tingobol / gii-template-collection

Automatically exported from code.google.com/p/gii-template-collection

[TODO] Security issue #11

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

This ticket is just an opinion about the TODO item in todo.txt
"Investigate whether or not the usage of POST inside Crud Controller's
actionDelete() is correct, or if it should be fetched from the GET
parameters instead."

I think that committing any admin action via GET is a security risk.
Imagine if the user has an auth cookie and is redirected to, or clicks
on, a link?
If you check out the other actions, they all make changes only in
POSTs; the only thing they do in a GET is to show a form.
The only difference is that the delete action does not have a form,
so it does not need a GET at all.

Even if restricting admin commit actions to a POST does not solve
all security problems, it is undoubtedly safer than a GET.

See http://www.yiiframework.com/doc/guide/topics.security item
"Cross-site Request Forgery Prevention".

Original issue reported on code.google.com by rodrigo.coelho@gmail.com on 2 Sep 2010 at 12:00
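An added illustration of the point made above, written for Yii 1.1 (the framework the Gii CRUD templates target). This is not code from this issue or from gii-template-collection; the controller name, the `post/delete` route and the Gii-style `loadModel($id)` helper are assumed. It puts the GET-triggered delete beside a POST-only delete that also relies on Yii's CSRF token check, since requiring POST on its own only stops the link/image/redirect case, not a forged form submitted from another site.

```php
<?php
// Assumed helper (Gii generates one like it): loads the record or throws 404.
// Shown here only so the example is self-contained.
abstract class BasePostController extends CController
{
    protected function loadModel($id)
    {
        $model = Post::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }
}

class PostController extends BasePostController
{
    /**
     * Unsafe variant: a plain GET commits the delete. An admin who is logged in
     * and loads any page containing
     *   <img src="http://example.test/post/delete/id/5">
     * or is redirected to that URL deletes record 5, because the browser sends
     * the session cookie with the request and no user intent is checked.
     */
    public function actionDeleteViaGet($id)
    {
        $this->loadModel($id)->delete();
        $this->redirect(array('admin'));
    }

    /**
     * Safer variant: anything other than POST is answered with 400, so links,
     * images and redirects cannot trigger it. With enableCsrfValidation on
     * (see $requestConfig below) Yii additionally rejects a POST whose
     * YII_CSRF_TOKEN field does not match the token in the user's cookie,
     * which is what stops a form auto-submitted from an attacker's page.
     */
    public function actionDelete($id)
    {
        if (!Yii::app()->request->isPostRequest) {
            throw new CHttpException(400, 'Invalid request. Please do not repeat this request again.');
        }
        $this->loadModel($id)->delete();
        // AJAX callers (e.g. the Gii admin grid) refresh themselves; others go back to the list.
        if (!isset($_GET['ajax'])) {
            $this->redirect(array('admin'));
        }
    }
}

// protected/config/main.php, under 'components' => 'request'. Cookie validation
// keeps the CSRF cookie from being tampered with client-side.
$requestConfig = array(
    'enableCsrfValidation'   => true,
    'enableCookieValidation' => true,
);

// View fragment for the delete button. CHtml::form() with method 'post' emits
// the hidden CSRF token field automatically when enableCsrfValidation is on;
// a bare CHtml::link() to post/delete would produce a GET with no token.
function renderDeleteForm($postId)
{
    echo CHtml::form(array('post/delete', 'id' => $postId), 'post');
    echo CHtml::submitButton('Delete');
    echo CHtml::endForm();
}
```

The two defences are complementary: the `isPostRequest` gate removes the "just visit a URL" vector the issue describes, and the CSRF token binds the POST to a form Yii itself rendered for that session.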

GoogleCodeExporter commented 9 years ago
Will be fixed by removing the line in the todo.txt file.

Original comment by rodrigo.coelho@gmail.com on 8 Sep 2010 at 9:40

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r100.

Original comment by rodrigo.coelho@gmail.com on 8 Sep 2010 at 9:41