[dev] horde_form patch
Chuck Hagenbuch
chuck at horde.org
Fri Jan 17 00:09:52 PST 2003
Quoting Marko <marko at oblo.com>:
> the idea is to fix the lack of cgi sending of the checkbox fields by
> checking against what the form class should have set (to avoid having a
> large number of hidden fields, potential security risk?)
There is no potential security risk. Please, please, please try and think
through these things before crying wolf.
Someone trying to mess with form data this way has 2 options:
1. Claim that a variable should have been that that isn't (of course, they
could also just add this variable). Result: the variable (if it is ever
tested for - unlikely, if it wasn't supposed to be there) gets a null value.
a. null values are acceptable for that variable - well, then it's accepted
as a null value, but the user could have entered that anyway.
b. null values are not acceptable - form is marked as invalid.
2. Remove a hidden variable so that a form variable does not show up in
_setvars, and effectively disappears. Of course, they could remove form
values if they're messing with the form this way anyway.
a. The variable is not a checkbox or select multiple, and so it shows up in
the $_GET or $_POST data anyways. Result - the variable is validated
like any input.
b. The script thinks the variable wasn't in the form. It gets a null value,
or possibly the default value for the form. Result - null value is
either accepted or form is invalid, depending on validation; or, default
value is used (form being valid unless other vars are wrong) and the
attacker has managed to create perfectly valid (though perhaps
non-sensical or "wrong") data.
Basically - since all validation is server-side, the best you can do is what
you can do through the form itself anyways.
-chuck
--
Charles Hagenbuch, <chuck at horde.org>
must ... find ... acorns ... *thud*
More information about the dev
mailing list