Log message #4220362

# At Username Text
# Dec 28th 2019, 23:31 challgren Bah stupid DNS cache
# Dec 28th 2019, 23:30 challgren can anyone tell me what the ip address for truepedigree.com comes back as for them?
# Dec 28th 2019, 22:13 dsar I would make it optional for mission critical forms such as payment ones, for example 'extraSecurity' => true
# Dec 28th 2019, 22:12 dsar As markstory said, it is not easy to support this since we need a persistent place to store all the action urls for the hash later
# Dec 28th 2019, 22:07 admad Like I said you have 2 options: either implement your own form tampering mechanism or submit a patch to address the issue.
# Dec 28th 2019, 22:06 dsar Also I didn't want to compare, just to share an issue while porting an application
# Dec 28th 2019, 22:04 dsar I didn't mean that, however I don't think others are so naive
# Dec 28th 2019, 22:02 admad "X" doesn't do this so CakePHP shouldn't either isn't a very good argument
# Dec 28th 2019, 22:01 dsar However, I bumped into this problem while porting a Symfony application where a big complex form was split into multiple actions for multiple submits. Symfony also has form security stuff, but it doesn't include the url of the form in the hash (and neither does Zend, but I haven't used it for a long time)
# Dec 28th 2019, 21:59 dsar Well, not many people are aware of new html5 features :)
# Dec 28th 2019, 21:58 admad and no one did anything about it for 2 years. Are you willing to submit a patch to address it?
# Dec 28th 2019, 21:57 dsar It is about the new formaction attribute
# Dec 28th 2019, 21:57 dsar The issue is already here: https://github.com/cakephp/cakephp/issues/11427
# Dec 28th 2019, 21:57 admad or you can open an issue to see if making the inclusion of form url in the hash optional is acceptable and if so provide a patch to implement it
# Dec 28th 2019, 21:54 admad if a feature doesn't suit your needs supplant it with your own implementation. Just because you don't consider something a class of abuse doesn't mean others don't
# Dec 28th 2019, 21:52 dsar @admad I don't understand, a sort of provocation?
# Dec 28th 2019, 21:48 admad so implement your own form tampering prevention :)
# Dec 28th 2019, 21:48 dsar https://www.w3schools.com/tags/att_button_formaction.asp
# Dec 28th 2019, 21:47 dsar Plus, this kind of prevention limits the use of the new formaction attribute of html5
# Dec 28th 2019, 21:47 dsar I don't consider this a "class of abuse" but a very uncommon kind of attack
# Dec 28th 2019, 21:44 challgren if it's the same controller with different prefixes
# Dec 28th 2019, 21:44 challgren And 99% of the time they will
# Dec 28th 2019, 21:44 dsar Those two forms must have the same fields to work
# Dec 28th 2019, 21:43 challgren Someone changing the action url to submit the form elsewhere. Aka /entity/edit to /admin/entity/edit
# Dec 28th 2019, 21:34 dsar @admad I see, however hashing form fields is already a strong fingerprint, what class of abuses does this countermeasure prevent?
# Dec 28th 2019, 21:24 admad @dsar https://github.com/cakephp/cakephp/commit/f23d811ff59c50ef278e98bb75f4ec1e7e54a5b3
# Dec 28th 2019, 19:48 dsar Other frameworks also have security-related measures against form tampering, but CakePHP is the only one that took this into consideration (and it is rather limiting for both ajax and the new formaction attribute for submit buttons)
# Dec 28th 2019, 19:46 dsar Could someone explain to me why the action url is included in the hash generated by the FormProtection component?
# Dec 28th 2019, 11:46 challgren @ashesh.social I updated the docs at https://github.com/narendravaghela/cakephp-mailgun/tree/master/docs hopefully this helps
# Dec 28th 2019, 04:09 challgren It also should be `$this->getMailer('ContactUs')->send('contactUs', [$entity]);`
# Dec 28th 2019, 01:07 challgren @ashesh.social you need a meeting in your mailer
# Dec 27th 2019, 23:24 dereuromark Looks like I finished upgrading the next plugin, https://github.com/dereuromark/cakephp-test-helper for 4.x
# Dec 27th 2019, 23:23 dereuromark jep, the other one doesn't work :)
# Dec 27th 2019, 23:12 jimbo2150 The deprecation note indicated to use parseRequest: `$url = Router::parseRequest( new Cake\Http\ServerRequest($url) );` ( https://github.com/cakephp/docs/issues/5595#issuecomment-445815915 ). It probably should have noted that RouteCollection has a parse method.
# Dec 27th 2019, 23:02 dereuromark Ah, looks like `$params = Router::getRouteCollection()->parse($url);` works
# Dec 27th 2019, 22:50 dereuromark Does anyone know what `$url = Router::parse($url);` in 4.x is now? To get a parsed URL with the array params etc.
# Dec 27th 2019, 22:43 ashesh.social while calling `$this->getMailer('ContactUs')->send('contactUs', $entity);` getting the error ```Error: [TypeError] Argument 1 passed to Cake\Mailer\Message::validateEmail() must be of the type string, null given, called in /usr/local/cake-app/vendor/cakephp/cakephp/src/Mailer/Message.php```
# Dec 27th 2019, 22:41 ashesh.social working on the above process only @challgren
# Dec 27th 2019, 21:50 challgren Second code block
# Dec 27th 2019, 21:50 challgren https://book.cakephp.org/4/en/core-libraries/email.html#creating-reusable-emails
# Dec 27th 2019, 21:49 challgren `use MailerAwareTrait;` then `$this->getMailer('ContactUs')->send('contactUs', $entity);`