From 3936cce4b8c6fea315fd0010d0244d70a4c40b6a Mon Sep 17 00:00:00 2001
From: mark_story
Date: Thu, 3 Jul 2014 22:10:49 -0400
Subject: [PATCH] Disallow hexadecimal input with inList.

Instead of turning on/off strict mode based on the user supplied input, cast everything to strings and always use a strict check. This avoids the potential issue of a bad user using hexadecimal when they should not be allowed to do so. Thanks to 'Kurita Takashi' for pointing this out.
---
 lib/Cake/Test/Case/Utility/ValidationTest.php | 4 ++++
 lib/Cake/Utility/Validation.php | 7 +++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/Cake/Test/Case/Utility/ValidationTest.php b/lib/Cake/Test/Case/Utility/ValidationTest.php
index 4d8fdab74..60b12e1f5 100644
--- a/lib/Cake/Test/Case/Utility/ValidationTest.php
+++ b/lib/Cake/Test/Case/Utility/ValidationTest.php
@@ -1979,6 +1979,10 @@ class ValidationTest extends CakeTestCase {
 $this->assertFalse(Validation::inList(2, array('1', '2x', '3')));
 $this->assertFalse(Validation::inList('One', array('one', 'two')));
+ // No hexadecimal for numbers.
+ $this->assertFalse(Validation::inList('0x7B', array('ABC', '123')));
+ $this->assertFalse(Validation::inList('0x7B', array('ABC', 123)));
+ // case insensitive
 $this->assertTrue(Validation::inList('one', array('One', 'Two'), true));
 $this->assertTrue(Validation::inList('Two', array('one', 'two'), true));
diff --git a/lib/Cake/Utility/Validation.php b/lib/Cake/Utility/Validation.php
index 1045d4a8b..cb2aa8706 100644
--- a/lib/Cake/Utility/Validation.php
+++ b/lib/Cake/Utility/Validation.php
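Review bot: The two new assertions pin only the hexadecimal case, yet the removed `$strict = !is_numeric($check)` line turned off strict comparison for every numeric-looking string, so exponent and whitespace forms such as `'1e3'` against `1000` or `' 123'` against `123` were equally accepted by the old code and are not covered here. Nothing in the hunk pins the opposite direction either, that an integer check still matches a string list entry after the `strval` mapping. I would add `$this->assertFalse(Validation::inList('1e3', array(1000)));`, `$this->assertFalse(Validation::inList(' 123', array(123)));` and `$this->assertTrue(Validation::inList(123, array('123')));` beside the hex cases so a later change to the cast cannot silently reopen either side. The enclosing test method starts before this hunk.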
@@ -800,14 +800,13 @@ class Validation {
 * @return bool Success.
 */
 public static function inList($check, $list, $caseInsensitive = false) {
- $strict = !is_numeric($check);
-
 if ($caseInsensitive) {
 $list = array_map('mb_strtolower', $list);
 $check = mb_strtolower($check);
+ } else {
+ $list = array_map('strval', $list);
 }
-
- return in_array((string)$check, $list, $strict);
+ return in_array((string)$check, $list, true);
 }
 /**
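Review bot: The new `return in_array((string)$check, $list, true);` still casts a non-scalar `$check` blindly, so an array submitted for a field (form or query input like `field[]=x` typically arrives as an array) is compared as the string `"Array"` with only a notice, and on the `$caseInsensitive` path `mb_strtolower($check)` would warn (or throw on newer PHP) rather than cleanly reject; a list that happens to contain `'Array'` would then validate. Add `if (!is_scalar($check)) { return false; }` as the first statement of `inList` so non-scalar input is rejected before any cast. A one-line why-comment above the `array_map('strval', $list)` line would also help the next reader, e.g. `// Stringify both sides and compare with === so '0x7B', '1e3' or ' 1' can never match a numeric list entry.`, and the `@param` docblock for `$check` (it starts above this hunk) should state that only scalars are accepted.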