ZF-12094: Critical injection-possibility with InArray-validation (false positive)


The automatic InArray validator when using multioptions is vulnerable to string injection if one of the values in the multioptions array is 0. With the code below I would be able to inject any string as the value, due to (int)'string' resulting in 0 and therefore being accepted by in_array.

More info about this issue at…

            'method'        => 'post',
            'elements'      => array(
                'sex' => array('select', array(
                    'label'         => 'Sex',
                    'required'      => true,
                    'multioptions'  => array(
                        ''              => 'Select',
                        0               => 'Male',
                        1               => 'Female',
                    ),
                )),
            ),

Forcing the values in the haystack to strings fixes this issue (Note: forcing them in the multioptions array has no effect).

                    'validators' => array(
                        array('InArray', false, array(array((string)0, (string)1))),
                    ),

Enabling strict checking will not work, as the haystack contains integers while the needle from the POST data is a string.

                    'validators' => array(
                        array('InArray', false, array(array(0, 1), 'strict')),
                    ),

As the browser sends the POST data back as strings, I would recommend altering Zend_Validate_InArray::isValid() to force the haystack values to be strings.
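The three cases above (loose in_array, the 'strict' option, and the string-cast haystack) reduced to a standalone PHP script. This is an added example, not Zend Framework code and not part of the original report; inArrayAsStrings is a hypothetical helper standing in for the proposed change to Zend_Validate_InArray::isValid(), the POST values are constructed, and the behaviour described assumes PHP 5.x/7.x comparison rules.

```php
<?php
// Added example for ZF-12094 (not Zend Framework code): reproduces the loose
// in_array() comparison the report describes, shows why 'strict' alone breaks the
// legitimate value '0', and applies the reporter's fix of a string-cast haystack.
// Assumes PHP 5.x/7.x comparison rules: "abc" == 0 is true there because the
// string is converted to int 0. PHP 8.0 changed this so "abc" == 0 is false.

// Haystack as built from the multioptions keys: '' plus the integer keys 0 and 1.
$haystack = array('', 0, 1);

// Constructed POST values: the real "Male" choice and an injected string.
$legit    = '0';
$injected = "'; DROP TABLE users; --";

// Case 1: default (loose) comparison, as Zend_Validate_InArray uses it.
// The injected string compares equal to the integer 0, so it is accepted.
$looseAcceptsInjected = in_array($injected, $haystack);

// Case 2: strict comparison. The injected string is rejected, but so is the
// legitimate '0', because the POST needle is a string and the key is an int.
$strictAcceptsInjected = in_array($injected, $haystack, true);
$strictAcceptsLegit    = in_array($legit, $haystack, true);

// Case 3: the fix proposed in the report, as a hypothetical helper (not ZF's API):
// cast every haystack value to string, then compare strictly. Browser input is
// always a string, so a string-only strict match is the safe comparison.
function inArrayAsStrings($needle, array $haystack)
{
    if (!is_string($needle)) {
        // Arrays/objects (e.g. sex[]=x in the request) are never a valid option.
        return false;
    }
    return in_array($needle, array_map('strval', $haystack), true);
}

$fixedAcceptsInjected = inArrayAsStrings($injected, $haystack);
$fixedAcceptsLegit    = inArrayAsStrings($legit, $haystack);

printf("loose  : injected=%s\n", var_export($looseAcceptsInjected, true));
printf("strict : injected=%s legit=%s\n",
    var_export($strictAcceptsInjected, true), var_export($strictAcceptsLegit, true));
printf("strings: injected=%s legit=%s\n",
    var_export($fixedAcceptsInjected, true), var_export($fixedAcceptsLegit, true));
```

Run on PHP 5 or 7 the loose case accepts the injected string (the validator false positive from the report), the strict case rejects the injected string but also rejects the legitimate '0', and the string-cast version accepts only '0'. Casting the haystack rather than the needle is the right direction: the needle is already a string from the request, and casting it to int would reintroduce the very coercion being exploited.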


Same type of bug as reported in ZF-11812, different location.

What is the best course of action here? Should we modify the InArray validator in the method specified?

After 1.12, as I'm not sure what the implications of this change are.