| # |
Jun 30th 2019, 15:06 |
 martin |
In composer.json namespace is correct |
| # |
Jun 30th 2019, 15:06 |
martin |
Can't I create plugins in namespace "Company/Pluginname" ? I'm fighting with routes naar controller inside plugin, but it says it can not find it. But it is there :S |
| # |
Jun 30th 2019, 14:37 |
slackebot |
permissions anywhere by using the identity stored in the request." is the right way? Do I need a Policy for a action based check? Can someone give me further informations? Which articles in which order should I read and understand. I would like to understand the overall context of the "parts" involved in authorization. Thank you. |
| # |
Jun 30th 2019, 14:37 |
st.steinkuehler |
Today I try the Authorization Plugin and I have some issues or missunderstandings on my side: I want to have an action based authorization as before with the old Auth-Component. How do I do this with the Plugin? I set up the middleware as described in the "Quickstart". I guess the "Policies" stuff is not what I want because "You can create policies for any class in your application". or? So it seems that this "You can check |
| # |
Jun 30th 2019, 14:36 |
akimov.dev |
Hello! Help me please, how can I get json body of request in beforePaginate method? |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
any suggestion ? |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
i am trying to save user id.. when i am sending user id = 0 then its not saving but when sending user_id = 1 then it is saving.. |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
hi there.. |
| # |
Jun 30th 2019, 12:20 |
ndm |
@st.steinkuehler A custom finder maybe. Really depends on at which point the data you want to set is available, and under which circumstances it has to be set. |
| # |
Jun 30th 2019, 11:38 |
st.steinkuehler |
Is there a simpler, more direct way to change a field for the logged in user, like this? ``` $userData = $this->Authentication->getIdentity()->getOriginalData(); $userData['assignnewpwd'] = false; $updatedIdentity = new Identity($userData); $this->Authentication->setIdentity($updatedIdentity); ``` |
| # |
Jun 30th 2019, 11:35 |
challgren |
Your entities and validation rules will prevent bad data from being inserted |
| # |
Jun 30th 2019, 11:34 |
challgren |
Use the orm and request objects, never use $_POST with cake |
| # |
Jun 30th 2019, 11:33 |
wgon0001 |
Thanks for help. I will try it out. |
| # |
Jun 30th 2019, 11:23 |
challgren |
But simple way to prevent it from being inserted at all is to create a Custom Rule Object so you can reuse it. |
| # |
Jun 30th 2019, 11:22 |
slackebot |
write the contents to a PHP file and execute it, or have it written to a place where an external attacker could execute it. |
| # |
Jun 30th 2019, 11:22 |
ndm |
@wgon0001 Obfuscation via ROT13 or Base64, I haven't seen that in years. Generally you need to first properly assess a threat, just adding "security stuff" will most likely fail if you don't know how a possible attack works. As @challgren said, that code snippet alone is no threat. Ask yourself, how could someone exploit ROT13 obfuscated PHP that's embedded in a database record? Your application would have to un-ROT13 it, and either eval it, or |
| # |
Jun 30th 2019, 11:16 |
challgren |
Plus if you did get `<?php @eval($_POST[value]);?>` inserted into your database. It wouldn’t run |
| # |
Jun 30th 2019, 11:14 |
challgren |
And then if you wanted to you can write your own rule to look for that string https://book.cakephp.org/3.0/en/orm/validation.html#creating-custom-re-usable-rules |
| # |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#merging-request-data-into-entities |
| # |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#converting-request-data-into-entities |
| # |
Jun 30th 2019, 11:04 |
challgren |
https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention |
| # |
Jun 30th 2019, 10:59 |
challgren |
By using the `$_POST` you aren’t even allowing cake to sanitize the input |
| # |
Jun 30th 2019, 10:57 |
challgren |
You know CakePHP has SLQ injection built in if used correctly |
| # |
Jun 30th 2019, 10:55 |
wgon0001 |
There are many articles and some attacker’s write-ups saying how they doing this. And I tried on yesterday it did works on my build with Cake 3.7 |
| # |
Jun 30th 2019, 10:53 |
slackebot |
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
| # |
Jun 30th 2019, 10:53 |
wgon0001 |
@challgren I am trying to prevent that statement been injected to database, common happens when user fill out register from. That link gives you an overview and analysis of how it could harm to php site. And now they are using such as ROT13 or base64 encrypted script to do the same things. And I am trying to build a input filter to prevent this. |
| # |
Jun 30th 2019, 10:34 |
ra7bi |
@ndm Thanks will check it out |
| # |
Jun 30th 2019, 10:31 |
challgren |
I'm not trying to be a dick or anything just trying to understand why you need to use eval |
| # |
Jun 30th 2019, 10:30 |
challgren |
@wgon0001 what exactly are you trying to accomplish with the eval? Let's look at your use case from a architecture view |
| # |
Jun 30th 2019, 10:29 |
ra7bi |
you can detect `eval` code but not prevent completely , the firewall can detect eval call but sometime can play around it |
| # |
Jun 30th 2019, 10:28 |
wgon0001 |
Cheers, that’s what I looking for, I will try it out. |
| # |
Jun 30th 2019, 10:28 |
ra7bi |
so you should be very carefully |
| # |
Jun 30th 2019, 10:28 |
ra7bi |
there is no traditional way , if you prevent `@eval($_POST['value']);` i would use `@eval(base64_decode(base64_decode($_POST['value'])));` |
| # |
Jun 30th 2019, 10:25 |
challgren |
What exactly are you evaling and expecting? |
| # |
Jun 30th 2019, 10:24 |
wgon0001 |
@ra7bi That’s what I want to prevent for attacker’s malware input, is there any functions that I can use in Cake or I have to write it in traditional PHP ways to detect and prevent it? |
| # |
Jun 30th 2019, 10:17 |
slackebot |
required though, you can use a fully qualifified name in the config and it will work just fine. |
| # |
Jun 30th 2019, 10:17 |
ndm |
@ra7bi You can put the file anywhere as long as it's autoloadable, CakePDF doesn't _enforce_ any conventions, but _uses_ the standard CakePHP ones in order to support short classnames (see for example https://book.cakephp.org/3.0/en/core-libraries/logging.html#logging-configuration). In order for the latter to work, you'd put it in `src/Pdf/Engine/`, and use a class/filename that ends with `Engine` (just like the built in ones do). It's not |
| # |
Jun 30th 2019, 09:39 |
challgren |
Ahh ok |
| # |
Jun 30th 2019, 09:38 |
ra7bi |
i preferred TCPDF , coz i know how to work with it much better and it support Arabic |
| # |
Jun 30th 2019, 09:38 |
challgren |
I know that engine seems much more complete in CakePdf |
| # |
Jun 30th 2019, 09:37 |
challgren |
Have you looked into wkHtmlToPdf |