CakePHP Digest #6
Preface
My wife read this blog for the first time in awhile and said I was too negative. Plus, I feel bad when I make a joke about someone/some site/some project then the person emails me and they're really cool. So for this post I will not make any degrading comments. Call it "CakePHP Digest #6 - The Sunny Happy Edition."
News
There is a new release of CakePHP (1.2.1.8004) and it fixes a huge security flaw. Unfortunately the notice posted on the Google Group slightly undersells just how bad this is, in my opinion. Gwoo writes "Essentially, an attacker may be able to obtain credentials as the first user of the system." It's actually worse than that - the attacker can get access to ANY user, they just need to pick the user id. Here's how:
If you want to follow along with Xdebug put a break in /cake/libs/controllers/components/auth.php at the start of the identify method (line 732 in RC3).
Open up the login page of your app. Use Firebug to edit the HTML (or save it locally) so that the input name of the username field is something different. For example, if the input is named data[User][username], change it to data[User][notusername]. In the password field put the id of the user you want to log in as, for example 1. If your users table has an auto-increment id field then it's pretty easy to guess different ids. Submit the form.
With Xdebug you can see that the $user parameter that is passed to the identify method is array('User.username' => null, 'User.password' => 1). This may be slightly different depending on your field names. The main if statement in identify (line 754) will fail on isset($user[$this->fields['username']]) and you'll be dropped into the else if on line 780. Auth will then try to verify the user with this query:
SELECT `User`.`id`, `User`.`username`, `User`.`password`, `User`.`created`, `User`.`modified` FROM `users` AS `User` WHERE `User`.`id` IN (NULL, 1) LIMIT 1
The 1 in "(NULL, 1)" comes from the value you passed in the password field. An attacker could try various other ids randomly and probably won't have much trouble getting into accounts.
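To make the failure mode concrete from the defender's side, here is an added example (mine, not CakePHP's code and not from the original post) that models the identify() dispatch described above in about a dozen lines, beside a fail-closed version of the same routine. The in-memory user table, the findFirst() stand-in for Model::find(), the field mapping, the salt and the hash function are all constructed for this example; it assumes PHP 7.1 or later. The point to check is the last line of output: the hardened routine rejects a post whose username input was renamed and whose password field carries a numeric id, while the flawed shape turns that post into the IN (NULL, 1) lookup and returns user 1.

```php
<?php
// Added example, not CakePHP's own code: a reduced model of the Auth
// identify() behaviour described in the digest, beside a fail-closed version.
// The in-memory user table, the findFirst() stand-in for Model::find(),
// the field mapping and the salted hash are all constructed for this
// example. Requires PHP 7.1 or later.

const ASSUMED_SALT = 'example-salt'; // constructed, not a real app secret

function hashPassword(string $plain): string {
    return hash('sha256', ASSUMED_SALT . $plain);
}

// Constructed stand-in for the `users` table.
$USERS = [
    ['id' => 1, 'username' => 'admin', 'password' => hashPassword('correct horse')],
    ['id' => 2, 'username' => 'alice', 'password' => hashPassword('battery staple')],
];

// Stand-in for Model::find('first', ['conditions' => ...]): a scalar value
// is an equality test, an array is an IN (...) list, both compared loosely
// the way the SQL in the post does.
function findFirst(array $conditions): ?array {
    global $USERS;
    foreach ($USERS as $row) {
        foreach ($conditions as $column => $wanted) {
            $actual = $row[$column] ?? null;
            $ok = is_array($wanted) ? in_array($actual, $wanted) : $actual == $wanted;
            if (!$ok) {
                continue 2;
            }
        }
        return $row;
    }
    return null;
}

// The component maps request data onto the configured field names; a form
// whose username input was renamed arrives with a null username.
function mapFields(array $formData): array {
    return [
        'username' => $formData['username'] ?? null,
        'password' => $formData['password'] ?? null,
    ];
}

// Flawed shape (modelled, not CakePHP's code): when the username key is not
// set, control falls through to a branch that turns the submitted values
// into a primary-key lookup, producing the IN (NULL, 1) query from the post.
function identifyVulnerable(array $posted): ?array {
    if (isset($posted['username']) && !empty($posted['password'])) {
        return findFirst([
            'username' => $posted['username'],
            'password' => hashPassword($posted['password']),
        ]);
    }
    return findFirst(['id' => array_values($posted)]);
}

// Fail-closed shape: both credentials must be present, non-empty strings;
// the only lookup key ever taken from the request is the username, and the
// password is compared in constant time against the stored hash.
function identifyHardened(array $posted): ?array {
    $username = $posted['username'] ?? null;
    $password = $posted['password'] ?? null;
    if (!is_string($username) || $username === '' ||
        !is_string($password) || $password === '') {
        return null;
    }
    $user = findFirst(['username' => $username]);
    if ($user === null || !hash_equals($user['password'], hashPassword($password))) {
        return null;
    }
    return $user;
}

// Constructed requests: a normal login, and the malformed post described in
// the digest (username input renamed, a numeric id in the password field).
$normalLogin  = mapFields(['username' => 'alice', 'password' => 'battery staple']);
$renamedField = mapFields(['notusername' => 'whatever', 'password' => '1']);

foreach (['vulnerable' => 'identifyVulnerable', 'hardened' => 'identifyHardened'] as $label => $fn) {
    $a = $fn($normalLogin);
    $b = $fn($renamedField);
    printf("%-10s normal login -> %s, renamed-field post -> %s\n",
        $label,
        $a ? "user {$a['id']} ({$a['username']})" : 'rejected',
        $b ? "user {$b['id']} ({$b['username']})" : 'rejected');
}
```

The design choice worth copying is that identifyHardened() has exactly one lookup path and no fallback derived from request data: if the expected fields are not both present as non-empty strings, it returns null rather than trying to be helpful. A login form that reaches the database with a NULL username, or with anything other than the username as a lookup key, is the condition to alert on in your own Auth customisations.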
Not a great start for this Sunny Happy Edition, but at least I refrained from making any snappy comments like "CakePHP: it's not just the framework that's open™."
We'll take a brief intermission while everyone goes and updates their apps. Welcome to intermission...Yeah intermission...Ahhh...Ahhh......ok...Yeah Yeah Yeah Yeah Yeah!
Tickets and Commits
For the curious, the fix for the above was changeset 7979.
In The Wild
After a virtual explosion of new Cake apps last digest (there were 2), I got nothing this week, which is a real shame considering I would have only said nice things about your site. Come on people - free publicity! Granted only like 10 people read this blog, but it still does pretty well with Google. Check out some of these search phrases where I rank at or near the top:
hate cakephp
can zend studio produce a crud
zend framework sucks
how is money made
In The Blogs
Not a lot of posts over the last two weeks. What happened to all the CakePHP bloggers? Here's my proposal to spark the CakePHP blogging community: Have the guys over at debuggable.com write a post about how they don't have time to post because they spend their days charging ridiculous rates to do CakePHP work and their nights doing blow off groupies - all thanks to their blog.
Mark Story has a follow up to his Testing CakePHP Controllers The Hard Way, which explains how to use mock objects. Don't be ashamed - I never knew about any of this either. Enjoy Mark's posts while you can. Two or three more and he'll be able to cash in on his CakePHP blogging fame. Then the only way to get in touch with him will be to send snail mail with the address "Mark Story, 1223 Buried Under Five Smoking Hot Models Drive, Canada."
Chris Hartjes published a preview version of the first two chapters of his forthcoming book "Refactoring Legacy Applications Using CakePHP."
Teknoid has a post showing some alternatives to using requestAction. I'd always believed that requestAction was to be avoided at all costs. But after re-reading the requestAction section in The Cookbook my stance has softened. The example used seems like a legitimate case that benefits from using requestAction. Plus, it is stressed that caching is important and if you use array style urls the router is bypassed, improving performance. requestAction, I probably still won't use you, but at least now I won't say bad things about you to my friends.
In The Bakery
Nate takes some time to write about Doing Ad-hoc Joins in Model::find(). So before you revert to writing raw queries, check out the article. Also to avoid having Rafael Bandeira spend $2000 on an airline ticket and showing up at my door, I'll mention his Linkable behavior, which gives you very powerful control over joining tables when retrieving data.
Yusuke Ando took the time to do a legitimate performance comparison between symfony and CakePHP. Cake and symfony end up being virtually identical, although the boost from CakePHP 1.2RC2 to CakePHP 1.2 Final is worth noting. I vow now that this will be the last time I link to a performance comparison. I'm done. Performance comparisons, don't go away mad...just go away.
And on that note don't forget to subscribe to my feed or follow me on twitter.
As always if you think I missed something leave a comment. Or if you do something interesting and want it included in the next digest, send me an email.

7 Comments
Dear Mrs. PseudoCoder,
Please allow your husband to be evil. I assure you, it is a very healthy activity.
Thanks in advance,
dr.H.
However following your steps, I get a
Undefined index: username error.
Did you omit something ?
Try again with debug off.
Unfortunately she doesn't do ridiculous rates, as revealed in #6060 she is a connection-close kind of girl : /.