zendframework / zend-validator

Validator component from Zend Framework
BSD 3-Clause "New" or "Revised" License

CSRF shouldn't throw PHP errors when it receives non-string input #212

Closed Saeven closed 6 years ago

Saeven commented 6 years ago

The CSRF is a bit naive, assuming that it is receiving a string, and not an array. Most penetration tests start with malformed input, and arrays cause this validator to throw an Array to string conversion error.

Reproducing the problem is simple. Craft a form that includes a CSRF Filter, and modify your post to send CSRF as an array. e.g.,

```http
POST /login HTTP/1.1
Content-Length: 142
Content-Type: application/x-www-form-urlencoded
Referer: http://foo.com
Cookie: PHPSESSID=s3r0icn96iqstvsrpkae3n2sta; lastRoute=register; locale=en_US; lastPageVisited=http://foo.com/login; __cfduid=d815a2363ab50c616e80627e0ca5834a81516720789
Host: foo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

axis=1&csrf[]=576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73&email=sample%40email.tst&password=g00dPa%24%24w0rD&remember=on
```

The CSRF filter should report a validation failure when an array is pushed in, and not crap out.
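The failure mode in the report and the guard that turns it into an ordinary validation failure, as an added illustration that is not zend-validator's own `Csrf` class; the function names are hypothetical and the inputs are constructed from the request body above.

```php
<?php
declare(strict_types=1);

// Added illustration, not zend-validator's own Csrf class. A minimal stand-in
// reproduces the problem from the report and shows the guard that fixes it.
// Function names are hypothetical.

// Frameworks commonly promote notices/warnings to exceptions; doing the same here
// makes the "Array to string conversion" problem visible as a thrown error.
set_error_handler(static function (int $no, string $msg): bool {
    throw new ErrorException($msg, 0, $no);
});

// Naive check, mirroring the assumption in the report: the value is assumed
// to be a string, so an array is force-cast and the cast emits the warning.
function naiveCsrfValid($value, string $expectedHash): bool
{
    return hash_equals($expectedHash, (string) $value);
}

// Hardened check: reject any non-string before any string operation is attempted.
function safeCsrfValid($value, string $expectedHash): bool
{
    if (!is_string($value)) {
        return false; // a validation failure, not a PHP error
    }
    return hash_equals($expectedHash, $value);
}

// Constructed inputs modelled on the report: the token sent as a scalar
// (csrf=...) and as an array (csrf[]=...), parsed the way PHP builds $_POST.
$token = '576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73';
parse_str('csrf=' . $token, $scalarPost);
parse_str('csrf[]=' . $token, $arrayPost);

try {
    naiveCsrfValid($arrayPost['csrf'], $token);
} catch (ErrorException $e) {
    echo 'naive validator: ', $e->getMessage(), PHP_EOL;
}

echo 'hardened, scalar input: ', var_export(safeCsrfValid($scalarPost['csrf'], $token), true), PHP_EOL;
echo 'hardened, array input:  ', var_export(safeCsrfValid($arrayPost['csrf'], $token), true), PHP_EOL;
```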

Ocramius commented 6 years ago

Test case still required

Commit Summary: Update Csrf.php (https://github.com/zendframework/zend-validator/pull/212)

Saeven commented 6 years ago

Yep sorry, forgot to check it in. Done.

Saeven commented 6 years ago

Hm, some tests in this branch (untouched) were failing already. Need fixing? Timezone tests.

weierophinney commented 6 years ago

Thanks, @Saeven!