Can extra, unneeded $_POST keys harm the system?
开发者_如何学CLets imagine for where are inputs like:
<input name="x" />
<input name="y" />
<input name="z" />
Can there be any harm if user manually, for example, by using FireBug creates more inputs with different names?
I'm asking this because my team yesterday created a rule that you need to manually filter $_POST
array (for example) to be sure that there are only expected keys in it. I, personally, don't see any harm if there would be extra keys like foo
and bar
. They would be ignored, right?
Also, we are using Kohana 3.0 and its ORM. Maybe that's the whole point? Maybe ORM would react different for extra, unneeded keys and, maybe, update unexpected columns in database if 'hacker' guesses the 'wrong' key (so column as well)?
What do you think?
This is a problem in some frameworks like Ruby on Rails and ASP.NET MVC, where it can occur as mass assignment.
Consider a user account model where you have username, password, email and then a boolean flag for whether or not the user is admin. You build a form for allowing self-registration, and because you of course don't want users to allow themself to become admin, you include only the three first fields in your form. However in these frameworks (unless you disable it), any form field with a specific name (regardless of whether or not they came from the actual form) would be assigned. So if the attacker added a field called something like user[admin]=1, that might be assigned by the "magic" backend, and actually have an effect on the data, even though you never explicitely handled that variable.
Erlend is correct in the that if you just chuck $_POST
into ORM then you're likely to run into security problems, but he's wrong about Kohana. With Kohana 3.* onwards the ORM method values()
takes a 2nd argument which is an array of the expected keys.
So, the following example
$user = ORM::factory('user');
$user->values($_POST, array('username', 'password')
$save->save();
Source code for values()
would only use the username and password fields from the array.
If you're using some kind of automation that converts all POST variables into a SQL query there might be something to the claim. I don't know what Kohana does but some frameworks have a save_to_database( $data )
function that picks the variables from $data
that have corresponding fields in the table, so in theory the attacker might be able to save more data to the database than they're supposed to by sending extra keys. (Most frameworks also allow passing an array of allowed fields to the function which prevents this kind of attacks.)
精彩评论