# |
Jun 21st 2021, 13:59 |
a.vanniel |
@ndm really? because I manually changed redirect for the Authentication middleware plugin in the login page and after logging in, i was redirected to the google search engine landing page... Also, I am looking to do this in a place somewhere other than login ... it was just an example ... not meant to say there is a bug or security hole in there... I just was trying to figure out if and how that middleware handles external illegal urls.
# |
Jun 21st 2021, 13:56 |
ndm |
Sorry, meant to tag @a.vanniel
# |
Jun 21st 2021, 13:55 |
ndm |
@alexdd55976 Use the authentication component, `getLoginRedirect()` will only return relative URLs, if someone crams in an absolute URL (internal or external), you'd receive `null`. |
# |
Jun 21st 2021, 13:07 |
a.vanniel |
for now I did what you suggested regarding the host by the way... checking if the host in the redirect url (full) matches the current host... if not, it most likely isn't internal |
# |
Jun 21st 2021, 13:06 |
a.vanniel |
It would be great to have an isInternal method inside Router... I don't think many people actually need this though.. I will open an issue on github. see where it goes. good luck on your 2nd shot... I need to wait until 12th of July for the 2nd one.
# |
Jun 21st 2021, 13:01 |
kevin.pfeifer |
I would suggest you create an issue in the cakephp/cakephp repo. I don't know it/can't check right now since I'm on my way to get my 2nd vaccine shot :) Or someone else can answer that ^^
# |
Jun 21st 2021, 12:22 |
a.vanniel |
What I don't really get, but there might be some logic to this, is why the Google website counts as an existing route?
# |
Jun 21st 2021, 12:17 |
a.vanniel |
would normalize be able to help me out here? |
# |
Jun 21st 2021, 12:16 |
a.vanniel |
it's not that I would want this to be added to the middleware per se... it was more of a thing that I am using similar logic (redirect param) and after doing the thing, redirect the user to the redirect param and when I looked at the Authentication middleware I did not see any security in place to prevent someone/something from redirecting someone to something externally after a login... I am doing this after a payment and I would like to prevent manipulation of the redirect param so that someone is not redirected anywhere externally after payment is done and after a user is coming back... the url is stored in the database for several reasons, one of which is because the payment provider is a pain in the behind about return urls.
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
we could make that a configurable option |
# |
Jun 21st 2021, 12:11 |
kevin.pfeifer |
then that would have to be added to this function i guess https://github.com/cakephp/authentication/blob/de989c759937406f514a5a31313b36578005b07c/src/AuthenticationService.php#L360 |
# |
Jun 21st 2021, 12:09 |
a.vanniel |
maybe I am just making things more complex than need be but it feels like a security hole in the location I have this ?redirect= param...
# |
Jun 21st 2021, 12:08 |
a.vanniel |
but that is when a user is about to or just has been redirected, right? |
# |
Jun 21st 2021, 12:07 |
kevin.pfeifer |
you could use https://github.com/cakephp/cakephp/blob/master/src/Routing/Router.php#L225 and catch the MissingRouteException |
# |
Jun 21st 2021, 12:07 |
a.vanniel |
alright... thing is that with the Authentication middleware, relative redirects are used, to make sure the param does not get too large I guess... |
# |
Jun 21st 2021, 12:06 |
a.vanniel |
I thought I'd take a look at Router::routeExists() but that actually returns true for external URLs. ... |
# |
Jun 21st 2021, 12:06 |
kevin.pfeifer |
to be fair, all the redirect param logic I know always uses absolute urls |
# |
Jun 21st 2021, 12:04 |
kevin.pfeifer |
well if you force your redirect param to be absolute all the time then you can check that pretty easily with a parse_url
# |
Jun 21st 2021, 11:59 |
a.vanniel |
I thought I would check how the Authentication middleware handles this... but when you open a login screen, change the ?redirect= to something else and log in, you are then redirected to the external page I entered in ?redirect=... I had expected this would really force redirect to be local/matching route but it doesn't
# |
Jun 21st 2021, 11:57 |
a.vanniel |
the latter might not work with a relative path unless the Router first qualifies the user-given url of course
# |
Jun 21st 2021, 11:57 |
a.vanniel |
Basically I want to prevent someone (or something) from entering https://www.google.com in the ?redirect= , so that when they would hit refresh and after the form has been posted they would not be transported to https://www.google.com ... and where this google url is set, any other malicious url could be set and you could replace the user by any malicious script I guess. So I am conflicted between the "check if the url matches a route" and the "check for host" method...
# |
Jun 21st 2021, 11:53 |
kevin.pfeifer |
so you want to know if a given URL matches any route in your app? Or are you happy if you check the host part of the url? |
# |
Jun 21st 2021, 11:47 |
a.vanniel |
Does anybody know if there is a way to filter a user supplied url? Basically what I would like to do is populate a query variable and I want to sanitize this variable so it does not contain an external url... I thought passing something to Router::url() would solve my problems but when I pass something like https://www.google.com to Router::url() I am just getting the same url back, instead I would have liked something like / or /pages/display/home to be returned. Is this at all possible?
# |
Jun 21st 2021, 10:19 |
kevin.pfeifer |
@alamnaryab what are you trying to accomplish with that logic? As far as I know the `$connection->rollback();` only works for manually executed queries like `$connection->execute('UPDATE articles SET published = ? WHERE id = ?', [true, 2]);` If you go through the ORM with `$connection->Tags->save($tag)` you can't rollback from that. But again, what are you trying to accomplish?
# |
Jun 21st 2021, 09:16 |
kupe3b |
thanks @erwane
# |
Jun 21st 2021, 07:59 |
erwane |
https://book.cakephp.org/4/en/views/helpers/form.html#creating-select-pickers |
# |
Jun 21st 2021, 07:59 |
erwane |
so `<?= $this->Form->control('fieldname', ['multiple' => 'checkbox', 'options' => $selectOptions]) ?>` |
# |
Jun 21st 2021, 07:58 |
erwane |
```Attributes for Select Pickers 'multiple' - If set to true allows multiple selections in the select picker. If set to 'checkbox', multiple checkboxes will be created instead. Defaults to null.``` |
# |
Jun 21st 2021, 07:38 |
kupe3b |
hello, when baking views, in many-to-many relations a <select> tag is generated with multi-selection enabled. Is there an easy way to make it generate a list of checkboxes instead?
# |
Jun 21st 2021, 06:43 |
erwane |
`displayField` ? |
# |
Jun 21st 2021, 06:40 |
paolo.bragagni |
hi I'm trying to get in form.twig the name of the 'title' in associated table. I mean the name of the default field used for 'title'. |
# |
Jun 21st 2021, 06:01 |
alamnaryab |
Good morning, having an issue with transactions https://book.cakephp.org/4/en/orm/database-basics.html#using-transactions
```php
if ($this->request->is('post')) {
    $connection = ConnectionManager::get('default');
    $connection->begin();
    $tag = $connection->Tags->patchEntity($tag, $this->request->getData());
    if ($connection->Tags->save($tag)) {
        $connection->rollback(); //*********** this rollback is not working, record is saved in DB
        $this->Flash->success(__('The tag has been saved.'));
        return $this->redirect(['action' => 'index']);
    }
    $this->Flash->error(__('The tag could not be saved. Please, try again.'));
}
```
# |
Jun 20th 2021, 17:13 |
ndm |
you're welcome |
# |
Jun 20th 2021, 17:13 |
amayer |
Thanks for pointing me down the right path @ndm! |
# |
Jun 20th 2021, 17:12 |
amayer |
Looks like `$config = ConnectionManager::getConfig('default');` is what I was looking for!
# |
Jun 20th 2021, 17:00 |
amayer |
I'll give the ConnectionManager thing a try. |