Start In Your Zoop App Folder
All of the GuiControls are in the Zoop folder under GuiControls. When I make new controls I make a copy of an existing control then modify accordingly.
Open your Zoop folder
Open the GuiControls folder
Find the filename of a control you would like to use as a base (if I wanted to make my own text control I would copy the text.php file)
Done but
I know I can do this and have already done it.
I need validation on that field. I need the image file, when supplied, to conform to conditions for being valid.
How can I accomplish this?
To my mind the validation should be accomplished with Zoop validation routines. Or not?
Thanks anyway, those were the first things I did.
And, the major problem on
And, the major problem with validation is: after setParam( 'validate' , array...
the Post method doesn't see the validate property stored in the session.
Where is the code responsible for storing the validate parameter?
I found that may be my typo.
I found that it may be my typo. But I supposed the params of the form were being kept in $_SESSION? It's the craziest approach to hold them gzipped and base64_encoded in the form code attached to every form input. At least I think it allows an attacker to violate/bypass the validation on the server side, since the validate array is the subject being submitted with the GuiControl'ed form.
I'd appreciate any thoughts about whether this is a security vulnerability and how I should prevent it.
silliness
yes, putting them there is purest silliness. I don't know what I was thinking. I was probably trying to avoid polluting the session. The silliest part is that it is sometimes kept in the session, and sometimes in hidden form elements.
In particular, lines 56-60 of zoop/guicontrol/guicontrol_component.php need to do something different.
Current:

    if(isset($post['controls'])) {
        $GLOBALS['controlData'] = $post["controls"];
        UnsetPost('controls');
    }

Needs to be like:

    if(isset($post['controls'])) {
        $GLOBALS['controlData'] = $post["controls"];
        // merge in the view state that renderViewState() parked in the session
        if(isset($_SESSION['controlViewState']['controls'])) {
            $GLOBALS['controlData'] = array_merge_recursive($GLOBALS['controlData'], $_SESSION['controlViewState']['controls']);
        }
        UnsetPost('controls');
        unset($_SESSION['controlViewState']);
    }

And then line 408 of zoop/guicontrol/GuiControls/GuiControl.php, function renderViewState(), needs some changes:
currently:

    function renderViewState() {
        $viewState = $this->encode($this->getViewState());
        $name = $this->getName();
        $html = "<input type=\"hidden\" name=\"{$name}[viewState]\" value=\"$viewState\">";
        return $html;
    }

should be:

    function renderViewState() {
        $viewState = $this->getViewState();
        $type = get_class($this);
        // keep the view state server-side instead of in a hidden field
        if(!isset($this->parent))
            $_SESSION['controlViewState']['controls'][$type][$this->name] = $viewState;
        else
            $_SESSION['controlViewState']['controls'][get_class($this->parent)][$this->parent->name]['controls'][$type][$this->name] = $viewState;
        $html = "";
        return $html;
    }

These changes need significant testing, and so may not be released immediately.
It's unlikely that there are any attackers out there who know to use this vector for attack, and bypassing guicontrol validation should not be a high security risk, since guicontrol validation is not useful for negating SQL injection attacks anyway. Am I wrong?
Thanks for keeping those eyes open!
I was wondering about the same thing
I was wondering about the same thing. I thought it used to be stored in the session?
If you want to avoid storing things in the session (size constraints, mebbe?), you could store a hash of them in the session and still store the actual validation params in hidden fields. I would think it best to keep the validation info to yourself, though, rather than (potentially) exposing it to the user.
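The "hash in the session" variant from the reply above, written out as an added example that is not Zoop's code or any poster's: the validation params still travel in the hidden viewState field, but a SHA-256 of the field is kept server-side and compared on POST, so an edited viewState (and the validate array inside it) is rejected. Function names, session keys and the gzip + base64 + JSON packing are assumptions; session_start() (or a plain $_SESSION array, as in the demo) is expected before use.

```php
<?php
// Added example, not Zoop's own code. Function and session key names are
// assumptions. Run after session_start(), or with a plain $_SESSION array.

function encodeViewState(array $viewState): string {
    // Same gzip + base64 packing the thread describes, but JSON rather than
    // serialize() so the client can never hand us an unserialize() payload.
    return base64_encode(gzcompress(json_encode($viewState)));
}

function decodeViewState(string $encoded): ?array {
    $raw = base64_decode($encoded, true);
    if ($raw === false) return null;
    $json = @gzuncompress($raw);
    if ($json === false) return null;
    $viewState = json_decode($json, true);
    return is_array($viewState) ? $viewState : null;
}

// Render phase: emit the hidden field and remember its hash server-side.
function renderViewStateField(string $name, array $viewState): string {
    $encoded = encodeViewState($viewState);
    $_SESSION['controlViewStateHash'][$name] = hash('sha256', $encoded);
    return '<input type="hidden" name="' . htmlspecialchars($name)
         . '[viewState]" value="' . htmlspecialchars($encoded) . '">';
}

// Post phase: accept the field only if it matches the stored hash; the hash
// is consumed so a captured field cannot be replayed into a later request.
function loadViewStateFromPost(string $name, array $post): ?array {
    $expected = $_SESSION['controlViewStateHash'][$name] ?? null;
    unset($_SESSION['controlViewStateHash'][$name]);
    $encoded = $post[$name]['viewState'] ?? null;
    if ($expected === null || !is_string($encoded)) return null;
    if (!hash_equals($expected, hash('sha256', $encoded))) return null;
    return decodeViewState($encoded);
}

// Constructed demo: the untouched field round-trips, an edited one is refused.
$_SESSION = [];
$state = ['validate' => ['required' => true, 'maxSize' => 1048576]];
$html = renderViewStateField('upload', $state);
preg_match('/value="([^"]+)"/', $html, $m);          // base64 has no entities
$good = loadViewStateFromPost('upload', ['upload' => ['viewState' => $m[1]]]);
renderViewStateField('upload', $state);
$edited = encodeViewState(['validate' => []]);        // rules stripped client-side
$bad = loadViewStateFromPost('upload', ['upload' => ['viewState' => $edited]]);
var_dump($good === $state, $bad === null);
```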