#6285: Sanitize::clean($this->data) breaks Security Component
--------------------------------------------+-------------------------------
    Reporter:  michaelc                     |          Type:  Bug      
      Status:  new                          |      Priority:  Medium   
   Milestone:  1.2.x.x                      |     Component:  Core Libs
     Version:  1.2 Final                    |      Severity:  Normal   
    Keywords:  sanitize security clean all  |   Php_version:  n/a      
Cake_version:  1.2.2.8120                   |  
--------------------------------------------+-------------------------------
 Introduction: I had this 'bright' idea to sanitize $this->data in the
 app_controller's beforeFilter.  This invariably triggers a black hole
 callback - and I think I know why.  After puttering around, I found this:


 $this->data:
 {{{
 array ( '_Token' => array ( 'key' => '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' =>
 '5fd113a53793345a4f70cc3380bc08faa31b53df%3An%3A2%3A%7Bv%3A0%3Bf%3A13%3A%22Pynffvsvrq.vq%22%3Bv%3A1%3Bf%3A10%3A%22Pbagnpg.vq%22%3B%7D',
 ), ...
 }}}

 $this->data = Sanitize::clean($this->data):
 {{{
 array ( '_Token' => array ( 'key' => '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc', 'fields' =>
 '5fd113a53793345a4f70cc3380bc08faa31b53df%3An%3A2%3A%7Bv%3A0%3Bf%3A13%3A%22Pynffvsvrq.vq%22%3Bv%3A1%3Bf%3A10%3A%22Pbagnpg.vq%22%3B%7D',
 ), ...
 }}}


 See the difference?  Me neither...  But!
 {{{
 Error @ pos 147 DIFF:
 cc3380bc08faa31b53df % 3An%3A2%3A%7Bv%3A0%3
 cc3380bc08faa31b53df % 3An%3A2%
 }}}

 I've added spaces around the changed content - it was still identical in a
 visual scan until I added a red span around the bad character.  Note the
 shorter length of the second string?  Both go out to 20 chars after the
 error - but I only broke up the first escape sequence with a span - the
 rest display as %.


 Problem:
 Sanitize::clean HTML-entity-encodes '%', which Sanitize requires to be
 unmodified in the string.



 Solution?  -- Sanitize::clean ignores _Token, or perhaps the Security
 component reverses the encoding process, or the Security component uses
 something other than % as a pivot which Sanitize::html won't encode
 (preference).


 {{{
 $this->data = Sanitize::clean($this->data, array('encode' => false));
 }}}
 is not the type of answer I'm looking for here - I'm suggesting that the
 Sanitization and the Security Component play nicely with the default
 configuration.


 Alternate resolution: If sanitizing all of $this->data is simply a bad
 idea - suggest that as your motivation for closing it, and toss in a
 thought or two about why.  Some exist.

-- 
Ticket URL: <https://trac.cakephp.org/ticket/6285>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
Cake is a rapid development framework for PHP which uses commonly known design 
patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. 
Our primary goal is to provide a structured framework that enables PHP users at 
all levels to rapidly develop robust web applications, without any loss to 
flexibility.
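The following is an added example written for this page; it is not code from the ticket or from CakePHP itself, and it does not load the framework. It takes the `_Token.fields` value exactly as posted above, models the reported `%` to `&#37;` rewrite with a stand-in function (`entityEncodePercent`, an assumption based on the reporter's description, not a copy of `Sanitize::html`), decodes the token the way a Security-component-style check would (`decodeFieldsToken`, a simplified stand-in that checks the hash's shape but does not recompute it, since that needs the app's `Security.salt`), and shows the "ignore `_Token`" option from the ticket as `sanitizeExceptToken`. The `$post` array is a constructed sample.

```php
<?php
// Added example, not code from the ticket or from CakePHP. Runs stand-alone
// with php-cli (5.3+). It models only the behaviour the ticket describes.

// The 'fields' value exactly as posted in the ticket: URL-encoded
// "<sha1 hash>:<rot13 of the serialized locked-field list>".
$ticketFields = '5fd113a53793345a4f70cc3380bc08faa31b53df%3An%3A2%3A%7Bv%3A0%3B'
              . 'f%3A13%3A%22Pynffvsvrq.vq%22%3Bv%3A1%3Bf%3A10%3A%22Pbagnpg.vq%22%3B%7D';

// Stand-in for the '%' rule the reporter describes: '%' becomes '&#37;'.
// Assumption for this example, not a copy of Sanitize::html().
function entityEncodePercent($s) {
    return str_replace('%', '&#37;', $s);
}

// Decode the token the way a Security-component-style check would: urldecode,
// split "hash:payload" on the first ':', un-rot13 the payload, unserialize the
// locked-field list. Returns null when the token cannot be decoded, which is
// the situation that ends in the blackhole callback. Recomputing the hash
// needs the application's Security.salt, so only its shape is checked here.
function decodeFieldsToken($token) {
    $decoded = urldecode($token);
    if (strpos($decoded, ':') === false) {
        return null;                       // separator lost -> cannot validate
    }
    list($hash, $locked) = explode(':', $decoded, 2);
    if (!preg_match('/^[0-9a-f]{40}$/', $hash)) {
        return null;
    }
    $fields = @unserialize(str_rot13($locked));
    return is_array($fields) ? array('hash' => $hash, 'fields' => $fields) : null;
}

// Apply $sanitizer (any callable that rewrites one string) to every string in
// $value, recursing into arrays. Keys are preserved.
function sanitizeValue($value, $sanitizer) {
    if (is_array($value)) {
        return array_map(function ($v) use ($sanitizer) {
            return sanitizeValue($v, $sanitizer);
        }, $value);
    }
    return is_string($value) ? call_user_func($sanitizer, $value) : $value;
}

// The "Sanitize::clean ignores _Token" option from the ticket: sanitize
// everything except the top-level _Token subtree.
function sanitizeExceptToken(array $data, $sanitizer) {
    $out = array();
    foreach ($data as $key => $value) {
        if ($key === '_Token') {
            $out[$key] = $value;           // integrity token must stay byte-identical
        } else {
            $out[$key] = sanitizeValue($value, $sanitizer);
        }
    }
    return $out;
}

// Constructed sample POST: the ticket's _Token plus one model record.
$post = array(
    '_Token' => array(
        'key'    => '78399c8d84d7465a6e9b357b1738b8a2c7d7c8dc',
        'fields' => $ticketFields,
    ),
    'Classified' => array('id' => '7', 'title' => '50% off, today only'),
);

// 1. Sanitizing everything, as in the ticket: every '%' inside the token is
//    rewritten, urldecode() no longer yields the ':' separator, decode fails.
$naive = sanitizeValue($post, 'entityEncodePercent');
var_dump(decodeFieldsToken($naive['_Token']['fields']) === null);   // bool(true)

// 2. Skipping _Token: the token decodes to its hash and locked fields
//    ("Classified.id", "Contact.id") while the user-supplied title is encoded.
$safe = sanitizeExceptToken($post, 'entityEncodePercent');
print_r(decodeFieldsToken($safe['_Token']['fields']));
echo $safe['Classified']['title'], "\n";    // 50&#37; off, today only
```

In a CakePHP 1.2 request the Security component's startup() (where the POST is validated and blackhole() fires) runs after AppController::beforeFilter(), so whatever beforeFilter leaves in `$this->data['_Token']` is what gets checked; leaving that subtree byte-identical is the whole point of the wrapper. Note that un-rot13-ing the posted payload shows the locked fields are `Classified.id` and `Contact.id`, so a sanitizer that rewrote those values would also be a problem even with `_Token` untouched; the stand-in here changes only `%`.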