The request has been black-holed - CakePHP

Problem description

I'm using CakePHP's SecurityComponent. And it's very essential as it saves forms from CSRF attacks. My project has a total of 10-12 forms and this is my first CakePHP project. After enabling SecurityComponent I was in a bit of trouble but could get rid of it after some careful minutes. This is the last form of my project and everything seems correct to me, but the form is still being black-holed :(. Can anybody please tell me the problem? I don't want to disable CSRF checking or SecurityComponent. Here is my view code:

<?php
echo $this->Form->create('Record');
?>
<script type="text/javascript"> var me = new MetroExam(); </script>
<div class="exam_paper">
    <div class="question_box" id="q_b">
        <div class="q_n_a_header">
            <div class="instructions">
                <b>Instructions:</b><br>
                <?=$inst['value_text']; ?>
            </div>
            <div id="timer">Please wait</div>
        </div>
        <div id="q_paper">
           <img id="q" style="display: none;" src="/oes/<?=$exam['path'].'?ts='.time(); ?>">

            <img id="loading_img" src="/oes/img/loading.gif">
        </div>
    </div>
    <div class="ans_box" id="a_b">
        <!-- information about answer paper. !important -->
        <?php
        $i = 0;

        //these fields are essential for evaluating ans paper
        echo $this->Form->hidden('submit', array('value' => 'true'));
        echo $this->Form->hidden('start_time', array('value' => ''));
        echo $this->Form->hidden('end_time', array('value' => ''));
        echo $this->Form->hidden('duration', array('value' => ''));
        echo $this->Form->hidden('valid', array('value' => ''));
        echo $this->Form->hidden('passed', array('value' => ''));

        //options for all radio
        $options     = array(
            '1' => 'A',
            '2' => 'B',
            '3' => 'C',
            '4' => 'D'
        );
        if($exam['choices'] == 5){
            $options['5'] = 'None';
        }

        $questions = (int)$exam['questions']; // 40 <= $exam['questions'] <= 100
        $i = 1;
        while($questions--){
            echo '<div class="'.(($i%2)==1?'each_answer_even':'each_answer_odd').'" id="ans-'.$i.'">';
            echo '<div class="q_number">'.($i <= 9 ? '0'.$i : $i).'</div>';
            $name       = 'ans'.str_pad($i, 3, '0', STR_PAD_LEFT);
            $attributes = array('empty' => false, 'legend' => false, 'onclick' => 'me.answer_click('.$i.')');
            echo '<div class="mcq">'.$this->Form->radio($name, $options, $attributes).'</div>';
            echo '</div>';
            $i++;
        }
        echo $this->Form->end('Submit');
        ?>
    </div>
</div>

This is basically an MCQ exam form, where each group has 4 or 5 radio buttons and there are a total of 40 to 100 groups in a form. I'm using CakePHP 2.4. Thanks in advance.

Recommended answer

As per the comments, the problem appears because you are changing the hidden values of the form. The way SecurityComponent works is that it "locks" the names of the fields, so an evildoer can't add new fields or change the values once the form is sent. But it is even more strict with the hidden values, because it locks the field name and value. So by changing it with jQuery you're blackhole-ing your own form.

There's a nice little post where I learned this, take a look at it. The author there also explains two ways of bypassing this problem. One is to disable the security for hidden fields, so the hash calculated for the token doesn't include those values... which isn't really secure...
And another solution is to modify the FormHelper, and tell it to "lock" the hidden fields' names but not the values. I don't remember what version of Cake the author uses for the example, but the code given there should be practically the same. So with that solution, you can tell the form to not be so strict with you with an option array.

Oh, and the other option given there (this is what I normally use) (I just read it now there... I thought I figured that out on my own... oh well), is to just use normal input text fields for the ones you want hidden, and add a CSS style like display:none.

It's up to you what you think is best. I like the CSS option because it is simpler, and really, if someone is going to mess with my CSS evilly (with Firebug or something like that), they might just as well do it with the values of hidden fields, it doesn't require any more effort. You should take all the extra steps and verifications when handling that form submission anyway. But like I said, it's up to you which you think is best for your situation.
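
The locking behaviour described in the answer, as an added stand-alone example that is not part of the original answer and is not CakePHP's own code. It is a simplified model: the HMAC construction, the `SECRET` value, the function names and the sample field data are all assumptions made for illustration.

```php
<?php
// Simplified model of form-tampering protection (NOT CakePHP's actual algorithm).
// The server signs the field names it rendered plus the values of hidden fields;
// unlocked fields are left out of the signature entirely.
const SECRET = 'constructed-demo-secret'; // stands in for the application's secret salt

function signForm(array $fields, array $hidden, array $unlocked): string
{
    $names = array_diff(array_keys($fields), $unlocked);      // locked field names
    sort($names);
    $locked = array_diff_key($hidden, array_flip($unlocked)); // locked hidden name => value
    ksort($locked);
    return hash_hmac('sha256', json_encode([$names, $locked]), SECRET);
}

function validatePost(array $post, array $hiddenNames, array $unlocked, string $token): bool
{
    // Rebuild the signed material from what the browser actually sent.
    $hidden = array_intersect_key($post, array_flip($hiddenNames));
    return hash_equals($token, signForm($post, $hidden, $unlocked));
}

function demo(): array
{
    // Constructed sample: two hidden fields rendered empty, one radio group.
    $rendered = ['start_time' => '', 'duration' => '', 'ans001' => ''];
    $hidden   = ['start_time' => '', 'duration' => ''];
    // What arrives after client-side script has written into the hidden fields.
    $post     = ['start_time' => '10:00', 'duration' => '1800', 'ans001' => '2'];
    $results  = [];

    // Case 1: hidden values are locked, so the script-written values no longer match.
    $token = signForm($rendered, $hidden, []);
    $results['locked_hidden_changed'] = validatePost($post, array_keys($hidden), [], $token);

    // Case 2: the same fields are unlocked, so their values are not signed at all.
    $unlocked = ['start_time', 'duration'];
    $token = signForm($rendered, $hidden, $unlocked);
    $results['unlocked_hidden_changed'] = validatePost($post, array_keys($hidden), $unlocked, $token);

    // Case 3: a field name the server never rendered still changes the signed name list.
    $tampered = $post + ['injected_field' => '1'];
    $results['extra_field'] = validatePost($tampered, array_keys($hidden), $unlocked, $token);

    return $results;
}

var_export(demo());
```

In CakePHP 2.x the second case corresponds to calling `$this->Form->unlockField()` in the view for each field the script writes to. Once unlocked, values such as `duration`, `valid` and `passed` are ordinary client input and should be recomputed or checked in the controller.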
