Bug #6315
Input fields with a name attribute with more than 64 characters are ignored
| Status: | Resolved | Start date: | 2010-02-02 | |
|---|---|---|---|---|
| Priority: | Should have | Due date: | ||
| Assigned To: | Karsten Dambekalns | % Done: | 100% |
|
| Category: | Security | |||
| Target version: | TYPO3 Flow Base Distribution - 1.0 alpha 11 | |||
| PHP Version: | Complexity: | |||
| Has patch: | Affected Flow version: |
Description
(by Fabian Guth)
Input fields with a name attribute with more than 64 characters are
ignored.
After hours of digging into the Flow3-Code i realized that its possibly a
wrong PHP setting. Following test case shows, that input fields with long
(more than 64 characters) name attributes are ignored.
I would really appreciate any hints on the bad setting variable!
I searched php.ini and http.conf without success.
Test Case:
<?php echo print_r($_POST); ?> <form action= "" method="post"> <input type="text" name="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/> <input type="text" name="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"/> <input type="submit" value="Submit"/> </form>
Renders following after submit (both fields are filled):
Array ( [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb] => b )
As a workaround i edited the Token
(F3\FLOW3\Security\Authentication\Token\UsernamePassword) to check for a
short array key. I hope there aren't any side effects.
I know that it's better to subclass it with a changed "updateCredentials"
method to preserve the patch at the next release.
As i use the default Linux PHP Package, i am afraid its a very common
setting.
Associated revisions
[+BUGFIX] FLOW3 (Security): Shortened some variable names in HTML (input fields with a name longer than 64 characters are ignored in default Suhosin setups), fixes #6315.
Change-Id: Id86ac9938d73dc40e58fae65b2c540e2f2252122
History
#1 Updated by Karsten Dambekalns over 5 years ago
- Status changed from New to Needs Feedback
Do you have the Suhosin/Hardened PHP patch installed? Check phpinfo() to make sure, please.
#2 Updated by Fabian Guth over 5 years ago
phpinfo() says:
This server is protected with the Suhosin Patch 0.9.8
#3 Updated by Robert Lemke over 5 years ago
- Status changed from Needs Feedback to Closed
Can't reproduce this behavior on a machine without Suhosin enabled.
#4 Updated by Robert Lemke about 5 years ago
- Status changed from Closed to Accepted
- Target version changed from 1.0 alpha 8 to 1.0 alpha 10
#5 Updated by Robert Lemke about 5 years ago
- Status changed from Accepted to Needs Feedback
- Target version changed from 1.0 alpha 10 to 1.0 alpha 11
How can we solve / work around this?
#6 Updated by Karsten Dambekalns almost 5 years ago
- Status changed from Needs Feedback to Accepted
- Assigned To set to Karsten Dambekalns
To me it seems we should avoid such long names.
While it is not a security risk to have long names, Suhosin will continue to be popular und probably won't change it's defaults. That being said, the 64 char limit is for a variable name, in case of arrays that does not include the indices (the limit for the complete thing is 256). Thus it should be relatively easy to stay below that limit.
#7 Updated by Karsten Dambekalns almost 5 years ago
- Category changed from MVC to Security
One way for this (special) case of the authentication data: use a nested array instead of the long name. Equally unique and since we circumvent MVC argument handling in this case anyway, we can do this without side effects.
#8 Updated by Karsten Dambekalns almost 5 years ago
- Status changed from Accepted to Resolved
- % Done changed from 0 to 100
Applied in changeset r5005.