| # |
Jun 30th 2019, 16:52 |
 martin |
hmm trying to make the oauth 2 server plugin working in cakephp 3.7 is to much work. I wanted to simple use a plugin to make oauth2 on an api project, Nobody uses oauth2 anymore in cake? |
| # |
Jun 30th 2019, 15:24 |
martin |
oh now it works :) |
| # |
Jun 30th 2019, 15:19 |
martin |
I hate errors like that |
| # |
Jun 30th 2019, 15:18 |
martin |
hmm now I have an "An Internal Server Error Occurred" |
| # |
Jun 30th 2019, 15:13 |
martin |
Maybe I just need to remove the companyname from the namespace? :S |
| # |
Jun 30th 2019, 15:11 |
martin |
but I don't see namespace? |
| # |
Jun 30th 2019, 15:11 |
martin |
```| pluginname._controller:index | /Pluginname/:controller | {"action":"index","plugin":"pluginname"} ``` |
| # |
Jun 30th 2019, 15:09 |
admad |
use the routes shell to see the routes connected |
| # |
Jun 30th 2019, 15:07 |
martin |
IT says I need to create file, and set the namepace to Pluginname/ |
| # |
Jun 30th 2019, 15:06 |
martin |
also dumped the autoload |
| # |
Jun 30th 2019, 15:06 |
martin |
In composer.json namespace is correct |
| # |
Jun 30th 2019, 15:06 |
martin |
Can't I create plugins in namespace "Company/Pluginname" ? I'm fighting with routes naar controller inside plugin, but it says it can not find it. But it is there :S |
| # |
Jun 30th 2019, 14:37 |
slackebot |
permissions anywhere by using the identity stored in the request." is the right way? Do I need a Policy for a action based check? Can someone give me further informations? Which articles in which order should I read and understand. I would like to understand the overall context of the "parts" involved in authorization. Thank you. |
| # |
Jun 30th 2019, 14:37 |
st.steinkuehler |
Today I try the Authorization Plugin and I have some issues or missunderstandings on my side: I want to have an action based authorization as before with the old Auth-Component. How do I do this with the Plugin? I set up the middleware as described in the "Quickstart". I guess the "Policies" stuff is not what I want because "You can create policies for any class in your application". or? So it seems that this "You can check |
| # |
Jun 30th 2019, 14:36 |
akimov.dev |
Hello! Help me please, how can I get json body of request in beforePaginate method? |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
any suggestion ? |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
i am trying to save user id.. when i am sending user id = 0 then its not saving but when sending user_id = 1 then it is saving.. |
| # |
Jun 30th 2019, 12:29 |
snake-venom |
hi there.. |
| # |
Jun 30th 2019, 12:20 |
ndm |
@st.steinkuehler A custom finder maybe. Really depends on at which point the data you want to set is available, and under which circumstances it has to be set. |
| # |
Jun 30th 2019, 11:38 |
st.steinkuehler |
Is there a simpler, more direct way to change a field for the logged in user, like this? ``` $userData = $this->Authentication->getIdentity()->getOriginalData(); $userData['assignnewpwd'] = false; $updatedIdentity = new Identity($userData); $this->Authentication->setIdentity($updatedIdentity); ``` |
| # |
Jun 30th 2019, 11:35 |
challgren |
Your entities and validation rules will prevent bad data from being inserted |
| # |
Jun 30th 2019, 11:34 |
challgren |
Use the orm and request objects, never use $_POST with cake |
| # |
Jun 30th 2019, 11:33 |
wgon0001 |
Thanks for help. I will try it out. |
| # |
Jun 30th 2019, 11:23 |
challgren |
But simple way to prevent it from being inserted at all is to create a Custom Rule Object so you can reuse it. |
| # |
Jun 30th 2019, 11:22 |
slackebot |
write the contents to a PHP file and execute it, or have it written to a place where an external attacker could execute it. |
| # |
Jun 30th 2019, 11:22 |
ndm |
@wgon0001 Obfuscation via ROT13 or Base64, I haven't seen that in years. Generally you need to first properly assess a threat, just adding "security stuff" will most likely fail if you don't know how a possible attack works. As @challgren said, that code snippet alone is no threat. Ask yourself, how could someone exploit ROT13 obfuscated PHP that's embedded in a database record? Your application would have to un-ROT13 it, and either eval it, or |
| # |
Jun 30th 2019, 11:16 |
challgren |
Plus if you did get `<?php @eval($_POST[value]);?>` inserted into your database. It wouldn’t run |
| # |
Jun 30th 2019, 11:14 |
challgren |
And then if you wanted to you can write your own rule to look for that string https://book.cakephp.org/3.0/en/orm/validation.html#creating-custom-re-usable-rules |
| # |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#merging-request-data-into-entities |
| # |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#converting-request-data-into-entities |
| # |
Jun 30th 2019, 11:04 |
challgren |
https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention |
| # |
Jun 30th 2019, 10:59 |
challgren |
By using the `$_POST` you aren’t even allowing cake to sanitize the input |
| # |
Jun 30th 2019, 10:57 |
challgren |
You know CakePHP has SLQ injection built in if used correctly |
| # |
Jun 30th 2019, 10:55 |
wgon0001 |
There are many articles and some attacker’s write-ups saying how they doing this. And I tried on yesterday it did works on my build with Cake 3.7 |
| # |
Jun 30th 2019, 10:53 |
slackebot |
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
| # |
Jun 30th 2019, 10:53 |
wgon0001 |
@challgren I am trying to prevent that statement been injected to database, common happens when user fill out register from. That link gives you an overview and analysis of how it could harm to php site. And now they are using such as ROT13 or base64 encrypted script to do the same things. And I am trying to build a input filter to prevent this. |
| # |
Jun 30th 2019, 10:34 |
ra7bi |
@ndm Thanks will check it out |
| # |
Jun 30th 2019, 10:31 |
challgren |
I'm not trying to be a dick or anything just trying to understand why you need to use eval |
| # |
Jun 30th 2019, 10:30 |
challgren |
@wgon0001 what exactly are you trying to accomplish with the eval? Let's look at your use case from a architecture view |
| # |
Jun 30th 2019, 10:29 |
ra7bi |
you can detect `eval` code but not prevent completely , the firewall can detect eval call but sometime can play around it |
| # |
Jun 30th 2019, 10:28 |
wgon0001 |
Cheers, that’s what I looking for, I will try it out. |