Issue Type: Bug Created: 2012-03-10T10:05:39.000+0000 Last Updated: 2012-07-20T19:16:41.000+0000 Status: Open Fix version(s): Reporter: Kristofer Karlsson (grizzm0) Assignee: Pádraic Brady (padraic) Tags: - Zend_Form
Related issues: - ZF-11812
The automatic inArray validator when using multioptions is vulnerable to string-injection if one of the values in the multioption array is 0. With the code below I would be able to inject any string as value due to (int)'string' resulting in 0 and therefore is accepted by in_array.
More info about this issue at PHP.net: http://php.net/manual/en/…
<pre class="highlight"> $this->setOptions(array( 'method' => 'post', ), 'elements' => array( 'sex' => array('select', array( 'label' => 'Sex', 'required' => true, 'multioptions' => array( '' => 'Select', 0 => 'Male', 1 => 'Female', ) )) ) )
Forcing the values in the haystack to strings fixes this issue (Note: Forcing them in the multioptions array have no effect).
<pre class="highlight"> 'validators' => array( array('InArray', false, array(array((string)0, (string)1))) )
Enabling strict checking will not work as the haystack contains integers while the needle from the POST-data is a string.
<pre class="highlight"> 'validators' => array( array('InArray', false, array(array(0, 1), 'strict')) )
As the browser sends back the POST-data as strings I would recommend to alter Zend_Validate_InArray::isValid() to force the haystack values to be strings.
Posted by Adam Lundrigan (adamlundrigan) on 2012-06-05T02:16:03.000+0000
Same type of bug as reported in ZF-11812, different location.
What is the best course of action here? Should we modify the InArray validator in the method specified?
Posted by Rob Allen (rob) on 2012-06-13T20:41:26.000+0000
After 1.12 as not sure what the implications of this change are.
Have you found an issue?
See the Overview section for more details.