Controller (and subclasses) failed to enforce $allowed_action restrictions on parent classes if a child class didn't have it explicitly defined. Controllers which are extended with $allowed_actions (through an Extension) now deny access to methods defined on the controller, unless this class also has them in its own $allowed_actions definition.
1.2 KiB
2.4.10
Overview
- Security: Undefined
$allowed_actions
overrides parent definitions - API: More restrictive
$allowed_actions
checks forController
when used withExtension
Details
Security: Undefined $allowed_actions
overrides parent definitions
Severity: Important
Description: Controller
(and subclasses) failed to enforce $allowed_action
restrictions
on parent classes if a child class didn't have it explicitly defined.
Impact: Depends on the used controller code. For any method with public visibility, the flaw can expose the return value of the method (unless it fails due to wrong arguments). It can also lead to unauthorized or unintended execution of logic, e.g. modifying the state of a database record.
Fix: Apply the 2.4.10 update. In addition, we strongly recommend to define $allowed_actions
on all controller classes to ensure the intentions are clearly communicated.
API: More restrictive $allowed_actions
checks for Controller
when used with Extension
Controllers which are extended with $allowed_actions
(through an Extension
)
now deny access to methods defined on the controller, unless this class also has them in its own
$allowed_actions
definition.