15 Jul 08 - CakePHP 1.2 RC2 + Security Component

By casey
in CakePHP, Casey's Corner
I’ve been wrangling with Cake’s Security Component for the past day, and not having the best time with it. If you’ve been trying to use it, you may have noticed that there is a near-total lack of documentation on it. Not cool.
So I was trying to use it to make some simple HTTP Authentication requests for a WebTree site of ours. It turns out that whenever the Security Component is initialized in a controller, it requires that all POSTed data in that controller be validated through the Security Component. For this to work correctly, and not spit you out into a blank page “black hole,” you have to use the Form Helper for every form that needs to be submitted, making sure to close each one with $form->end().
It looks like the Form Helper builds a hash from the names of the fields included in the form plus the Security salt that you set in config/core.php.
When the form is submitted, __validatePost() runs automatically (there is currently no way to turn it off) and builds the same hash from the fields present in the controller’s $data variable. If the two hash values are the same, we know that no extra data is being submitted directly to the controller, and we proceed with the normal course of things. If they don’t match, the Black Hole callback is triggered, and we go down that route.
Except that in the current RC2 release (7296), there is a bug in the Security Component that ensures these two hashes can never be equal.
The problem is in line 662 of /cake/libs/controller/components/security.php:
$check = md5(urlencode(Security::hash(serialize($field) . Configure::read('Security.salt'))));
Should be:
$check = urlencode(Security::hash(serialize($field) . Configure::read('Security.salt')));
Take out the md5() call. The Form Helper’s security function that generates the form’s hash value does not include the extra md5 hashing step, so the validator must not either. It looks like this was fixed in the nightly build.
This will alleviate some of your potential issues using the Security Component. However, if you just want to use some aspects of the component, such as HTTP Auth, there is currently no way to disable the POST validation, much to my chagrin. Maybe it will change in the future.
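As an added illustration (this is not CakePHP’s code and not from the original post), here is a stripped-down PHP model of the check described above: the field names (not their values) are serialised together with a secret salt and hashed on both sides, so the comparison fails if a POST body carries a field the form never rendered, and it also fails, exactly as with the md5() bug, whenever the two sides derive the token differently. The salt value, the function names and the data[Model][field] sample are constructed for the example; the real component reads the salt from Security.salt and does its own field traversal.

```php
<?php
// Added illustration, not CakePHP's implementation: models the
// "hash of field names + salt" tamper check the post describes.

// Assumed per-application secret (stands in for Security.salt in core.php).
const FORM_SALT = 'example-salt-value-do-not-reuse';

/**
 * Collect the field names a form (or a POST body) contains, in canonical
 * sorted order, so the hash does not depend on submission order.
 * Descends the data[Model][field] nesting; a list value such as a
 * multiple-checkbox group (data[Model][field][]) is treated as one leaf,
 * which is the case the commenters below report as troublesome.
 */
function collectFieldNames(array $data, string $prefix = ''): array
{
    $names = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string)$key : $prefix . '.' . $key;
        $isAssoc = is_array($value) && $value !== []
            && array_keys($value) !== range(0, count($value) - 1);
        if ($isAssoc) {
            // associative array: one more level of Model/field nesting
            $names = array_merge($names, collectFieldNames($value, $path));
        } else {
            // scalar or list: this is the field itself
            $names[] = $path;
        }
    }
    sort($names);
    return $names;
}

/** Token the helper would embed in the form: hash(serialised names . salt). */
function formToken(array $fieldNames): string
{
    return urlencode(hash('sha1', serialize($fieldNames) . FORM_SALT));
}

/**
 * Server-side check: recompute the token from the fields that actually
 * arrived and compare in constant time. Both sides must apply the identical
 * derivation; wrapping one side in an extra md5() (the RC2 bug) makes every
 * submission fail this check.
 */
function isPostUntampered(array $posted, string $token): bool
{
    $expected = formToken(collectFieldNames($posted));
    return hash_equals($expected, $token);
}

// Constructed sample: the fields the helper rendered for this form.
$rendered = ['Post' => ['title' => '', 'body' => '', 'tags' => []]];
$token = formToken(collectFieldNames($rendered));

// Legitimate submission: same fields, values filled in (checkbox list included).
$good = ['Post' => ['title' => 'Hi', 'body' => 'Text', 'tags' => ['a', 'b']]];
var_dump(isPostUntampered($good, $token));

// Submission with a field the form never rendered: token no longer matches.
$bad = $good;
$bad['Post']['is_admin'] = '1';
var_dump(isPostUntampered($bad, $token));
```

The point for a defender is that this scheme protects the set of field names only, not their values; it stops a client from adding fields the form did not expose, but anything the form does expose is still ordinary user input and still needs validation in the model.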
July 18th, 2008 at 4:10 pm
I’ve got this same problem. As soon as I add Security to the component array, I get the blank page back when trying to add or update. I’m doing this in my AppController. I want to use requireSecure so that all my pages have to use SSL. I’m using a newer version of Cake and I verified that the line of code you specified has the required change and yet I still have this problem.
July 21st, 2008 at 1:36 pm
One thing you can do to try to track down this problem is checking that the data submitted to your controller is the same as the data seen by your form helper.
Also, make sure that you’re not using $form->secure(), even though you think you would use it. You should only have one [__Token] and one [__key] field in your HTML.
At this point, though, I’ve thought about copying the Security Component from the cake core into my app/controllers/components, and removing the whole amount of code dedicated to the posted data check. That way I can get the benefits of all the other stuff (like forcing SSL) without that annoying check.
August 11th, 2008 at 9:44 pm
Casey,
I’m having a similar issue, however, the trigger now seems to be using the form helper’s input on multiple checkboxes. My best guess is that the hash isn’t taking into account fields that are using the data[Model][fieldname][] syntax. Unfortunately, I haven’t been able to _fix_ this yet.
There does seem to be a bug for this:
https://trac.cakephp.org/ticket/5129#comment:description
I hope this gets fixed very soon. It’s killing me for an element of a project I’m working on.
If you have any more insights, I’d be happy to hear.
August 29th, 2008 at 5:11 am
I can confirm this bug.
Took me a while till I found the reason (this post) and by debugging it manually (what a pain).
But I have to report that the fix posted here doesn’t work. In my revision and in the CakePHP trunk the md5() function isn’t called. So nothing to remove.
I was unable to fix it myself and so I am too hoping that the mentioned ticket is closed soon. This issue makes the whole Component useless.
BTW, I encountered this problem because I had radio buttons in my form. Probably really “just” a traversing issue.
December 30th, 2008 at 9:48 pm
I was having terrible blackhole problem for hours — every AJAX form submission was being invalidated. Your post saved me (using echo $form->end(); to end the form!). So thanks. A lot.