From 056f24a77428ad35e23cab6840a72b7c25c4ccc0 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Wed, 5 Aug 2015 23:05:30 -0400
Subject: [PATCH] Forbid direct prefix access with mixed casing.

Changing the casing up should not allow prefix method access.
---
 lib/Cake/Controller/Controller.php | 4 ++--
 .../Test/Case/Controller/ControllerTest.php | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/lib/Cake/Controller/Controller.php b/lib/Cake/Controller/Controller.php
index 8cd10fdf1..78381e90a 100644
--- a/lib/Cake/Controller/Controller.php
+++ b/lib/Cake/Controller/Controller.php
@@ -514,12 +514,12 @@ class Controller extends Object implements CakeEventListener {
 !$method->isPublic() || !in_array($method->name, $this->methods)
 );
- $prefixes = Router::prefixes();
+ $prefixes = array_map('strtolower', Router::prefixes());
 if (!$privateAction && !empty($prefixes)) {
 if (empty($request->params['prefix']) && strpos($request->params['action'], '_') > 0) {
 list($prefix) = explode('_', $request->params['action']);
- $privateAction = in_array($prefix, $prefixes);
+ $privateAction = in_array(strtolower($prefix), $prefixes);
 }
 }
 return $privateAction;
diff --git a/lib/Cake/Test/Case/Controller/ControllerTest.php b/lib/Cake/Test/Case/Controller/ControllerTest.php
index 534825e37..f319bd167 100644
--- a/lib/Cake/Test/Case/Controller/ControllerTest.php
+++ b/lib/Cake/Test/Case/Controller/ControllerTest.php
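Review bot: The prefix check at `list($prefix) = explode('_', $request->params['action']);` still derives the prefix from the caller-supplied action string and then normalises it with `strtolower`, which on the PHP versions this code targets follows the process locale (LC_CTYPE) rather than performing a fixed ASCII fold. As far as I recall ReflectionMethod::$name reports the method's declared casing rather than the string used to look it up, so taking the prefix from the resolved method, `list($prefix) = explode('_', $method->name);`, would make the guard independent of how the request spells the action and of locale, leaving `strtolower` only to cover mixed-case method declarations. Both `in_array` calls also use loose comparison; `in_array(strtolower($prefix), $prefixes, true)` keeps the membership test to exact string matches. The enclosing method starts outside the hunk, so the origin of `$method` is inferred from the visible `$method->isPublic()` call.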
@@ -1447,6 +1447,25 @@ class ControllerTest extends CakeTestCase {
 $Controller->invokeAction($url);
 }
+/**
+ * test invoking controller methods.
+ *
+ * @expectedException PrivateActionException
+ * @expectedExceptionMessage Private Action TestController::Admin_add() is not directly accessible.
+ * @return void
+ */
+ public function testInvokeActionPrefixProtectionCasing() {
+ Router::reload();
+ Router::connect('/admin/:controller/:action/*', array('prefix' => 'admin'));
+
+ $url = new CakeRequest('test/Admin_add/');
+ $url->addParams(array('controller' => 'test_controller', 'action' => 'Admin_add'));
+ $response = $this->getMock('CakeResponse');
+
+ $Controller = new TestController($url, $response);
+ $Controller->invokeAction($url);
+ }
+
 /**
 * test invoking controller methods.
 *
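Review bot: The docblock added above `testInvokeActionPrefixProtectionCasing` repeats the neighbouring test's summary `test invoking controller methods.` and does not say what this test pins; `* test that a prefixed action stays blocked when the caller changes the casing of the prefix.` would make the intent clear from the test list. The test also exercises a single spelling (`Admin_add`); an upper-case variant such as `ADMIN_add`, and a route declared with a mixed-case prefix, would additionally cover the `array_map('strtolower', Router::prefixes())` half of the fix, which this test leaves unexercised.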