A simple invalid 2 octet sequence can cause an exception (which then … #29
Conversation
…causes your server to 500), the behavior was detected when working with Zend Form. A change is necessary to prevent routine penetration tests, or user-land attacks from causing critical exceptions. Users shouldn't be able to craft malicious input that causes 500s.
| @@ -6,7 +6,8 @@ All notable changes to this project will be documented in this file, in reverse | |||
|
|
|||
| ### Added | |||
|
|
|||
| - Nothing. | |||
| - Default behavior changed when malformed is pushed into toUtf8. Rather than dumping the bad string in an exception (dangerous behavior), it will return a blank string. | |||
There was a problem hiding this comment.
This is not dangerous behavior: it is documented and expected behavior.
Passing around an empty string when an invalid value to escape is passed in can cause much more serious issues.
| @@ -6,7 +6,8 @@ All notable changes to this project will be documented in this file, in reverse | |||
|
|
|||
| ### Added | |||
|
|
|||
| - Nothing. | |||
| - Default behavior changed when malformed is pushed into toUtf8. Rather than dumping the bad string in an exception (dangerous behavior), it will return a blank string. | |||
| - Boolean 'debug' parameter added as second constructor argument, that preserves the old behavior when set to true. | |||
There was a problem hiding this comment.
No, please remove this. If you want to run an escaper in debug mode, subclass the Escaper and implement something like:
class DebugEscaper extends \Zend\Escaper\Escaper
{
public function escapeHtml($toEscape) { return 'ESCAPED-HTML-START' . $toEscape . 'ESCAPED-HTML-END'; }
}|
@Ocramius For context, please see the related issue in zend-form: I asked @Saeven to open the issue here, because it is applicable, and there's a generalized issue in The fix is needed; the question is whether the approach here is correct, or needs revisions. |
|
@weierophinney we will bring the issue offline first and discuss it. The original issue is clear, the fix is not valid though, and the default behavior is correct, while this particular patch would only provide a new attack surface. Invalid values do need to crash systems by default, as otherwise:
|
|
@Ocramius Just now catching up on the Slack discussion and zend-form discussion; I reacted hastily. |
A change is necessary to prevent routine penetration tests, or user-land attacks from causing critical exceptions. Users shouldn't be able to craft malicious input that causes 500s when using components such as Zend Form.
Did my best to eyeball formatting conventions, phpcs is in a panic with the given config.
Debug added as second arg to ctor; but could separately be moved into (or complemented by) a setDebug method.