Post Support For Action Parameter Binding

Action Parameter Binding as implemented in CInlineAction currently only supports $_GET parameters, so parameters from POST requests won’t be bound.

If CInlineAction would use CHttpRequest->getParam($name) instead of $_GET[$name] in the run() method, it would support Action Parameter Binding in both GET and POST requests.

I would prefer that behavior.

Please also see this changeset which allows easier extension of CInlineAction: http://code.google.com/p/yii/source/detail?r=2888#

Why was it set to _GET instead of _REQUEST in the first place? Is there some security thing that I’m not understanding? (Or CHttpRequest->getParam($name))

$_REQUEST includes $_GET, $_POST… and $_COOKIE. So yes, it's a security thing: a malicious user can override your variables by setting a cookie with the same name as your $_GET or $_POST parameter.

_REQUEST is evil and should never have been in the language in the first place. It serves no useful purpose whatsoever (unless you consider making things more ambiguous and less secure useful).

Since version 1.1.7 this is now done via overriding getActionParams() from CController.

e.g. put this in components/Controller.php

// array_merge(): on a duplicate key the later array wins, so a POST field overrides a GET field of the same name
public function getActionParams() { return array_merge($_GET, $_POST); }

to have both GET and POST parameters bind to action parameters.
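The following is an added example and is not code from this thread or from the Yii project. It pulls together two points made above: the cookie-shadowing problem with $_REQUEST, and the getActionParams() override introduced in Yii 1.1.7. It assumes a Yii 1.1.7+ controller, where getActionParams() returns the array that CInlineAction binds from; the helper names actionParamsFromRequest() and requestStyleMerge() and the sample request arrays are constructed for illustration. The script runs stand-alone from the command line with no framework loaded.

```php
<?php
// Added example, not part of the thread or of the Yii source.
// Assumed: Yii 1.1.7+, where CController::getActionParams() supplies the
// array from which CInlineAction binds action parameters.

/**
 * Build the array used for action parameter binding (hypothetical helper).
 *
 * - $_COOKIE is never consulted, so a cookie cannot shadow a query or form
 *   field the way it can through $_REQUEST.
 * - Form fields are considered only on POST, so GET routing stays
 *   independent of the request body.
 * - On a name collision the query string wins, matching the precedence of
 *   CHttpRequest::getParam() in Yii 1.1 (it checks $_GET, then $_POST).
 */
function actionParamsFromRequest(array $get, array $post, $method)
{
    $params = $get;
    if (strtoupper($method) === 'POST') {
        foreach ($post as $name => $value) {
            if (!array_key_exists($name, $params)) {
                $params[$name] = $value;
            }
        }
    }
    return $params;
}

/**
 * How $_REQUEST is populated when request_order is unset and PHP falls back
 * to the built-in variables_order default "EGPCS": later sources overwrite
 * earlier ones, so a cookie overrides a GET or POST field of the same name.
 * (The php.ini files shipped with PHP set request_order = "GP" instead.)
 * Shown here only for contrast with the helper above.
 */
function requestStyleMerge(array $get, array $post, array $cookie)
{
    return array_merge($get, $post, $cookie);
}

// Constructed sample request: a legitimate form post for record 7, plus an
// attacker-set cookie named like the bound action parameter "id" (for
// example planted through a sibling subdomain, whose cookies the browser
// also sends to this host).
$get    = array('id' => '7');
$post   = array('id' => '7', 'title' => 'hello');
$cookie = array('id' => '1');

$safe   = actionParamsFromRequest($get, $post, 'POST');
$unsafe = requestStyleMerge($get, $post, $cookie);

// The binding array ignores the cookie entirely; the $_REQUEST-style merge
// hands the action the attacker's "id" instead of the submitted one.
var_dump($safe['id'], $unsafe['id']);

// In components/Controller.php (extending CController) the override would be:
//
//   public function getActionParams()
//   {
//       return actionParamsFromRequest($_GET, $_POST, $_SERVER['REQUEST_METHOD']);
//   }
```

Compared with the plain array_merge($_GET, $_POST) override, this keeps the "where did this value come from" question answerable: a field bound on a GET request can only have come from the query string, and nothing the browser sends as a cookie ever reaches an action parameter.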

Security leaks FTW! :blink:

There is a reason register_globals is deprecated; don’t simulate it!

ScallioXTX, can you provide an example of why this is the security leak?

It may not be a very good example, but merging these two arrays makes it much easier to try and brute force stuff, as you could put the username and password in the URL and keep blasting. Creating POST requests is a little harder.

Plus I guess I’m not a fan of not knowing precisely where all my variables are coming from. It feels nasty.

ScallioXTX

Creating POST requests isn't harder at all. The ones who're breaking our apps are sometimes very clever guys.

POST params should only be used to post data to the server, not to route a request. So the current behaviour is fine.

Just rethinking this… Since you validate input before using it, does it really matter from which source it comes? I think I understand the different purposes of GET and POST data, but should our actions have to deal with that?

Just for everyone who’s interested in this feature request: Quite some time ago, I wrote a filter that allows pretty flexible configuration of action parameters. Have a look here: https://github.com/bwoester/yii-action-param-filter