Input fields with a name attribute with more than 64 characters are ignored
(by Fabian Guth)
After hours of digging into the FLOW3 code I realized that it's possibly a
wrong PHP setting. The following test case shows that input fields with long
(more than 64 characters) name attributes are ignored.
I would really appreciate any hints on the bad setting variable!
I searched php.ini and http.conf without success.
    <?php print_r($_POST); ?>
    <form action="" method="post">
      <input type="text" name="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
      <input type="text" name="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"/>
      <input type="submit" value="Submit"/>
    </form>
Renders the following after submit (both fields are filled):
Array ( [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb] => b )
As a workaround I edited the Token
(F3\FLOW3\Security\Authentication\Token\UsernamePassword) to check for a
short array key. I hope there aren't any side effects.
I know that it's better to subclass it with a changed "updateCredentials"
method to preserve the patch at the next release.
As I use the default Linux PHP package, I am afraid it's a very common
#6 Updated by Karsten Dambekalns over 9 years ago
- Status changed from Needs Feedback to Accepted
- Assignee set to Karsten Dambekalns
To me it seems we should avoid such long names.
While it is not a security risk to have long names, Suhosin will continue to be popular and probably won't change its defaults. That being said, the 64-char limit is for a variable name; in the case of arrays that does not include the indices (the limit for the complete thing is 256). Thus it should be relatively easy to stay below that limit.
#7 Updated by Karsten Dambekalns over 9 years ago
- Category changed from MVC to Security
One way for this (special) case of the authentication data: use a nested array instead of the long name. Equally unique and since we circumvent MVC argument handling in this case anyway, we can do this without side effects.
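An illustration of the nested-array approach from comments #6 and #7 (added example, not code from FLOW3 or from the thread's authors): it checks a field name against the two limits quoted above and shows how PHP delivers a nested name as a nested array. The limit values and the field names are assumptions, not Flow's real ones.

```php
<?php
// Added example, not FLOW3 code. Assumed Suhosin defaults, as quoted in the
// thread: 64 chars for the variable name proper (the part before the first
// '['), 256 chars for the complete name including array indices.
const VARNAME_MAX = 64;
const TOTALNAME_MAX = 256;

// Returns whether a form field name would pass both limits.
function fieldNameAccepted(string $name): bool
{
    $bracket = strpos($name, '[');
    $base = $bracket === false ? $name : substr($name, 0, $bracket);
    return strlen($base) <= VARNAME_MAX && strlen($name) <= TOTALNAME_MAX;
}

// Builds prefix[seg1][seg2]...[field] so only $prefix counts as the name.
function nestedFieldName(string $prefix, array $segments, string $field): string
{
    $name = $prefix;
    foreach (array_merge($segments, [$field]) as $segment) {
        $name .= '[' . $segment . ']';
    }
    return $name;
}

// Constructed names for illustration (not the real FLOW3 field names).
$flat = 'F3_FLOW3_Security_Authentication_Token_UsernamePassword_username_field';
$segments = ['FLOW3', 'Security', 'Authentication', 'Token', 'UsernamePassword'];
$nested = nestedFieldName('F3', $segments, 'username');

printf("flat   (%d chars): %s\n", strlen($flat),
    fieldNameAccepted($flat) ? 'accepted' : 'dropped by Suhosin');
printf("nested (%d chars): %s\n", strlen($nested),
    fieldNameAccepted($nested) ? 'accepted' : 'dropped by Suhosin');

// parse_str() applies the same bracket parsing PHP uses when filling $_POST,
// so the nested name arrives as a nested array and stays just as unique.
parse_str($nested . '=alice', $post);
$username = $post['F3']['FLOW3']['Security']['Authentication']
                 ['Token']['UsernamePassword']['username'];
echo "username read from nested array: {$username}\n";
```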