CakePHP: the rapid development php framework: CakeBot

Log message #976829

#	At	Username	Text
#	Aug 21st 2009, 16:44	kiger	So I tested out some injection on Model::save() and found this out ;(
#	Aug 21st 2009, 16:43	kiger	I was fooling with prepared statements using $this->query() last night (thanks for the patch btw markstory; it really kicks ass) but was curious about switching over to standard $this->save() and $this->updateAll(). I found it interesting that you cannot use prepared statements with updateAll() though which makes it very difficult to securely use; so I looked at what Model::save() does, but it just passes the stuff to update().
#	Aug 21st 2009, 16:42	proloser	hmm
#	Aug 21st 2009, 16:40	kiger	because the '--' comments everything else out afterwords (e.g., the WHERE id = 5)
#	Aug 21st 2009, 16:40	kiger	Here is the string I tried: $this->save(array('User'=>array('username'=>'test --')), false) which resulted in everyone's username being changed to 'test'
#	Aug 21st 2009, 16:39	markstory	updateAll is supposed to.
#	Aug 21st 2009, 16:39	kiger	well updateAll() clearly does, but doing an update through save() does too
#	Aug 21st 2009, 16:39	kiger	So I do $this->User->id = $userId
#	Aug 21st 2009, 16:39	markstory	so you're saying all update commands allow sql injection?
#	Aug 21st 2009, 16:38	kiger	I allow users to edit their account on my box
#	Aug 21st 2009, 16:38	markstory	ok
#	Aug 21st 2009, 16:38	kiger	[18:04] <kiger> $success = (bool)$db->update($this, $fields, $values);
#	Aug 21st 2009, 16:38	kiger	[18:04] <kiger> check line 1238 in the latest svn of model.php
#	Aug 21st 2009, 16:37	markstory	and should escape fields.
#	Aug 21st 2009, 16:37	markstory	Model::save() doesn't use updateAll
#	Aug 21st 2009, 16:35	kiger	But I never realized that Model::save() does not escape stuff either when you set Model->id because it will also use update.
#	Aug 21st 2009, 16:34	kiger	Basically, I didn't know that updateAll() doesn't escape stuff; the docs say it doesn't so no problem
#	Aug 21st 2009, 16:32	kiger	Should I mention it in here or does someone want me to explain in a pm?
#	Aug 21st 2009, 16:32	kiger	I think, and of course I'm probably wrong, I found a pretty big hole in cake regarding security that maybe many bakers don't know about?
#	Aug 18th 2009, 10:24	kuja	Ouch :\|
#	Aug 17th 2009, 12:53	ProLoser\|Work1	!log
#	Aug 16th 2009, 19:30	ProLoser	!seen techno-dude
#	Aug 16th 2009, 18:11	proloser	!seen ad7six
#	Aug 15th 2009, 15:56	sky_l3ppard	hi poLK, i fixed the article, please take a look, when you have time, thanks
#	Aug 15th 2009, 06:36	ADmad	i kinda got lost what was your take on this ?
#	Aug 15th 2009, 06:36	alkemann	well at least he has more content than the other one, but i must stick to our discussion of yesterday
#	Aug 15th 2009, 06:34	ADmad	ya
#	Aug 15th 2009, 06:34	alkemann	oh by Jon
#	Aug 15th 2009, 06:34	ADmad	yup suddenly people are too interested in that topic :)
#	Aug 15th 2009, 06:33	alkemann	another one?
#	Aug 15th 2009, 06:31	ADmad	alkemann: you checked this other canonical helper http://bakery.cakephp.org/articles/view/canonical-helper ?
#	Aug 14th 2009, 16:29	markstory	plus you can use shouty <HTML>
#	Aug 14th 2009, 16:29	alkemann	many smarter and more versed in the issue than me has written volumes about it on the web, that im sure is just a google away if you are really interested
#	Aug 14th 2009, 16:27	ADmad	and you want html4strict becuase ?
#	Aug 14th 2009, 16:27	alkemann	what you "like" is not relevant to the issue
#	Aug 14th 2009, 16:26	ADmad	whats bad about prefering stuff like lowercase tagnames and attributes, tags closing with /> etc
#	Aug 14th 2009, 16:24	alkemann	a lot of people use bad tools. because they like them or are used to them. thats fine. tool makers should make good tools though
#	Aug 14th 2009, 16:22	markstory	most do
#	Aug 14th 2009, 16:21	ADmad	i just go with 1.0
#	Aug 14th 2009, 16:20	markstory	not like xhtml 1.1 ever worked.
#	Aug 14th 2009, 16:20	ADmad	until that new road is fully paved and ready to tread i will stick to my dead end