ZF-12094: Critical injection-possibility with InArray-validation (false positive)

Issue Type: Bug Created: 2012-03-10T10:05:39.000+0000 Last Updated: 2012-07-20T19:16:41.000+0000 Status: Open Fix version(s): Reporter: Kristofer Karlsson (grizzm0) Assignee: Pádraic Brady (padraic) Tags: - Zend_Form

  • Zend_Validate
  • After1.12.0
  • zf-crteam-review

Related issues: - ZF-11812



The automatic inArray validator when using multioptions is vulnerable to string-injection if one of the values in the multioption array is 0. With the code below I would be able to inject any string as value due to (int)'string' resulting in 0 and therefore is accepted by in_array.

More info about this issue at…

<pre class="highlight">
            'method'  => 'post',
            'elements'    => array(
                'sex' => array('select', array(
                    'label'         => 'Sex',
                    'required'      => true,
                    'multioptions'   => array(
                        ''              => 'Select',
                        0               => 'Male',
                        1               => 'Female',

Forcing the values in the haystack to strings fixes this issue (Note: Forcing them in the multioptions array have no effect).

<pre class="highlight">
                    'validators' => array(
                        array('InArray', false, array(array((string)0, (string)1)))

Enabling strict checking will not work as the haystack contains integers while the needle from the POST-data is a string.

<pre class="highlight">
                    'validators' => array(
                        array('InArray', false, array(array(0, 1), 'strict'))

As the browser sends back the POST-data as strings I would recommend to alter Zend_Validate_InArray::isValid() to force the haystack values to be strings.


Posted by Adam Lundrigan (adamlundrigan) on 2012-06-05T02:16:03.000+0000

Same type of bug as reported in ZF-11812, different location.

What is the best course of action here? Should we modify the InArray validator in the method specified?

Posted by Rob Allen (rob) on 2012-06-13T20:41:26.000+0000

After 1.12 as not sure what the implications of this change are.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.