[dev] horde_form patch

Marko marko at oblo.com
Fri Jan 17 05:19:28 PST 2003


thanks, that helps clarify things...

m.


Quoting Chuck Hagenbuch <chuck at horde.org>:

> Quoting Marko <marko at oblo.com>:
> 
> > the idea is to fix the lack of cgi sending of the checkbox fields by
> > checking against what the form class should have set (to avoid having a
> > large number of hidden fields, potential security risk?)
> 
> There is no potential security risk. Please, please, please try and think
> through these things before crying wolf.
> 
> Someone trying to mess with form data this way has 2 options:
> 
> 1. Claim that a variable should have been there that isn't (of course, they
> could also just add this variable). Result: the variable (if it is ever
> tested for - unlikely, if it wasn't supposed to be there) gets a null value.
> 
>  a. null values are acceptable for that variable - well, then it's accepted
>     as a null value, but the user could have entered that anyway.
>  b. null values are not acceptable - form is marked as invalid.
> 
> 2. Remove a hidden variable so that a form variable does not show up in
> _setvars, and effectively disappears. Of course, they could remove form
> values if they're messing with the form this way anyway.
> 
>  a. The variable is not a checkbox or select multiple, and so it shows up in
>     the $_GET or $_POST data anyways. Result - the variable is validated
>     like any input.
>  b. The script thinks the variable wasn't in the form. It gets a null value,
>     or possibly the default value for the form. Result - null value is
>     either accepted or form is invalid, depending on validation; or, default
>     value is used (form being valid unless other vars are wrong) and the
>     attacker has managed to create perfectly valid (though perhaps
>     non-sensical or "wrong") data.
> 
> Basically - since all validation is server-side, the best you can do is what
> you can do through the form itself anyways.
> 
> -chuck
> 
> --
> Charles Hagenbuch, <chuck at horde.org>
> must ... find ... acorns ... *thud*
> 
> --
> Horde developers mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
> 
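The server-side approach discussed above (deciding which fields a form has from the form class's own definition rather than from client-supplied hidden variables) together with Chuck's two tampering cases, as an added Python illustration; this is not Horde's PHP code, and FORM_DEF and the sample submissions are constructed for the example.

```python
# Added illustration (not Horde's PHP code): the set of form fields comes from
# a server-side definition, never from hidden variables the client posts back.
# FORM_DEF and the sample submissions below are constructed for this example.

FORM_DEF = {
    "username": {"type": "text", "required": True},
    "notify":   {"type": "checkbox"},          # browsers omit unchecked boxes
    "roles":    {"type": "multiselect", "default": []},
    "age":      {"type": "int", "default": None},
}

def process_form(form_def, posted):
    """Build (values, errors) from posted data, consulting form_def only.

    Variables absent from form_def are dropped (case 1 in the thread).  A
    missing checkbox or multiselect is simply 'nothing selected' (case 2),
    and a missing required field makes the form invalid, exactly as it would
    had the user left it blank.
    """
    values, errors = {}, {}
    for name, spec in form_def.items():
        raw = posted.get(name)
        kind = spec["type"]
        if kind == "checkbox":
            values[name] = raw is not None
        elif kind == "multiselect":
            if raw is None:
                values[name] = list(spec.get("default", []))
            else:
                values[name] = [raw] if isinstance(raw, str) else list(raw)
        elif raw is None or raw == "":
            if spec.get("required"):
                errors[name] = "required"
            values[name] = spec.get("default")
        elif kind == "int":
            try:
                values[name] = int(raw)
            except ValueError:
                errors[name] = "not an integer"
                values[name] = spec.get("default")
        else:
            values[name] = raw
    return values, errors

# Honest submission: every defined field present, checkbox ticked.
HONEST = {"username": "marko", "notify": "on", "roles": ["admin"], "age": "30"}
# Case 1: an extra variable the form never defined is posted.
EXTRA_VAR = dict(HONEST, extra_flag="1")
# Case 2: variables removed from the submission.
NO_USERNAME = {k: v for k, v in HONEST.items() if k != "username"}
NO_CHECKBOX = {k: v for k, v in HONEST.items() if k != "notify"}
```

Running the three tampered submissions through process_form shows the outcomes Chuck lists: the extra variable never reaches the values, the missing required field marks the form invalid, and the missing checkbox is read as unchecked, which the user could have chosen anyway.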
