I am trying to make a backend with Zend, I was wondering if there is any way to make it more secure, any special framework to use? I read I could use :Is there something like Acegi for PHP?
how secure is this? I have used spring security before, and it always worked great, is there something similar to work on zend? are those options ok?
I also checked magento, and for example, urls are like this
index/key/8555b140ead18e6c004037e5c82d6478/
that is the url if I want to enter to the catalogo, and so on, they only change the key instead change the url for a controller name, that key is a route for security reasons? or is dynamically created by the framework? (as far as I know , they use Zend).
Thanks.
That key is generated depending on the route you are accessing and a random string that changes each time the session is restarted.
So for each login you get a different session key.
The downside of this approach is that you can't give to someone else an admin url and tell him "Hey! look here", because they session key is different.
If you want to check how this feature is implemented, take a look at the following code in Mage_Adminhtml_Model_Url::getUrl():
$_route = $this->getRouteName() ? $this->getRouteName() : '*';
$_controller = $this->getControllerName() ? $this->getControllerName() : $this->getDefaultControllerName();
$_action = $this->getActionName() ? $this->getActionName() : $this->getDefaultActionName();
if ($cacheSecretKey) {
$secret = array(self::SECRET_KEY_PARAM_NAME => "\${$_controller}/{$_action}\$");
}
else {
$secret = array(self::SECRET_KEY_PARAM_NAME => $this->getSecretKey($_controller, $_action));
}
This is the code that generates the secret key. Going deeper in getSecretKey method you will see:
public function getSecretKey($controller = null, $action = null)
{
$salt = Mage::getSingleton('core/session')->getFormKey();
$p = explode('/', trim($this->getRequest()->getOriginalPathInfo(), '/'));
if (!$controller) {
$controller = !empty($p[1]) ? $p[1] : $this->getRequest()->getControllerName();
}
if (!$action) {
$action = !empty($p[2]) ? $p[2] : $this->getRequest()->getActionName();
}
$secret = $controller . $action . $salt;
return Mage::helper('core')->getHash($secret);
}
So the secret key is a hash build from the controller name, the action name and a $salt generated this way Mage::getSingleton('core/session')->getFormKey();
The getFormKey method looks like this (one value per session):
public function getFormKey()
{
if (!$this->getData('_form_key')) {
$this->setData('_form_key', Mage::helper('core')->getRandomString(16));
}
return $this->getData('_form_key');
}
Related
I have been working around Bit-Wasp/bitcoin-php library for a while now and I encountered problems with it that I cannot resolve.
I have this as my code:
public function bitcoinWalletFromPublicKey($key, $index) {
$adapter = Bitcoin::getEcAdapter();
if (config('market.btc_network') == "mainnet") {
$btc = NetworkFactory::bitcoin();
$bitcoinPrefixes = new BitcoinRegistry();
} else {
$btc = NetworkFactory::bitcoinTestnet();
$bitcoinPrefixes = new BitcoinTestnetRegistry();
}
$slip132 = new Slip132(new KeyToScriptHelper($adapter));
$pubkeytype=substr($key, 0, 4);
if ($pubkeytype=='xpub' || $pubkeytype =='tpub') $pubPrefix = $slip132->p2pkh($bitcoinPrefixes);
if ($pubkeytype=='ypub') $pubPrefix = $slip132->p2shP2wpkh($bitcoinPrefixes);
if ($pubkeytype=='zpub' || $pubkeytype =='vpub') $pubPrefix = $slip132->p2wpkh($bitcoinPrefixes);
$config = new GlobalPrefixConfig([
new NetworkConfig($btc, [$pubPrefix])
]);
$serializer = new Base58ExtendedKeySerializer(
new ExtendedKeySerializer($adapter, $config)
);
$path = '0/' . $index;
$fkey = $serializer->parse($btc, $key);
$child_key = $fkey->derivePath($path);
#$account0Key = $child_key->derivePath("84'/0'/0'");
#$child_key = $fkey->derivePath("0/1");
//dd($child_key->getAddress(new AddressCreator())->getAddress());
return $child_key->getAddress(new AddressCreator())->getAddress();
}
I have two problems with this code:
Problem #1
On the first few lines of the code you will see that I used an If statement to check what network should it use. On my test im using testnet network and I'm sure as well that the code on my If / else { # code } works and it uses NetworkFactory::bitcoinTestnet() and new BitcoinTestnetRegistry() properly;
$key variable represents the Master Public Key of my user from Electrum wallet or whatever with a format of (xpub#########################/vpub#########################) or in my case since its on testnet it uses tpub######################### format. However, it returns an address with a format of bc#########, this means that its passing on mainnet network wherein it should be on testnet network.
Problem #2
On lower part of my code, I'm using $fkey = $serializer->parse($btc, $key); and $child_key = $fkey->derivePath($path) wherein $path = '0/' $index. $index here are just random numbers. It can be 0/1 or 0/99 or whatever 0/random.
Problem here is that somehow related to Problem #1, after it generates the wrong address, when I try to use this address for transaction my rpc returns an invalid address Error. As you can see as well I have a commented code $account0Key = $child_key->derivePath("84'/0'/0'"); wherein i got an error that it needs a private key instead of a public one. Now, my concern is that I do not want the users of the system i'm making to put their private keys whatsoever as it will might just compromise their wallets.
Basically, What I want to achieve using with this library from BitWasp is when a user put in their master public key from their wallet, my system would be able to then generate an address to be used for a btc transaction. Please help.
Passing the network inside the getAddress() method works
return $child_key->getAddress(new AddressCreator())->getAddress($btc);
I'm experimenting with php mvc and I'm stucked with the following issue. My request and router classes are really simple and I would like to extend theme to can handle controller calls from sub folders and to controller classes functions should be able to pick up url variables send it threw get and post.
my router looks as it follows
class Router{
public static function route(Request $request){
$controller = $request->getController().'Controller';
$method = $request->getMethod();
$args = $request->getArgs();
$controllerFile = __SITE_PATH.'/controllers/'.$controller.'.php';
if(is_readable($controllerFile)){
require_once $controllerFile;
$controller = new $controller;
if(!empty($args)){
call_user_func_array(array($controller,$method),$args);
}else{
call_user_func(array($controller,$method));
}
return;
}
throw new Exception('404 - '.$request->getController().'--Controller not found');
}
}
and Request class
private $_controller;
private $_method;
private $_args;
public function __construct(){
$parts = explode('/',$_SERVER['REQUEST_URI']);
$this->_controller = ($c = array_shift($parts))? $c: 'index';
$this->_method = ($c = array_shift($parts))? $c: 'index';
$this->_args = (isset($parts[0])) ? $parts : array();
}
public function getController(){
return $this->_controller;
}
public function getMethod(){
return $this->_method;
}
public function getArgs(){
return $this->_args;
}
}
The problem is:when I try to send threw ajax, variables to a controller method this are not recognized because of its url structure.
For example
index/ajax?mod_title=shop+marks&domain=example
is accepted just if it look
index/ajax/shop+mark/example
Your code contains what is known as an LFI vulnerability and is dangerous in its current state.
You should whitelist your what can be used as your $controller, as otherwise an attacker could try to specify something using NUL bytes and possibly going up a directory to include files that SHOULD NOT be ever included, such as /etc/passwd, a config file, whatever.
Your router is not safe for use; beware!
edit: example on whitelisting
$safe = array(
'ajax',
'somecontroller',
'foo',
'bar',
);
if(!in_array($this->_controller, $safe))
{
throw new Exception(); // replace me with your own error 404 stuff
}
Since your Request class uses a URI segments approach for identifying controller, action and arguments, global variables such as $_GET or $_REQUEST are not taken into account from within your Request.
What you need to do is to make some additions to your Request code. Specifically:
Remove the line:
$this->_args = (isset($parts[0])) ? $parts : array();
And add the following:
$all_parts = (isset($parts[0])) ? $parts : array();
$all_parts['get'] = $_GET;
$this->_args = $all_parts;
This way, $_GET (ie variables passed via the url) variables will be available in the actions called, as they will be in $args (they will be available as $args['get'] actually, which is the array that holds the $_GET vars, so you will be able to have access to domain=example by using $args['get']['domain']).
Ofcourse, you can add one more method in your Request class (e.g. query) that might look like that:
public function query($var = null)
{
if ($var === null)
{
return $_GET;
}
if ( ! isset($_GET[$var]) )
{
return FALSE;
}
return $_GET[$var];
}
This way, you can get a single variable from the url (e.g. $request->query('domain')) or the whole $_GET array ($request->query()).
That's because php will put "?mod_title=..." in the $_GET array automatically. Your getArgs() function should check for $_GET, $_POST or $_REQUEST.
If you're trying for a minimal MVC approach, have a look at rasmus' example: http://toys.lerdorf.com/archives/38-The-no-framework-PHP-MVC-framework.html
If your use case is going to get more complex, have a look at how Zend (http://framework.zend.com/manual/en/zend.controller.html) or Symfony (https://github.com/symfony/symfony/tree/master/src/Symfony/Component/Routing) do their stuff.
Choose any popular MVC to see how they implement it under the hood. In addition, spl_autoload_register and namespace are your friends.
In symfony, is there a method that I can use which does a reverse lookup on my routes to determine the module and action a URL points to?
Say, something like:
get_module("http://host/cars/list"); // ("cars")
get_action("http://host/frontend_dev.php/cars/list"); // ("list")
Bear in mind, I don't want to perform simple string-hacking to do this as there may be mappings that are not quite so obvious:
get_module("/"); // (What this returns is entirely dependent on the configured routes.)
Thanks!
Use the sfRouting class to match URLs. This is part of the sfContext object. Your code (in an action) would look like this:
public function executeSomeAction(sfWebRequest $request)
{
if($params = $this->getContext()->getRouting()->parse('/blog'))
{
$module = $params['module']; // blog
$action = $params['action']; // index
$route = $params['_sf_route'] // routing instance (for fun)
}
else
{
// your URL did not match
}
}
I want to build an url with hashtag on codeigniter. Example:
"http://www.example.com/blog/post/title.html#comments"
The url_config in my config.php is this:
$config['url_suffix'] = ".html";
And I used the following code to build the anchor:
anchor('blog/post/'.url_title($post->title, 'dash', TRUE).'#comments', 'comments', 'title="'.$post->title.'"');
If you know any solution please let me know it. Thanks
How about this?
anchor(site_url('blog/post/'.$post->title)."#comments");
It returns an url like this: http://example.org/blog/post/stackoverflowRocks.html#comments
If you want to use hash tags without having to pass 'site_url()' to the anchor method you can extend the CodeIgniter Config library class fairly easily.
The CodeIgniter Config library class has a method called site_url that runs when you use the anchor method. site_url, by default, adds the url_suffix after any uri you pass to it without any care or knowledge of hash tags. Fortunately, you can simply extend the Config library class to modify site_url to check for hash tags and add them to the end of the URI after the url_suffix is added.
If you feel so compelled, copy the code below and save it under '/system/application/libraries/MY_Config.php'. You may have to open up '/system/application/config/autoload.php' and add 'My_Config.php' to the autoload library array.
<?php
class MY_Config extends CI_Config {
function site_url($uri = '')
{
if (is_array($uri))
{
$uri = implode('/', $uri);
}
if ($uri == '')
{
return $this->slash_item('base_url').$this->item('index_page');
}
else
{
$suffix = ($this->item('url_suffix') == FALSE) ? '' : $this->item('url_suffix');
$hash = '';
if(substr_count($uri,'#') == 1)
{
list($uri,$hash) = explode('#',$uri);
$hash = '#'.$hash;
}
return $this->slash_item('base_url').$this->slash_item('index_page').trim($uri, '/').$suffix.$hash;
}
}
}
?>
The new site_url method sets $hash to an empty string. If a hash tag is found in the link you pass in, the link is split into an array and passed into variables. site_url will now return the link with the hash tag appended at the end (if hash code is present) after the url_suffix.
What I'd like to do is take the route for the current action along with any and all of the route and query string parameters, and change a single query string parameter to something else. If the parameter is set in the current request, I'd like it replaced. If not, I'd like it added. Is there a helper for something like this, or do I need to write my own?
Thanks!
[edit:] Man, I was unclear on what I actually want to do. I want to generate the URL for "this page", but change one of the variables. Imagine the page I'm on is a search results page that says "no results, but try one of these", followed by a bunch of links. The links would contain all the search parameters, except the one I would change per-link.
Edit:
Ok I got a better idea now what you want. I don't know whether it is the best way but you could try this (in the view):
url_for('foo',
array_merge($sf_request->getParameterHolder()->getAll(),
array('bar' => 'barz'))
)
If you use this very often I suggest to create your own helper that works like a wrapper for url_for.
Or if you only want a subset of the request parameters, do this:
url_for('foo',
array_merge($sf_request->extractParameters(array('parameter1', 'parameter3')),
array('bar' => 'barz'))
)
(I formated the code this way for better readability)
Original Answer:
I don't know where you want to change a parameter (in the controller?), but if you have access to the current sfRequest object, this should do it:
$request->setParameter('key', 'value')
You can obtain the request object by either defining your action this way:
public function executeIndex($request) {
// ...
}
or this
public function executeIndex() {
$request = $this->getRequest();
}
For symfony 1.4 I used:
$current_uri = sfContext::getInstance()->getRouting()->getCurrentInternalUri();
$uri_params = $sf_request->getParameterHolder()->getAll();
$url = url_for($current_uri.'?'.http_build_query(array_merge($uri_params, array('page' => $page))));
echo link_to($page, $url);
Felix's suggestion is good, however, it'd require you to hard core the "current route"..
You can get the name of the current route by using:
sfRouting::getInstance()->getCurrentRouteName()
and you can plug that directly in url_for, like so:
url_for(sfRouting::getInstance()->getCurrentRouteName(),
array_merge($sf_request->extractParameters(array('parameter1', 'parameter3')),
array('bar' => 'barz'))
)
Hope that helps.
With the same concept than Erq, and thanks to his code, I have made the same with some small changes, since my URL needs to convert some characters. Its generic though and should work with most forms, in order to save the parameters the user has chosen to search for.
public function executeSaveFormQuery(sfWebRequest $request)
{
$sURLServer = "http://";
$sURLInternalUri = "";
$page = "";
$sURLInternalUri = sfContext::getInstance()->getRouting()->getCurrentInternalUri();
$suri_params = $request->getParameterHolder()->getAll();
$sParams = http_build_query(array_merge($suri_params));
$dpos = strpos($sURLInternalUri, "?");
$sURLConsulta[$dpos] = '/';
$sURL = substr($sURLInternalUri, $dpos);
$dpos = strpos($sURL, "=");
$sURL[$dpos] = '/';
$sURLFinal = $sURLServer . $sURL . '?' . $sParams;
//$this->redirect($this->module_name . '/new');
self::executeNew($request, $sURLFinal);
//echo "var_dump(sURLFinal): ";
//var_dump($sURLFinal);
//echo "<br></br>";
//return sfView::NONE;
}
In executeNew, as easy as:
public function executeNew(sfWebRequest $request, $sURLQuery)
{
//$sURLQuery= "http://";
if ($sURLQuery!= "")
{
$this->form = new sfGuardQueryForm();
//echo "var_dump(sURLQuery)";
//var_dump($sURLQuery);
//echo "<br></br>";
$this->form->setDefault('surl', $sURLQuery);
}
else
{
$this->form = new sfGuardQueryForm();
}
}
echo $sf_context->getRequest()->getUri();