
#466 (Changing case of a URL allows bypassing of validation rules.)


Ticket #466 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago


Reported by: pookey@pookey.co.uk
Assigned to:
Priority: critical
Milestone: 0.6.3
Component:
Version:
Keywords:
Cc:
Qualification:

Change History

04/26/06 13:16:36 changed by fabien

  • milestone set to 0.6.3.

05/24/06 17:51:13 changed by bcaspe

This also allows for bypassing of security (credential checking) rules. The basicsecurityfilter is not even loaded if the corresponding yml file isn't found.

05/24/06 17:52:35 changed by bcaspe

I should say that because the route wasn't predefined, the router set a default /:module/:action route.

05/24/06 18:32:21 changed by bcaspe

For the security.yml, I solved it by adding the following to sfSecurityConfigHandler.class.php right before the retval is assigned:

//change all of the keys to lowercase
$myConfig = array_change_key_case($myConfig);

and then in the sfAction.class.php in the isSecure function:

public function isSecure()
{
  // normalize the requested action name so that 'Index' and 'INDEX'
  // hit the same (lowercased) security.yml entry as 'index'
  $actionName = strtolower($this->getActionName());
  if (isset($this->security[$actionName]['is_secure']))
  {
    return $this->security[$actionName]['is_secure'];
  }
...
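As an added example (not symfony's own code) that models the mismatch this ticket describes: the modeled dispatcher reaches executeIndex() for any spelling of the action name, because PHP resolves method names case-insensitively, while the security.yml lookup matches its key case-sensitively. The config array, the DemoActions class and dispatch() are constructed for the demo; the hardened lookup applies bcaspe's normalization.

```php
<?php
// Added example, not symfony's own code: models the case mismatch from ticket #466.
// Constructed stand-in for a security.yml module section, keyed by action name.
$securityConfig = array(
    'index' => array('is_secure' => true),
    'all'   => array('is_secure' => false),
);

// Vulnerable lookup: the key is matched case-sensitively, so a request for
// "Index" or "INDEX" finds no entry and falls through to the permissive default.
function isSecureVulnerable(array $security, $actionName)
{
    if (isset($security[$actionName]['is_secure'])) {
        return $security[$actionName]['is_secure'];
    }
    return isset($security['all']['is_secure']) ? $security['all']['is_secure'] : false;
}

// Hardened lookup following bcaspe's approach: lowercase the config keys
// (array_change_key_case) and the requested name (strtolower) before matching.
function isSecureHardened(array $security, $actionName)
{
    return isSecureVulnerable(array_change_key_case($security, CASE_LOWER), strtolower($actionName));
}

// Why the mismatch matters: PHP resolves method names case-insensitively,
// so every spelling of the action still reaches executeIndex().
class DemoActions
{
    public function executeIndex() { return 'index page'; }
}

function dispatch(DemoActions $actions, $actionName)
{
    $method = 'execute' . ucfirst($actionName);
    return method_exists($actions, $method) ? $actions->$method() : null;
}

$actions = new DemoActions();
foreach (array('index', 'Index', 'INDEX') as $name) {
    printf("%-5s dispatched=%s vulnerable_secure=%s hardened_secure=%s\n",
        $name,
        var_export(dispatch($actions, $name) !== null, true),
        var_export(isSecureVulnerable($securityConfig, $name), true),
        var_export(isSecureHardened($securityConfig, $name), true));
}
```

Run with the php CLI: the rows for 'Index' and 'INDEX' show an action that is still dispatched but that the vulnerable lookup reports as not secure, while the hardened lookup reports it as secure.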

06/16/06 09:46:47 changed by fabien

  • milestone changed from 0.6.3 to 1.0.0.

06/16/06 09:46:48 changed by fabien

  • milestone changed from 0.6.4 to 0.6.3.

06/21/06 12:55:23 changed by fabien

  • status changed from new to closed.
  • resolution set to fixed.

in r1498

WARNING: may break BC

Actions in the routing are now case sensitive. If you have a page with an 'index' action name, your action must be named 'executeIndex' ('fooBar' => 'executeFooBar').