# |
Jun 30th 2019, 09:22 |
ra7bi |
Yes, he needs a very deep filtering system, but he will also be at risk |
# |
Jun 30th 2019, 09:20 |
challgren |
You saw the code he posted, right? He’s evaling unsanitized code. Major, major security risk; phpMyAdmin and vBulletin have all had eval-related security issues |
# |
Jun 30th 2019, 09:18 |
ra7bi |
Sometimes he needs eval in a hook system, but Cake already has a plugin system |
# |
Jun 30th 2019, 09:14 |
challgren |
“If eval() is the answer, you’re almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP” |
# |
Jun 30th 2019, 09:12 |
challgren |
@ra7bi I believe you can use $this->viewBuilder()->setOptions([]) |
# |
Jun 30th 2019, 09:11 |
challgren |
@wgon0001 are you nuts??? Eval is very very dangerous |
# |
Jun 30th 2019, 08:51 |
ra7bi |
Can I override the CakePdf `Engine` `TcpdfEngine.php` configuration in my controller? I need to set more values and more options for `Tcpd Engine` |
# |
Jun 30th 2019, 08:49 |
ra7bi |
@wgon0001 Why not disable the eval function? |
# |
Jun 30th 2019, 07:44 |
savant |
Feel free to pm me |
# |
Jun 30th 2019, 07:44 |
savant |
@chrisshick happy to discuss this (I run infra for cakephp and also have done so for a much larger e-commerce org and currently a heroku-like org) |
# |
Jun 30th 2019, 04:50 |
wgon0001 |
Can I prevent the evil code from ‘Chinese chopper’, such as `<?php @eval($_POST[value]);?>`, by using a validator that applies rules to the input boxes? |
# |
Jun 30th 2019, 04:47 |
bgrinter |
I've run through the v3 tutorial and also done a test upgrade of v2 to v3 for the sample blog app, but now I'm looking to do it for real and looking for advice |
# |
Jun 30th 2019, 04:46 |
bgrinter |
Do I install using Composer in a new directory and copy the existing controller / model / views over? Do I set up to use Composer on v2 first and update instead? |
# |
Jun 30th 2019, 04:45 |
bgrinter |
I have a CakePHP 2.x app that I'm looking to update to v3. The v2 app doesn't use Composer, so I'm wondering the best / correct path to take. |
# |
Jun 30th 2019, 03:00 |
challgren |
CakePHP 4.0.0-beta1 released! https://github.com/cakephp/cakephp/releases/tag/4.0.0-beta1 |
# |
Jun 30th 2019, 02:42 |
chrisshick |
@savant |
# |
Jun 30th 2019, 02:36 |
chrisshick |
Now I’m curious, why do you think that? |
# |
Jun 30th 2019, 02:35 |
savant |
Most anything else in the deployment space is going the wrong way imo |
# |
Jun 30th 2019, 02:35 |
savant |
Use Kubernetes or something similar @chrisshick |
# |
Jun 30th 2019, 01:30 |
slackebot |
changes the symlink accordingly. |
# |
Jun 30th 2019, 01:30 |
chrisshick |
Hosting wise: I am currently using a private cloud provider. Security wise, they have everything locked down pretty hardcore. I would like to avoid having to make firewall changes and make SSH accounts. I was envisioning a master server that holds all the builds. An API that the agents use to pull the latest build version. If it is different, then it gets the build via the API, places it in the folder labeled for that version, and then |
# |
Jun 30th 2019, 01:25 |
chrisshick |
@savant I mean it to be a little more secure due to the nature of opening firewall ports and setting up SSH accounts. Albeit those concerns can be addressed pretty simply. The scalability concern I feel is well addressed with Puppet for the nodes. |
# |
Jun 29th 2019, 20:43 |
savant |
regardless, is there a specific hosting setup you’re thinking about? |
# |
Jun 29th 2019, 20:43 |
savant |
@chrisshick pull based isn’t inherently more secure, and at scale, you need to start thinking about how to scale those lovely command and conquer nodes |
# |
Jun 29th 2019, 18:47 |
ndm |
you're welcome |
# |
Jun 29th 2019, 18:46 |
st.steinkuehler |
Thank you very much |
# |
Jun 29th 2019, 18:46 |
slackebot |
```
    ->add($authentication);

return $middleware;
```
# |
Jun 29th 2019, 18:46 |
st.steinkuehler |
```
$middleware
    // Catch any exceptions in the lower layers,
    // and make an error page/response
    ->add(ErrorHandlerMiddleware::class)
    // Handle plugin/theme assets like CakePHP normally does.
    ->add(AssetMiddleware::class)
    // Apply routing
    ->add(RoutingMiddleware::class)
    ->add(new LocaleSelectorMiddleware(['de','en']))
```
# |
Jun 29th 2019, 18:45 |
st.steinkuehler |
the `add` is made at the end of the middleware queue before the routing |
# |
Jun 29th 2019, 18:44 |
st.steinkuehler |
> Currently however your `Router::url()` call happens before the routing middleware is being invoked, |
# |
Jun 29th 2019, 18:44 |
st.steinkuehler |
@ndm Wow! That works immediately without problems |
# |
Jun 29th 2019, 18:35 |
slackebot |
```php
            Router::url('/administrators/login'),
        'queryParam' => 'redirect',
    ]);
    return $middleware($request, $response, $next);
};

$middlewareQueue
    // ...
    ->add($authentication);
```
That way you'd also avoid "breaking" the routing middleware's caching functionality.
# |
Jun 29th 2019, 18:35 |
slackebot |
generated URLs. What you could do, for example, is wrap the authorization middleware construction into a custom/callback middleware, so that the code is invoked after the routing middleware, like this:
```php
$authentication = function (\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, callable $next) {
    $middleware = new AuthenticationMiddleware($this, [
        'unauthenticatedRedirect' =>
```
# |
Jun 29th 2019, 18:35 |
ndm |
@st.steinkuehler You'd have to use `Router::url()` calls for both URLs. Currently, however, your `Router::url()` call happens before the routing middleware is being invoked, which is where the router context is fed with the current request object, from which the router can obtain the possible base path value. Without that request context the router falls back to the `App.base` config value, which is empty in your case, hence there's no base in the |
# |
Jun 29th 2019, 16:57 |
slackebot |
```
$service->loadAuthenticator('Authentication.Session');
$service->loadAuthenticator('Authentication.Form', [
    'fields' => $fields,
    'loginUrl' => '/administrators/login'
]);
```
Adding `/myapp/` to both URLs works, but in production there will be no `/myapp/`. I would expect it to be auto detected. Can someone give me a tip on what I'm doing wrong?
# |
Jun 29th 2019, 16:57 |
slackebot |
Middleware redirects to the URL without the `myapp` and the browser gets an error from the webserver. Changing it to `Router::url('/myapp/administrators/login')` works, but the authentication does not work with the error: `Login URL http://192.168.0.2/administrators/login?redirect=http%3A%2F%2F192.168.0.2%2Fmyapp%2Fdashboards%2F did not match /administrators/login` I guess because of this:
```
// Load the authenticators, you want session first
```
# |
Jun 29th 2019, 16:57 |
st.steinkuehler |
Still trying the "newer" Authentication Plugin: My app runs in the browser under `/myapp/` and the base directory in `config/app.php` is set to `App => base => false` (auto detected). No problems with generating URLs by Cake so far. But now with this
```
$authentication = new AuthenticationMiddleware($this, [
    'unauthenticatedRedirect' => Router::url('/administrators/login'),
    'queryParam' => 'redirect',
]);
```
the Authentication
# |
Jun 29th 2019, 16:33 |
martin |
https://github.com/uafrica/oauth-server is sadly outdated :( |
# |
Jun 29th 2019, 16:33 |
martin |
but should be nice if there was a default thing to do it :P |
# |
Jun 29th 2019, 16:33 |
martin |
Well, it is not authentication |
# |
Jun 29th 2019, 16:33 |
martin |
Why is OAuth 2 not a default authentication in CakePHP? |