ZF-12094: Critical injection-possibility with InArray-validation (false positive)
Description
The automatic InArray validator when using multioptions is vulnerable to string injection if one of the values in the multioption array is 0. With the code below I would be able to inject any string as a value, because (int)'string' results in 0 and is therefore accepted by in_array.
More info about this issue at PHP.net: http://php.net/manual/en/…
    $this->setOptions(array(
        'method'   => 'post',
        'elements' => array(
            'sex' => array('select', array(
                'label'        => 'Sex',
                'required'     => true,
                'multioptions' => array(
                    ''  => 'Select',
                    0   => 'Male',
                    1   => 'Female',
                ),
            )),
        ),
    ));
Forcing the values in the haystack to strings fixes this issue (Note: forcing them in the multioptions array has no effect, since PHP converts numeric-string array keys back to integers).
    'validators' => array(
        array('InArray', false, array(array((string)0, (string)1)))
    )
Enabling strict checking will not work as the haystack contains integers while the needle from the POST-data is a string.
    'validators' => array(
        array('InArray', false, array(array(0, 1), 'strict'))
    )
As the browser sends back the POST data as strings, I would recommend altering Zend_Validate_InArray::isValid() to force the haystack values to be strings.
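The three checks described in this report can be reproduced with plain in_array() outside the form class. The script below is an added example, not code from this ticket or from Zend Framework; the haystack mirrors the keys that the multioptions above produce, and the submitted value is a constructed stand-in for a POST field. It also shows one case the string-cast fix alone still lets through (a numeric string such as '00', which loose comparison treats as equal to '0'), and why combining the string cast with strict mode closes it. Note that on PHP 8.0 and later a non-numeric string no longer compares equal to integer 0, so the original false positive does not occur there, but the numeric-string case still does.

```php
<?php
// Added example (not from the ticket or from Zend Framework): reproduces the
// InArray false positive with plain in_array() and contrasts the three fixes.

// Haystack as Zend_Form_Element_Multi derives it from the multioptions keys:
// '' stays a string key, while 0 and 1 become integer keys.
$haystack = array('', 0, 1);

// Constructed stand-in for a submitted field; browsers always send POST data as strings.
$submittedBogus = 'anything';   // not one of the options at all
$submittedMale  = '0';          // a legitimate selection of "Male"
$submittedOdd   = '00';         // numerically equal to 0 but not an option key

function report($label, $accepted)
{
    // Small helper so every check prints the same way.
    printf("%-55s %s\n", $label, $accepted ? 'ACCEPTED' : 'rejected');
}

echo "PHP " . PHP_VERSION . "\n\n";

// 1. Loose in_array() with an integer haystack (the reported behaviour):
//    on PHP 5.x/7.x a non-numeric string is cast to 0 for the comparison,
//    so the bogus value passes validation.
report("loose, int haystack, 'anything'", in_array($submittedBogus, $haystack));
report("loose, int haystack, '0'",        in_array($submittedMale,  $haystack));

// 2. Strict in_array() with an integer haystack (the 'strict' option the
//    reporter tried): type must match, so the string '0' from the browser
//    no longer matches integer 0 and a legitimate choice is rejected.
report("strict, int haystack, 'anything'", in_array($submittedBogus, $haystack, true));
report("strict, int haystack, '0'",        in_array($submittedMale,  $haystack, true));

// 3. Haystack cast to strings (the reporter's working fix): the bogus value
//    is rejected and '0' is accepted. Loose comparison still compares two
//    numeric strings as numbers, so '00' is accepted as well.
$stringHaystack = array_map('strval', $haystack);
report("loose, string haystack, 'anything'", in_array($submittedBogus, $stringHaystack));
report("loose, string haystack, '0'",        in_array($submittedMale,  $stringHaystack));
report("loose, string haystack, '00'",       in_array($submittedOdd,   $stringHaystack));

// 4. String haystack plus strict comparison: only the exact option keys pass.
report("strict, string haystack, 'anything'", in_array($submittedBogus, $stringHaystack, true));
report("strict, string haystack, '0'",        in_array($submittedMale,  $stringHaystack, true));
report("strict, string haystack, '00'",       in_array($submittedOdd,   $stringHaystack, true));
```

Run it with `php` on the command line; the first block of output reproduces the false positive on a PHP 5 or 7 interpreter, and the last block is the combination a validator should use when both the haystack and the submitted value are known to be strings.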
Comments
Posted by Adam Lundrigan (adamlundrigan) on 2012-06-05T02:16:03.000+0000
Same type of bug as reported in ZF-11812, different location.
What is the best course of action here? Should we modify the InArray validator in the method specified?
Posted by Rob Allen (rob) on 2012-06-13T20:41:26.000+0000
After 1.12 as not sure what the implications of this change are.