This article covers the concepts of authentication and authorization.

Authentication is knowing who the logged in user is. Authorization is knowing what the user can and can’t do and can be as easy as checking that the user ID in the database matches the user ID of the authenticated user. It can also be as complex as Access Control Lists, social graphs, and multi-moderator systems. Either way it needs to be taken care of. Very few things are more devastating than when a malicious user finds that all you have to do to edit another user’s data is to change the value of a POST variable or all you need to do to access someone’s private photos is to change a URL. Do either of those two cases sound familiar?

Thinking like a hacker

If I were to try to exploit this feature: how would I go about it?
you, every time you write code (hopefully)

Let’s start by looking at a imaginary site that makes an Ajax request to delete a resource via a RESTful API. The HTTP request probably looks a bit like this:

POST /resources/1234.json HTTP/1.1
Host: www.example.com
Content-Length: 14

_method=DELETE

Now, make the assumption that you can find the ID of any resource on the system. This could be because it is exposed in a “view” URL or it could be that it is returned in an API call for search. Either way, assume that if it exists a hacker can find it either by design or through flaws in the code. Never assume primary keys are a secret. The next step is to find an ID of a resource not owned by the hacker (in this example: 5678) and to go the command line (assuming cURL is installed on your system):

curl -d "_method=delete" http://www.example.com/resources/5678.json

Curl doesn’t share cookies with the web browser so if that call succeeded and record 5678 was actually deleted then the application is not checking to see if the user is authenticated. There is no need to go any further, you’ve already found a devastating exploit. If this is your application (I hope that you aren’t using this article to try to hack other people’s apps!) it is time to go back to the code, add a check to make sure that the user is logged in. Then come back here to read on.

If the call didn’t work then it is time to try to delete the resource as an authenticated (but hypothetically not authorized) user:

curl -d "username=you&password=abcdefg" -c "cookies.txt" http://www.example.com/login/
curl -d "_method=delete" -b "cookies.txt" http://www.example.com/resources/5678.json

The first line authenticates the user and stores the cookies. The second line tries the delete method again with the new cookies. Make sure to replace all the appropriate variables and URLs in all of these examples. If all went well bad the resource 5678 should now be deleted. If that happened then the application needs to check for authorization as well as authentication.

The same concepts can be applied to viewing, editing, and creating resources. This article uses cURL but there are numerous other ways of spoofing Ajax and API requests, including injecting Javascript into the browser and writing a PHP / Perl / Ruby / Python / etc. script to do it.

One thing to watch out for is any request that takes the user ID as a parameter. It should raise a red flag. Whenever possible, get the user ID from the currently authenticated user. I once saw a password vault web application that returned the entire password list from a SOAP call given only the user ID. Just so you are sufficiently mortified, I’ll rephrase it: I could enter in any user’s ID and get back a list of passwords for other sites on the Internet (including Google). Don’t let that happen to you!

Taking care of business

Addressing the problem takes as much thought and planning then actually technical know-how. Imagine a user for each role (resource owner, administrator, moderator, customer support, friend of the user — if you are a social network — etc.) then ask three questions:

1. User X can/can’t view resource Y because…
2. User X can/can’t edit resource Y because…
3. User X can/can’t delete resource Y because…

Then for each of those, check to make sure the code reinforces that statement. It is also a good idea to give these stories to the testers and have them try to break your code. And remember: the authentication system tells you WHO the user is and authorization system tells you WHAT actions the user can perform.

How complex a system you need for authorization depends on your application. It can range from one-off code to full-featured generic systems that can be used for any type of resource imaginable. Social networks are the most complicated of the bunch because authorization often depends on a personal relationship with the user requesting access to the resource. The simplest form of authentication is:

if ( $user->id != $resource->owner_id )
  throw new Exception("Access denied");

Or if your application is a social network and you give friend’s access to resources:

if ( $user->id != $resource->owner_id && !$user->isFriendsWith($resource->owner_id) )
  throw new Exception("Access denied");

For a more robust system you’ll probably want to implement an Access Control List (ACL). An ACL at its core is just a mapping of users to resources. For example: Joe has view, edit, and delete access to resource 1234.

More advanced access control lists also have groups (called “roles”) and they can cascade. Roles introduce some ambiguity, and multiple entries in the list may govern the same action. If that happens, the most specific one is taken. For example, editing a resource may be governed by the rules:

• “Joe” is in the group “Basic Users” and “Basic Users” explicitly can NOT edit resources of type “forum post”
• “Joe” CAN edit resources of type “forum post” with ID “1234″

Since Joe has edit rights to the forum post with an ID of 1234 it doesn’t matter that the role Joe plays (a “Basic User”) cannot edit any forum posts. There are numerous articles on implementing an ACL in a PHP application and many frameworks have built-in classes for ACL.

Summary

When developing web applications (or any application for that matter): always be cognizant of authentication and authorization. Remember, authentication answers the question of WHO and authorization answers the question of WHAT. The application must always know the answer to both of those questions and be able to deny or allow certain actions based on those answers. It might be useful for newer developers to to actually put themselves in the shoes of a hacker and attempt to find exploits for their own website. Eventually, it will become second nature.

I will be presenting a talk on API Development. As the conference gets closer I will update this page with outlines, links, downloads, and eventually the final presentation.

You can view the complete schedule or register for the event and find a lot of other useful information on the CafeFest website.

Doors open at CakeFest 2010

If you can, you may want to set post_max_size to a low value (say “1M”) to make testing easier.

First test to see how your script behaves. Try uploading a file that is larger than post_max_size. If you do you will get a message like this in your error log:

[09-Jun-2010 19:28:01] PHP Warning:  POST Content-Length of 30980857 bytes exceeds the limit of 2097152 bytes in Unknown on line 0

If you’re not careful this can lead to unexpected behavior in your application. The end result can range from silent failure all the way to lost customers.

Solving the problem

The PHP documentation provides a hack to solve this problem:

If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. <form action=”edit.php?processed=1″>, and then checking if $_GET['processed'] is set.
Source: PHP manual

To be clear, it is suggesting that you pass a value in the query string along with your form. If the value is in the $_GET superglobal and both $_FILE and $_POST are empty then the maximum upload size is exceeded. There are two problems with this approach: it adds extra complexity on the front-end and it can potential give a false positive.

Extra complexity on the front-end means extra documentation and more room for mistakes. And if there is a mistake it may not be caught for a long time (does your QA team routinely upload large files?). In this case we already have all the data that we need to determine if the maximum file size was exceeded without adding extra complexity and headache for developers.

We know what type of request is being processed, we have the $_POST and $_FILES arrays, and we have the content length as it was passed to the HTTP server from the client. From that we get this code:

if ( $_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
     empty($_FILES) && $_SERVER['CONTENT_LENGTH'] > 0 )
{
  $displayMaxSize = ini_get('post_max_size');

  switch ( substr($displayMaxSize,-1) )
  {
    case 'G':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'M':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'K':
       $displayMaxSize = $displayMaxSize * 1024;
  }

  $error = 'Posted data is too large. '.
           $_SERVER[CONTENT_LENGTH].
           ' bytes exceeds the maximum size of '.
           $displayMaxSize.' bytes.";
}

The important thing to notice is the “if” statement on lines one and two. The example code just sets an error string. Production code might display a message to the user, execute some Javascript (for asynchronous uploads), or pass back a XML or Json object for Flash clients.

I’ve tested this code with Apache as both a module and as CGI. As far as I know it should work fine with IIS as well.

You can try out myVBO for free at www.myVBO.com.

I joined the myVBO team in March of 2009. My contributions to the project include:

• Designed a full featured multi-account Twitter client.
• Created versatile multi-environment configuration system.
• Designed and developed a versatile cross-platform short-polling and batch processing mechanism for dynamic data updates.
• Developed a robust platform API (both REST and RPC) as well as ActionScript 3 consumer client libraries.
• Created an extensible authentication system ready to accept users from multiple sources.
• Developed a user avatar system.
• Also contributed to: user profiles, product search display, news infrastructure, product planning, and user interface design.

Be sure to give it a try if you need a way to keep track of your business online.

Situation #1: A variable named “new” in a dynamic class

You are creating a dynamic object and you need to use a reserved word as a member variable name but you can’t.

var x:Object = new Object;
x.new = "this doesn't work";
x['new'] = "this works";

The first method is a nice way to get 1084: Syntax error: expecting identifier before new when you try to compile. Remove that line and use just the second one and you are all set. It is OK to mix and match access methods, as long as you never use dot notation for reserved words.

Situation #2: A RPC method named delete

You are making a remote call via the RemoteObject class (such as I was doing with Drupal) and you need to call a method named “delete” (or “new” for that matter). You naturally try this:

var ro:RemoteObject = new RemoteObject;
ro.endpoint = "http://www.example.com/amfphp";
ro.delete( 1234 );

You will be promptly greeted by the now familiar 1084 error when you try to compile and using a different notation won’t work. I’ll break the solution into multiple parts although it could just as easily be chained together:

var op:AbstractOperation = ro.getOperation('delete');
op.send( 12345 );

Incidentally the result of the “send” method is a AsyncToken object (the same object that “ro.delete()” would return if delete were not reserved) which can then be used to add responders.

There you have it. Two quick and easy ways to get around methods and properties with reserved words for names.

The other day I was reading the release notes and I couldn’t help but smile.

1. New native MySQL driver

I’m saving the best for last. So bear with me. Lets get through the small grins before we get to the big toothy ones (or you can read ahead… you’re choice). PHP 5.3 ships with a new MySQL driver called mysqld. A database driver is responsible for making the actually connection from PHP to MySQL. The previous MySQL driver had some flaws. For one, it was license in a way that was not compatible with the PHP license. The new MySQL Native Driver has a more amicable license (which is big in the open source world). It also adds some experimental functionality including improved persistent connections. There is also a down side but that is for another post.

2. Host specific PHP INI configurations

I previously worked on a hosted CMS and web publishing tool that had dozens of virtual hosts but only one php.ini. The new functionality allows to section off your PHP configuration to have a different configuration for every host or file path. I haven’t tried this one yet so I’m not sure how well it works. Try it out for yourself. There is a comment on PHP.net right now saying that it only works for CGI PHP and not for the CLI implementation.

[HOST=example.com]
error_reporting = E_ALL
display_errors = On

Example from the PHP documentation.

3. Shortcut ternary operator

I had never considered this before. However, this saves a lot of time for rather repetitive code. Consider these three identical code snipits.

<?php
if ( $foo ) $x = $foo;
else $x = $bar;

$x = ( $foo ? $foo : $bar );
$x = ( $foo ?: $bar );
?>

The third method is the new shortcut. It reads simply: “if foo than foo else bar.” I am still waiting for the first time for this to be useful. The biggest issue I see is that in the above example $foo cannot legitimately be anything that evaluates to false. As a result it is best used for variables that should be non-empty strings or non-zero numbers.

4. Date math

The DateTime class now has several new methods in it for dealing with date arithmetic. It puts an end to manually converting to timestamps and back to dates again. It works very simply:

<?php
$date = new DateTime('2009-06-30 09:00:00');
$date->sub('P5D'); // Subtract five days
echo $data->diff( new DateTime() )->format('%d').' days ago';
?>

The new DateTime methods and the new DateInterval class (returned from and passed to math functions) aren’t very well documented because they are so new.
It is worth noting that the format methods are different in the two classes. Intervals require a percentage (%) in front of placeholders. Watch out for that.

5. Closures

Closures are one of the best parts of PHP 5.3. At first I wasn’t very excited about them. I use closures constantly in Javascript but in a stateless HTTP request situation they appear less useful. But then I got into it. They are improved methods of dealing with lambda-functions. In other words, they are functions that are nameless and can be assigned to variables. In actuality they are classes.

<?phpi
$y = 10;
$x = function($number) use ( &$y ) {
  return $number * $y;
};
$y = 100;
echo $x(8); // Output: 800
?>

This is the point at which a lot of PHP programmers would pause. Did I say they are classes? Since when can you call a class like it was a function? Since PHP 5.3 you can! . You do it by defining the “_invoke” magic method. Like so:

<?php
class testInvoke {
  public function __invoke( $x ) { echo "Hello $x"; }
};
$x = new TestInvoke();
echo $x('world'); // outputs "Hello World"
?>

This is by far one of the coolest new features in PHP 5.3. It opens a whole new world of possibilities for clean / manageable code.

Bonus Things

5.1. New magic method for matching calls to static methods

For a while now we have been able to define the magic method “__call” in our classes that will be executed if you try to call a method in a class instance that does not exist. Now the “__callStatic” method does the same thing only for methods of static classes.

5.2. Late static binding

Late static binding is a long time coming. In fact, this has tripped me up in several projects. In simplest terms late binding is waiting to determine what object a method or member variable belongs to until it is called. Late static binding in PHP, as its name indicates, applies this concept to static methods and members variables in PHP. The PHP.net website bests describes in on the manual page for late static binding.

5.3. E_DEPRECATED

Here is a tip for everyone: if you are developing open source PHP software you should develop it in E_STRICT mode. This new E_DEPRECATED flag is actually part of E_ALL which sends a strong message that you shouldn’t be using these depreciated functions. I am a huge fan of anything that helps us write better code.

I hope everyone got through this post just fine. It is a long one. Leave comments (the comment section is OpenID enabled).

Flex form with drop shadow header

It seems easy enough so let’s give this a try:

<mx:Style>
HBox {
  paddingTop: 5;
  paddingBottom: 5;
  paddingLeft: 5;
  paddingRight: 5;
  dropShadowEnabled: true;
}
</mx:Style>

Usually the dropShadowEnabled: true would be enough but in this case you may be surprised if you put the above style into an MXML file with an HBox in it. Drop shadows don’t work on HBox components without some more tweaking. They don’t work for VBox, FormItem, Canvas, Grid, and Tile either. But dropShadowEnabled works beautifully to create Flex drop shadows on a component like TextInput.

What sets TextInput apart? It has a border by default. That is the key. Put borderStyle: solid in our style sheet then all the sudden our HBox has a drop shadow. Unfortunately it also has a nice one pixel border as well. To fix that we can set the borderThickness to zero and you’re done.

<mx:Style>
HBox {
  paddingTop: 5;
  paddingBottom: 5;
  paddingLeft: 5;
  paddingRight: 5;
  dropShadowEnabled: true;
  borderThickness: 0;
  borderStyle: solid;
}
</mx:Style>

Quick Two Point Summary

• Drop shadows will be hidden if the component doesn’t have a border.
• The border can be zero pixels.