Post Support For Action Parameter Binding


(Nicoassink) #1

Action Parameter Binding as implemented in CInlineAction currently only supports $_GET parameters, so parameters from POST requests won’t be bound.

If CInlineAction used CHttpRequest->getParam($name) instead of $_GET[$name] in the run() method, it would support Action Parameter Binding in both GET and POST requests.

I would prefer that behavior.


(Qiang Xue) #2

Please also see this changeset which allows easier extension of CInlineAction: http://code.google.com/p/yii/source/detail?r=2888#


(Will Shaver) #3

Why was it set to _GET instead of _REQUEST in the first place? Is there some security thing that I’m not understanding? (Or CHttpRequest->getParam($name))


(Alexander Makarov) #4

$_REQUEST includes $_GET, $_POST… and $_COOKIE. So yes, it's a security thing: a malicious user can override your variables by setting a cookie with the same name as your $_GET or $_POST parameter.


(Rpkamp) #5

_REQUEST is evil and should never have been in the language in the first place. It serves no useful purpose whatsoever (unless you consider making things more ambiguous and less secure useful).


(Helmut Messerer) #6

Since version 1.1.7 this is now done by overriding getActionParams() from CController.

e.g. put this in components/Controller.php

// merge query-string and body parameters; on a name clash the POST value wins
public function getActionParams() { return array_merge($_GET, $_POST); }
to have both GET and POST parameters bind to action parameters.
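The override above merges $_GET and $_POST with array_merge(), so a name supplied in both places is silently resolved in favour of the body. The following is an added example, not code from the thread or from the Yii code base: it keeps the same merge but takes the two sources as explicit arguments (nothing from $_COOKIE can reach it, unlike $_REQUEST), refuses a request in which the same name carries different values in query string and body, and shows how it would be wired into the components/Controller.php base class mentioned in the post. The function name mergeActionParams() and the exception class are assumptions made for this example. The script runs stand-alone from the PHP CLI on the constructed sample arrays; the CController subclass is only declared when the Yii class is loaded.

```php
<?php
// Added example, not part of the forum thread or of Yii itself.
// Demonstrates a getActionParams() override that merges GET and POST
// explicitly, never touches $_COOKIE, and rejects ambiguous requests.

// Assumed name for this example.
class AmbiguousActionParamException extends RuntimeException {}

/**
 * Merge query-string and body parameters for action parameter binding.
 *
 * Sources are passed in explicitly so the caller decides exactly which
 * superglobals take part; $_COOKIE is deliberately not among them. This is
 * the difference from $_REQUEST, whose contents depend on the
 * request_order / variables_order ini settings and include cookies.
 *
 * @param array $get  contents of $_GET
 * @param array $post contents of $_POST
 * @return array      merged parameters (POST wins, as with array_merge($_GET, $_POST))
 * @throws AmbiguousActionParamException when a name is present in both
 *                                       sources with different values
 */
function mergeActionParams(array $get, array $post)
{
    foreach ($post as $name => $value) {
        if (array_key_exists($name, $get) && $get[$name] !== $value) {
            throw new AmbiguousActionParamException(
                "Parameter '$name' supplied in both query string and body with different values"
            );
        }
    }
    // Same precedence as the one-line override from the post: body overrides query string.
    return array_merge($get, $post);
}

// Wiring into a Yii 1.1.7+ base controller (components/Controller.php).
// Declared only when Yii's CController is actually loaded, so this file
// still runs from the CLI without the framework.
if (class_exists('CController', false)) {
    class Controller extends CController
    {
        public function getActionParams()
        {
            return mergeActionParams($_GET, $_POST);
        }
    }
}

// --- CLI demonstration on constructed sample input (not captured traffic) ---
if (PHP_SAPI === 'cli') {
    // Distinct names in query string and body: a clean merge.
    $get  = array('id' => '42');
    $post = array('title' => 'hello');
    var_dump(mergeActionParams($get, $post));

    // Same name in both with identical values: accepted, no ambiguity.
    var_dump(mergeActionParams(array('id' => '42'), array('id' => '42')));

    // Same name, different values: array_merge() alone would let the body win
    // silently; here the request is rejected.
    try {
        mergeActionParams(array('id' => '42'), array('id' => '7'));
    } catch (AmbiguousActionParamException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }

    // A cookie with the same name is irrelevant: $_COOKIE is never an input.
    $_COOKIE['id'] = 'attacker-controlled';
    var_dump(mergeActionParams(array('id' => '42'), array()));
}
```

Whether to reject or to pick a winner on a clash is a policy choice; the point of the explicit signature is that the policy is visible in one place and that cookies cannot enter the binding at all. If you prefer routing parameters to come from the query string only, as post #11 argues, the same function can be called with an empty array as the second argument for those actions.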


(Rpkamp) #7

Security leaks FTW ! :blink:

There is a reason register_globals is deprecated; don’t simulate it!


(Alexander Makarov) #8

ScallioXTX, can you provide an example of why this is the security leak?


(Rpkamp) #9

It may not be a very good example, but merging these two arrays makes it much easier to try and brute force stuff, as you could put the username and password in the URL and keep blasting. Creating POST requests is a little harder.

Plus I guess I’m not a fan of not knowing precisely where all my variables are coming from. It feels nasty.


(Alexander Makarov) #10

ScallioXTX

Creating POST requests isn't harder at all. Those who break our apps are sometimes very clever guys.


(Wisp) #11

POST params should only be used to post data to the server, not to route a request. So the current behaviour is fine.


(Benjamin Woester) #12

Just rethinking this… Since you validate input before using it, does it really matter from which source it comes? I think I understand the different purposes of GET and POST data, but should our actions have to deal with that?


(Benjamin Woester) #13

Just for everyone who’s interested in this feature request: Quite some time ago, I wrote a filter that allows pretty flexible configuration of action parameters. Have a look here: https://github.com/bwoester/yii-action-param-filter