MODX now has its security team.
But let me quote what it says:
Extras Security Policy
The MODX Security Team is not responsible for Extras for MODX, nor any security issues found within them. When a vulnerability is found in a MODX Extra, the Security Team will be notified and the author will be contacted regarding the issue. The author will be given a reasonable deadline by which to fix the issue. If the deadline is not met, the Extra will be removed from the official MODX Extras repository and a public advisory against the Extra will be released. Deadlines will be set by the Security Team in accordance with the severity of the issue. MODX or the Security Team will not audit or review Extras hosted on any non-official Provider.
Before the real Security Standards have been noted clearly, I would like to invite you all to share your knowledge here about how to close security holes as a 3PC developer.
Let me start my part:
1. You may start to learn this deeply by reading a good book:
PHP Architect’s Guide to PHP Security.
2. Bookmark and dig this:
http://phpsec.org/projects/guide/
3. Well, start googling this matter.
4. For some quick recommendations, please see below.
1. Always sanitize your input
Do not trust your user!
a. Form
You should always sanitize the form input, whichever way the form is submitted.
It can be your search box, your login/register form, your contact form, your comment form, whatever.
When a form is submitted, the FIRST and FOREMOST step is sanitizing.
Everything else comes afterward.
b. Snippet’s parameters
Why do you assume that developers cannot be wrong?
MODX has its sanitizing APIs:
sanitize and sanitizeString
<?php // highlight
$modx->sanitize($array);        // takes an array (nested arrays included) and returns the sanitized array
$modx->sanitizeString($string); // a single string only
BUT, if you dig into the code, it sanitizes with an ASCII-only regex.
If your texts are not ASCII, you should create your own method that fits your character set.
Revo still lacks the event trigger that Evo has for the TransAlias plugin.
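To make the ASCII problem concrete, here is an added example (not code from the original post and not MODX core code). asciiOnlyWhitelist() is a stand-in that reproduces the ASCII-only whitelist behaviour described above (check the exact expression in your core's sanitizeString() before relying on it), and utf8SanitizeString() / utf8SanitizeArray() are our own names for a UTF-8-aware replacement that keeps accented letters while still dropping quotes, brackets and semicolons. It assumes the mbstring extension and PCRE with Unicode support, both standard on a MODX host. The sample array is constructed, standing in for $_POST from a comment form.

```php
<?php
// Added example: not MODX core code, not the author's code.
// asciiOnlyWhitelist() stands in for the ASCII-only regex the post describes;
// utf8SanitizeString() and utf8SanitizeArray() are our own replacement, not MODX API.

/** Stand-in for an ASCII-only whitelist: everything outside [A-Za-z0-9_-./] is dropped,
 *  which includes every accented or non-Latin letter and every space. */
function asciiOnlyWhitelist($str, $allowedTags = '')
{
    $str = strip_tags($str, $allowedTags);
    return preg_replace('/[^A-Za-z0-9_\-.\/]/', '', $str);
}

/**
 * UTF-8-aware whitelist sanitizer. Keeps Unicode letters (\p{L}), combining marks (\p{M}),
 * digits (\p{N}), whitespace and a few punctuation characters; drops everything else,
 * including quotes, angle brackets, parentheses and semicolons.
 */
function utf8SanitizeString($str, $allowedTags = '')
{
    // Invalid UTF-8 is a classic way to smuggle bytes past filters: fail closed.
    if (!is_string($str) || !mb_check_encoding($str, 'UTF-8')) {
        return '';
    }
    // Same first step as the core: strip markup, optionally keeping a tag whitelist.
    $str = strip_tags($str, $allowedTags);
    // The /u modifier makes PCRE work on UTF-8 code points instead of single bytes.
    $str = preg_replace('/[^\p{L}\p{M}\p{N}\s_\-.,]/u', '', $str);
    // preg_replace() returns null on error (bad subject, backtrack limit): fail closed.
    return $str === null ? '' : trim($str);
}

/** Recursive walker for request arrays, so nested fields get the same treatment. */
function utf8SanitizeArray(array $target, $depth = 3)
{
    foreach ($target as $key => $value) {
        if (is_array($value) && $depth > 0) {
            $target[$key] = utf8SanitizeArray($value, $depth - 1);
        } elseif (is_string($value)) {
            $target[$key] = utf8SanitizeString($value);
        }
    }
    return $target;
}

// Constructed sample input standing in for $_POST from a comment form.
$post = array(
    'author' => 'Zoë O\'Brien',
    'title'  => 'Café <script>alert(1)</script> Résumé; DROP TABLE modx_users',
    'meta'   => array('city' => 'Zürich', 'year' => '2012'),
);

// The ASCII whitelist mangles the author's name (accented letter, space and quote all go);
// the UTF-8 version keeps the letters and the space and only drops the quote.
echo asciiOnlyWhitelist($post['author']), "\n";
echo utf8SanitizeString($post['author']), "\n";
print_r(utf8SanitizeArray($post));

// Caveat: whitelisting input is not a substitute for escaping on output. When a value
// is echoed into HTML, still use htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), and go
// through xPDO objects / prepared statements instead of building SQL by hand.
```

Note that strip_tags() removes the script tags but keeps their content, so "alert(1)" survives as plain text; the regex then drops the parentheses. That is fine for storage, but it is also why output escaping is still needed when the value is rendered.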
2. Do Not Pass Any Requests Directly to the Class
If you apply an OOP style to your code, please consider this.
Always sanitize first, before your snippet code passes the request values to any object.
/* ex.1 */
<?php //highlight
$object = new MyClass($modx, $scriptProperties); // $scriptProperties may still hold raw values: absolutely dangerous!
$object->submitMyForm($_POST);                   // raw request array: absolutely dangerous!
$object->property = $_POST['property'];          // raw request value: absolutely dangerous!
/* ex.2 */
<?php //highlight
$sanitizedPosts = $modx->sanitize($_POST);
$_POST = array();                       // drop the raw copy so nothing downstream can reach it
$object->submitMyForm($sanitizedPosts); // recommended!
/* ex.3 */
<?php //highlight
$sanitizedGets = $modx->sanitize($_GET);
$_GET = array();
$object->submitMyForm($sanitizedGets); // recommended!
/* ex.4 */
<?php //highlight
if (!empty($_GET['param'])) {
    $scriptProperties['param'] = $modx->sanitizeString($_GET['param']); // recommended!
}
// Only set the key when a value was supplied, so getOption() can still fall back to the default.
$config['param'] = $modx->getOption('param', $scriptProperties, 'defaultValue');
/* ex.5 */
<?php //highlight
class MyClass {
    // dangerous: the method reaches into the superglobal itself
    public function myFunction () {
        $title = $_POST['title'];
        echo $title;
    }
    // recommended: the caller sanitizes and hands the values in
    public function myFunction2 ($sanitizedPost) {
        $title = $sanitizedPost['title'];
        echo $title; // when echoing into HTML, escape on output as well
    }
}
3. Always sanitize your Ajax file
Since each controller or AJAX processor file is effectively an independent entry point, you should put a 'check code' at the TOP of the file.
You can use:
a. Access check.
/* ex.6 */
<?php
// Only run when loaded inside the MODX manager; otherwise stop right here.
if (!defined('IN_MANAGER_MODE')) {
    return;
    // or
    // die();
}
b. Sanitize the request using MODX's API
/* ex.7 */
<?php
// ... include the MODX class file and build $modx here ...
$modx = new modX();
$sanitizedRequests = $modx->sanitize($_REQUEST); // recommended; this covers the merged $_REQUEST copy only
$_GET = $_POST = $_COOKIE = array();             // $_GET, $_POST and $_COOKIE are separate arrays and stay raw, so clear them
$_REQUEST = $sanitizedRequests;                  // from here on read only from $_REQUEST
// ... proceed ...
About file inclusion: if this is front-end AJAX, you can expose the AJAX processor through a MODX resource.
Give that resource a blank template, and make a snippet that calls the real AJAX processor file.
That makes the $modx object available to that processor.
You do not need to include the MODX core file again. Without that include, the processor only works through the snippet; direct access to the file on its own ends in a PHP fatal error (no $modx) instead of a working endpoint outside MODX.
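Here is an added example of that resource-based setup, written for this post (it is neither the author's code nor MODX core code). The names are assumptions: a snippet called MyExtraAjax, placed uncached ([[!MyExtraAjax]]) in a resource that uses a blank template, and a processor file at core/components/myextra/processors/web/submit.php. It applies the points from sections 2 and 3 together: the guard sits ON TOP of the processor, the request is sanitized first and the raw copies dropped, each field is validated explicitly (check what sanitize() actually strips in your core version before leaning on it), and the database is reached through xPDO with a cast integer rather than hand-built SQL. The two files are shown in one block, separated by comments.

```php
<?php
// Added example: not MODX core code, not the author's code.
// Assumed names: snippet "MyExtraAjax", processor file
// core/components/myextra/processors/web/submit.php, form fields name/message/resource.

/* ---------- Snippet: MyExtraAjax (placed in a resource with a blank template) ---------- */
$processor = $modx->getOption('core_path') . 'components/myextra/processors/web/submit.php';
if (!is_readable($processor)) {
    $modx->log(modX::LOG_LEVEL_ERROR, 'MyExtraAjax: processor not found at ' . $processor);
    return '';
}
// The processor sees this snippet's $modx; its return value becomes the snippet output.
return include $processor;

/* ---------- core/components/myextra/processors/web/submit.php ---------- */
// Guard, ON TOP of the file: valid only when pulled in by the snippet, which supplies $modx.
// Requested directly over HTTP, $modx is undefined and we stop here with a clean 403
// instead of a fatal error further down.
if (!isset($modx) || !($modx instanceof modX)) {
    header('HTTP/1.1 403 Forbidden');
    die();
}

// Accept only the method this endpoint is meant for.
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    return '';
}

// Sanitize FIRST (ex.2), then drop the raw copies so nothing below can reach them.
$input = $modx->sanitize($_POST);
$_POST = array();
$_REQUEST = array();

// Sanitizing is not validation: check every field you actually use.
$errors  = array();
$name    = isset($input['name'])     ? trim($input['name'])    : '';
$message = isset($input['message'])  ? trim($input['message']) : '';
$target  = isset($input['resource']) ? $input['resource']      : '';

if ($name === '' || mb_strlen($name, 'UTF-8') > 80) {
    $errors['name'] = 'required, max 80 characters';
}
if ($message === '' || mb_strlen($message, 'UTF-8') > 2000) {
    $errors['message'] = 'required, max 2000 characters';
}
// Integers: check the digits and the range instead of trusting the string.
if (!ctype_digit((string) $target) || (int) $target < 1) {
    $errors['resource'] = 'must be a positive resource id';
}

header('Content-Type: application/json; charset=utf-8');

if (!empty($errors)) {
    header('HTTP/1.1 400 Bad Request');
    return json_encode(array('success' => false, 'errors' => $errors));
}

// Look the resource up through xPDO; the cast int is the only thing that reaches the query.
$resource = $modx->getObject('modResource', (int) $target);
if (!$resource) {
    header('HTTP/1.1 404 Not Found');
    return json_encode(array('success' => false, 'errors' => array('resource' => 'unknown resource')));
}

// Only sanitized, validated values travel further (ex.2 / ex.5). Here we just log;
// a real handler would hand $name and $message to your own class, never $_POST.
$modx->log(modX::LOG_LEVEL_INFO,
    sprintf('MyExtraAjax: message from %s about resource %d', $name, $resource->get('id')));

// JSON_HEX_* keeps the payload harmless if a client ever drops it straight into HTML.
return json_encode(
    array('success' => true, 'resource' => $resource->get('pagetitle')),
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
```

The same pattern works for a manager-side processor: swap the instanceof guard for the IN_MANAGER_MODE check from ex.6, keep the sanitize-then-validate order, and still return only what the caller needs.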
So far, these are my thoughts.
I need to share this, because I also use other 3PC extras that were not built by me.
I hope you can understand this situation and, even better, share your experiences here.
For the Secure MODX!