Bug #6315

Input fields with a name attribute with more than 64 characters are ignored

Added by Robert Lemke over 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2010-02-02
Due date:
% Done: 100%
PHP Version:
Has patch:
Complexity:

Description

(by Fabian Guth)

Input fields with a name attribute with more than 64 characters are
ignored.

After hours of digging into the Flow3-Code I realized that it's possibly a
wrong PHP setting. The following test case shows that input fields with long
(more than 64 characters) name attributes are ignored.

I would really appreciate any hints on the bad setting variable!
I searched php.ini and http.conf without success.

Test Case:

 <?php print_r($_POST); ?>

<form action="" method="post">
 <input type="text"  
name="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
 <input type="text"  
name="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"/>
 <input type="submit" value="Submit"/>
</form>

Renders following after submit (both fields are filled):

Array
(
   [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb] => b
)

As a workaround I edited the Token
(F3\FLOW3\Security\Authentication\Token\UsernamePassword) to check for a
short array key. I hope there aren't any side effects.
I know that it's better to subclass it with a changed "updateCredentials"
method to preserve the patch at the next release.

As I use the default Linux PHP Package, I am afraid it's a very common
setting.

Associated revisions

Revision 31a541b1 (diff)
Added by Karsten Dambekalns almost 9 years ago

[+BUGFIX] FLOW3 (Security): Shortened some variable names in HTML (input fields with a name longer than 64 characters are ignored in default Suhosin setups), fixes #6315.

Change-Id: Id86ac9938d73dc40e58fae65b2c540e2f2252122

History

#1 Updated by Karsten Dambekalns over 9 years ago

  • Status changed from New to Needs Feedback

Do you have the Suhosin/Hardened PHP patch installed? Check phpinfo() to make sure, please.

#2 Updated by Fabian Guth over 9 years ago

phpinfo() says:
This server is protected with the Suhosin Patch 0.9.8

#3 Updated by Robert Lemke over 9 years ago

  • Status changed from Needs Feedback to Closed

Can't reproduce this behavior on a machine without Suhosin enabled.

#4 Updated by Robert Lemke about 9 years ago

  • Status changed from Closed to Accepted
  • Target version changed from 1.0 alpha 8 to 1.0 alpha 10

#5 Updated by Robert Lemke almost 9 years ago

  • Status changed from Accepted to Needs Feedback
  • Target version changed from 1.0 alpha 10 to 1.0 alpha 11

How can we solve / work around this?

#6 Updated by Karsten Dambekalns almost 9 years ago

  • Status changed from Needs Feedback to Accepted
  • Assignee set to Karsten Dambekalns

To me it seems we should avoid such long names.

While it is not a security risk to have long names, Suhosin will continue to be popular and probably won't change its defaults. That being said, the 64 char limit is for a variable name, in case of arrays that does not include the indices (the limit for the complete thing is 256). Thus it should be relatively easy to stay below that limit.

#7 Updated by Karsten Dambekalns almost 9 years ago

  • Category changed from MVC to Security

One way for this (special) case of the authentication data: use a nested array instead of the long name. Equally unique and since we circumvent MVC argument handling in this case anyway, we can do this without side effects.

#8 Updated by Karsten Dambekalns almost 9 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset r5005.
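
Added example (not part of the ticket and not FLOW3 or Suhosin code): a small template lint that applies the two limits quoted in comment #6 to every form control name, showing why the nested-array form suggested in comment #7 passes where a long flat name is dropped. The field names, the template and the function names are constructed for illustration.

```php
<?php
// Added example, not FLOW3 or Suhosin code. The limits are the defaults quoted
// in comment #6: 64 characters for the variable name (the part before the
// first "["), 256 for the complete name including array indices.
const MAX_VARNAME_LENGTH = 64;
const MAX_TOTALNAME_LENGTH = 256;

/** Reasons this field name would be dropped; an empty array means accepted. */
function checkFieldName(string $fieldName): array
{
    $problems = [];
    $bracket = strpos($fieldName, '[');
    $varName = $bracket === false ? $fieldName : substr($fieldName, 0, $bracket);
    if (strlen($varName) > MAX_VARNAME_LENGTH) {
        $problems[] = sprintf('variable name is %d characters, limit %d', strlen($varName), MAX_VARNAME_LENGTH);
    }
    if (strlen($fieldName) > MAX_TOTALNAME_LENGTH) {
        $problems[] = sprintf('complete name is %d characters, limit %d', strlen($fieldName), MAX_TOTALNAME_LENGTH);
    }
    return $problems;
}

/** Maps each offending name="..." value on a form control to its problems. */
function lintTemplate(string $html): array
{
    preg_match_all('/<(?:input|select|textarea|button)\b[^>]*?\sname\s*=\s*"([^"]*)"/i', $html, $matches);
    $report = [];
    foreach ($matches[1] as $rawName) {
        // The browser submits the decoded attribute value, so measure that.
        $fieldName = html_entity_decode($rawName);
        $problems = checkFieldName($fieldName);
        if ($problems) {
            $report[$fieldName] = $problems;
        }
    }
    return $report;
}

// Constructed template: the ticket's two test fields, one long flat name and
// its nested-array replacement (hypothetical names, not FLOW3's real ones).
$template = '<form action="" method="post">'
    . '<input type="text" name="' . str_repeat('a', 65) . '"/>'
    . '<input type="text" name="' . str_repeat('b', 64) . '"/>'
    . '<input type="text" name="Hypothetical_Package_Security_Authentication_Token_UsernamePassword_username"/>'
    . '<input type="text" name="authenticationToken[UsernamePassword][username]"/>'
    . '</form>';

foreach (lintTemplate($template) as $fieldName => $problems) {
    printf("DROPPED %s: %s\n", $fieldName, implode('; ', $problems));
}
```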
