
I created a simple application to find valid Scrabble words in CakePHP 4.2. It has several forms with a single input in which the user can write a word (or randomly sorted letters) and the application generates all possible anagrams for that word, or simply tells if the word is valid or not. Example:

<?php
    echo $this->Form->create();
    echo $this->Form->control('letters', ['label' => false,'encoding'=>'utf-8','div' => false,'class' => 'myClass','autofocus' => 'autofocus' ]);
    echo $this->Form->button(__('Find words'));
    echo $this->Form->end();
?>

Everything worked fine in development so I tried my app on the production server following deployment recommendations included in the Cookbook (https://book.cakephp.org/4/en/deployment.html). I activated FormProtection component (I am aware that the cookbook suggests using Security component, which is deprecated, and FormProtection should be used instead). I added "$this->loadComponent('FormProtection');" to my AppController.php file:

<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        $this->loadComponent('RequestHandler');
        $this->loadComponent('Flash');

        /*
         * Enable the following component for recommended CakePHP form protection settings.
         * see https://book.cakephp.org/4/en/controllers/components/form-protection.html
         */
        $this->loadComponent('FormProtection');
    }
}

Again everything seemed to work fine, but I found out that the app throws the following error when my forms are submitted if the user leaves them open for a while before submitting.

FROM ckdir/logs/error.log:

2021-02-28 02:28:24 Error: [Cake\Http\Exception\BadRequestException] Bad Request in /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Controller/Component/FormProtectionComponent.php on line 143
Stack Trace:
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Controller/Component/FormProtectionComponent.php:97
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Event/EventManager.php:309
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Event/EventManager.php:286
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Event/EventDispatcherTrait.php:92
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Controller/Controller.php:579
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php:96
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/BaseApplication.php:313
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:77
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:169
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php:164
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:161
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:68
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:126
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Runner.php:58
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakephp/cakephp/src/Http/Server.php:90
- /home3/anagrame/public_html/anagramador2/cakedir/webroot/index.php:40

Request URL: /anagramas/anagramador
Referer URL: http://example.com/anagramas/anagramador

This appears in the view after submitting with DEBUG enabled

So far I haven't found detailed directions on how to use/configure the component, but I understood (am I wrong?) this is somewhat standard behaviour. The form expires as submitting a form after a long time is considered suspicious. But this creates a poor experience for my users because, as a reference site, it is common for them to keep it open for long periods and use it only as necessary while playing live or online Scrabble. The error page appears too often. They are forced to go back to the homepage and then to the search views.

So my questions are:

  1. Can that expiration time be extended? If I extend it, am I losing security?
  2. How bad would it be to disable the FormProtection component? My site doesn't require users to sign up or log in. It handles no sensitive data like names, emails, passwords... nothing except for words stored in the database. As far as I can tell, my previous version of the application has had no security issues before, even when I never cared much for it for 10 years.
  • The form protection component, to my understanding, is there to prevent things like people doing replay attacks of form data that they somehow capture, or adding extra data to try to overwrite certain fields in your entities (if you haven't got "accessible" locked down), or changing the values of hidden fields (e.g. ids, to target a record they don't have permission on). I can't see how it would benefit anyone to do any of these attacks on an anagram server, and if you don't think they would apply to your application, it's probably okay to skip that component entirely. – Greg Schmidt Feb 28 '21 at 16:34
  • Sounds ok, then. Thanks, Greg! – Jesús Ortega Mar 02 '21 at 22:14
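A narrower option than removing the component entirely, shown here as an added example that is neither the asker's code nor CakePHP's own: keep FormProtection loaded for the whole app, exempt only the public search action (one free-text field, no hidden ids, so the tamper/replay check has nothing to protect there), and turn any remaining token failure into a redirect with a flash message instead of a bare 400 page. It uses the component's documented `unlockedActions` and `validationFailureCallback` options. The controller name `AnagramasController` and the action name `anagramador` are assumptions derived from the request URL `/anagramas/anagramador` in the question; both classes are shown in one listing for brevity but would live in their own files under `src/Controller` in a real app.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\EventInterface;
use Cake\Http\Exception\BadRequestException;
use Cake\Http\Response;

/**
 * Added example (not the asker's code): FormProtection stays enabled app-wide,
 * but a failed check is logged and answered with a redirect rather than a 400.
 */
class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        $this->loadComponent('RequestHandler');
        $this->loadComponent('Flash');

        $this->loadComponent('FormProtection', [
            // Called instead of throwing when the form token is missing, has been
            // tampered with, or no longer matches the session it was issued for.
            'validationFailureCallback' => function (BadRequestException $exception): ?Response {
                // Keep a record for the server log so genuine tampering is still visible.
                $this->log(
                    'FormProtection rejected a POST to ' . $this->getRequest()->getRequestTarget()
                    . ': ' . $exception->getMessage(),
                    'warning'
                );
                $this->Flash->error('Your form had expired. Please submit it again.');

                // Send the user back to the page they came from; '/' is used
                // when the request carries no Referer header.
                return $this->redirect($this->referer('/'));
            },
        ]);
    }
}

/**
 * Assumed controller name, taken from the request URL /anagramas/anagramador.
 */
class AnagramasController extends AppController
{
    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // The search form has a single text field and no hidden ids, so unlock
        // just this action; any other form in the app keeps full protection.
        $this->FormProtection->setConfig('unlockedActions', ['anagramador']);
    }
}
```

Unlocking one action is deliberately smaller than dropping the component: if a later form does carry hidden ids or is used to edit records, it is still covered without anyone having to remember to re-enable protection, and the log line keeps failed checks visible for review.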
