ExportController security issue (minor) #600

Closed
3 tasks done
SamMousa opened this issue Dec 12, 2016 · 0 comments
@SamMousa
Contributor

Steps to reproduce the issue

  1. Read https://github.com/kartik-v/yii2-grid/blob/master/controllers/ExportController.php#L33
  2. Note that export configuration is taken from the post data instead of the application setting.

Issue

When I configure the gridview not to use pdf export (for example), the user should not be able to ignore that and just send his own POST request demanding a PDF export.
If you want to be stateless in the export, the original configuration should at least be signed so that it can be verified in the control.

Consider a scenario where you disable PDF exporting (maybe it's too heavy on your server). Any user can then still force PDF export by simply forging a POST request manually.

Isolating the problem

  • This bug happens on the demos page
  • The bug happens consistently across all tested browsers
  • This bug happens when using yii2-grid without other plugins.
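One way to implement the signing the issue suggests, as an added example that is not yii2-grid's own code: the export configuration is HMAC-signed when the grid is rendered and verified before an export is honoured. The function names, the `enabled` key and the secret are assumptions.

```php
<?php
// Added example (not the project's code): keep the export configuration
// server-authoritative by signing it with an HMAC at render time and
// verifying that signature in the export action. The secret would come
// from the application config in practice; the value below is a placeholder.

function signExportConfig(array $config, string $secret): array
{
    // Canonical JSON so the value echoed back by the client matches byte-for-byte.
    $payload = json_encode($config, JSON_UNESCAPED_SLASHES);
    return ['config' => $payload, 'sig' => hash_hmac('sha256', $payload, $secret)];
}

// Returns the verified configuration, or null if the request must be refused.
function verifyExportRequest(array $post, string $secret): ?array
{
    if (!isset($post['config'], $post['sig'], $post['export_type'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $post['config'], $secret);
    // Constant-time comparison: an edited or forged config fails here.
    if (!hash_equals($expected, $post['sig'])) {
        return null;
    }
    $config = json_decode($post['config'], true);
    // Even a validly signed config only authorises the export types it lists,
    // so a request for a disabled type (e.g. pdf) is rejected.
    if (!is_array($config) || !in_array($post['export_type'], $config['enabled'] ?? [], true)) {
        return null;
    }
    return $config;
}

// Constructed sample: the grid was rendered with PDF export disabled.
$secret = 'placeholder-application-secret';
$signed = signExportConfig(['enabled' => ['csv', 'xls']], $secret);

$cases = [
    'legitimate csv'  => $signed + ['export_type' => 'csv'],
    'forced pdf'      => $signed + ['export_type' => 'pdf'],
    // Client re-enabled pdf in the config but cannot produce a matching signature.
    'tampered config' => ['config' => json_encode(['enabled' => ['csv', 'xls', 'pdf']]),
                          'sig' => $signed['sig'], 'export_type' => 'pdf'],
];
foreach ($cases as $name => $post) {
    printf("%-16s %s\n", $name, verifyExportRequest($post, $secret) === null ? 'rejected' : 'allowed');
}
```

Only the first case is allowed; the other two are refused before any export work is done, which also addresses the server-load concern in the issue.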