
}}}
is not the type of answer I'm looking for here - I'm suggesting that the Sanitization and the Security Component play nicely with the default configuration.

Alternate resolution: If Sanitizing all of $this->data is simply a bad idea - suggest that as your motivation for closing it, and toss in a thought or two about why. Some exist.
--
Ticket URL: <https://trac.cakephp.org/ticket/6285>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
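The script below is an added example, not code from the ticket or from CakePHP itself. It reproduces the symptom the reporter describes, '%' inside the _Token.fields value being turned into an HTML entity so the token no longer url-decodes, and shows one defensive workaround: sanitize the user-supplied part of $this->data and put the framework-generated _Token back untouched. The sanitizeHtmlLike() function is a stand-in that applies the '%' to '&#37;' rule the reporter observed (an assumption about Sanitize::html in 1.2) without loading the framework; the salt, key and token-building scheme are constructed for the example and are not the Security component's real implementation, only a payload in the same shape as the ticket's (url-encoded "hash:rot13(serialized field list)").

```php
<?php
// Added example (not from the ticket or CakePHP): shows why entity-encoding
// '%' inside _Token breaks token verification, and a workaround.

// Assumption: CakePHP 1.2's Sanitize::html() replaces '%' with '&#37;'
// along with the usual HTML metacharacters. This stand-in applies that
// rule recursively so the script runs without the framework.
function sanitizeHtmlLike($value) {
    if (is_array($value)) {
        return array_map('sanitizeHtmlLike', $value);
    }
    $patterns     = array('/&/', '/%/', '/</', '/>/', '/"/', "/'/");
    $replacements = array('&amp;', '&#37;', '&lt;', '&gt;', '&quot;', '&#39;');
    return preg_replace($patterns, $replacements, $value);
}

// Constructed token in the same shape as the ticket's _Token.fields value:
// urlencode("<sha1>:<rot13 of the serialized locked-field list>").
// EXAMPLE_SALT is a placeholder, not a real CakePHP secret.
define('EXAMPLE_SALT', 'placeholder-salt');

function buildFieldsToken(array $lockedFields) {
    $locked = str_rot13(serialize($lockedFields));
    $hash   = sha1(EXAMPLE_SALT . $locked);
    return urlencode($hash . ':' . $locked);
}

// The consuming side: reverse the encoding and check the hash. Returns the
// list of locked fields on success, or false when the token is damaged.
function verifyFieldsToken($fields) {
    $parts = explode(':', urldecode($fields), 2);
    if (count($parts) !== 2) {
        return false;                        // ':' was lost: no '%3A' survived
    }
    list($hash, $locked) = $parts;
    if ($hash !== sha1(EXAMPLE_SALT . $locked)) {
        return false;
    }
    $decoded = @unserialize(str_rot13($locked));
    return is_array($decoded) ? $decoded : false;
}

// Workaround: sanitize the user-supplied data but leave _Token exactly as
// it was, since it is framework-generated and must round-trip unchanged.
function sanitizeExceptToken(array $data) {
    $token = isset($data['_Token']) ? $data['_Token'] : null;
    unset($data['_Token']);
    $clean = sanitizeHtmlLike($data);
    if ($token !== null) {
        $clean['_Token'] = $token;
    }
    return $clean;
}

$data = array(
    '_Token' => array(
        'key'    => 'placeholder-key',       // placeholder, not a real key
        'fields' => buildFieldsToken(array('Classified.id', 'Contact.id')),
    ),
    'Classified' => array('title' => 'Sofa <b>for</b> sale, 50% off'),
);

$naive = sanitizeHtmlLike($data);            // what Sanitize::clean($this->data) does
$safe  = sanitizeExceptToken($data);         // the workaround

var_dump(verifyFieldsToken($data['_Token']['fields']));    // the untouched token
var_dump(verifyFieldsToken($naive['_Token']['fields']));   // after whole-array sanitizing
var_dump(verifyFieldsToken($safe['_Token']['fields']));    // after the workaround
echo $safe['Classified']['title'], "\n";                   // user data still encoded
```

Running it shows the untouched and workaround tokens decoding to the locked-field list while the naively sanitized one fails at the first step: every '%3A' became '&#37;3A', so urldecode() restores no ':' and the token cannot even be split. The workaround keeps the reporter's default-configuration goal for the user-supplied keys while treating _Token as opaque framework state that should never pass through output encoding.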