Hi everybody,
consider this simple example that just popped into my mind:
A model, for example a CActiveRecord, which handles a simple table of "Messages".
Messages has, in its simplest form,
an ID (int), an OWNER_ID (int), a TYPE (int) and a Message (text).
Type can be 1=System message, 2=user message.
Now, I wish to write rules in the model about these attributes, so it will probably look like:
public function rules()
{
    return array(
        // type must be an integer between 1 and 2
        array('type', 'numerical', 'integerOnly'=>true, 'min'=>1, 'max'=>2),
        // message is explicitly marked safe for massive assignment
        array('message', 'safe'),
    );
}
I render to the user a form with ONLY a textbox for the message. I handle the type or id in the GET/POST request as
parameters.
So the controller is something like:
public function actionCreate($type)
{
    // double check if this user can create this Type or even message, role, rbac based, don't care.
    ....
    ...
    $model=new Messages;
    if(isset($_POST['Messages'])){
        // strip clean & xss clean $_POST['Messages'];
        $model->type=(int)$type;
        $model->attributes=$_POST['Messages'];
        // if save() blablablabla
    }
}
public function actionUpdate($id)
{
    // double check if this user can modify this id, for example with OWNER_ID in the table or so on.
    ....
    ...
    $model=$this->loadModel((int)$id);
    if(isset($_POST['Messages'])){
        // strip clean & xss clean $_POST['Messages'];
        $model->attributes=$_POST['Messages'];
        // if save() blablablabla
    }
}
OK, think about this twice, because if it looks all legit to you, as it did to me, you are wrong.
You are in front of a big security issue, because if I build the POST by hand and insert type, I can modify
my message type to become a System message.
Why? The answer is really simple: Yii considers safe every attribute that is present in the rules,
except when you specify 'unsafe'.
In your wiki you say "deny default logic", and in your code I see:
(CValidator.php)
/**
 * @var boolean whether attributes listed with this validator
 * should be considered safe for massive assignment.
 * Defaults to true.
 * @since 1.1.4
 */
public $safe=true;
Indeed, with your logic CSafeValidator.php just does NOTHING. Why? Because just by being present in the rules, whatever the rule,
the attribute will be returned by the getSafeAttributeNames() function you use in massive assignment.
I think this is a bad approach to the problem, and I know you can blame me with
"why did you insert the rule for type"; I will not even answer that.
This approach leads to a massive amount of bugged code, because to be sure you have to UNSAFE all attributes.
MY personal solution is:
Change CValidator.php to public $safe=false;
and change CSafeValidator.php to
class CSafeValidator extends CValidator
{
    public $safe=true;
    ..
Now only SAFE is SAFE. And you have the deny-by-default paradigm.
Just my two cents, thanks for your attention.
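Added example, not from the post above and not Yii's own code: a stand-alone PHP emulation of how Yii 1.1 resolves safe attribute names and applies massive assignment, run over the post's rules() first as written and then with an extra array('type','unsafe') rule. The record, the request array and the rule representation are constructed for the demonstration.

```php
<?php
// Emulation of Yii 1.1's CModel::getSafeAttributeNames() (not Yii code).
// Each validator is ['attributes' => [...], 'safe' => bool]; Yii's CValidator
// defaults $safe to true, so any rule marks its attributes safe unless it is
// the 'unsafe' rule (CUnsafeValidator), whose $safe is false.
function safeAttributeNames(array $validators): array {
    $safe = []; $unsafe = [];
    foreach ($validators as $v) {
        foreach ($v['attributes'] as $name) {
            if ($v['safe']) { $safe[$name] = true; } else { $unsafe[] = $name; }
        }
    }
    foreach ($unsafe as $name) { unset($safe[$name]); } // unsafe wins over safe
    return array_keys($safe);
}

// Massive assignment the way CModel::setAttributes($values, $safeOnly=true)
// does it: only names returned by safeAttributeNames() are copied from the request.
function massAssign(array $record, array $post, array $validators): array {
    $allowed = array_flip(safeAttributeNames($validators));
    foreach ($post as $name => $value) {
        if (isset($allowed[$name])) { $record[$name] = $value; }
    }
    return $record;
}

// The rules() from the post: numerical rule on type, 'safe' rule on message.
$rulesAsPosted = [
    ['attributes' => ['type'],    'safe' => true],  // numerical validator, $safe default
    ['attributes' => ['message'], 'safe' => true],  // CSafeValidator
];
// Hardened rules(): keep the numerical check, add array('type','unsafe').
$rulesHardened = array_merge($rulesAsPosted, [
    ['attributes' => ['type'], 'safe' => false],    // CUnsafeValidator
]);

// Constructed request: a user message (type 2) whose client also sends type=1.
$record = ['id' => 7, 'owner_id' => 42, 'type' => 2, 'message' => ''];
$post   = ['message' => 'hello', 'type' => 1];

$asPosted = massAssign($record, $post, $rulesAsPosted);
$hardened = massAssign($record, $post, $rulesHardened);
printf("default-safe rules: type=%d\n", $asPosted['type']); // 1: became a System message
printf("with 'unsafe' rule: type=%d\n", $hardened['type']); // 2: request value ignored
```

In a real Yii 1.1 model the hardened variant is the extra rule array('type','unsafe') in rules(); assigning $model->type after, rather than before, $model->attributes also keeps the request value from surviving.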