Merge pull request #8075 from cakephp/security-method-2x

Backport SecurityComponent fixes from #8071 to 2.x
This commit is contained in:
Mark Story 2016-01-21 18:56:21 -05:00
commit 109d604c79
2 changed files with 32 additions and 24 deletions

View file

@ -224,7 +224,7 @@ class SecurityComponent extends Component {
$this->_secureRequired($controller); $this->_secureRequired($controller);
$this->_authRequired($controller); $this->_authRequired($controller);
$isPost = $this->request->is(array('post', 'put')); $hasData = !empty($this->request->data);
$isNotRequestAction = ( $isNotRequestAction = (
!isset($controller->request->params['requested']) || !isset($controller->request->params['requested']) ||
$controller->request->params['requested'] != 1 $controller->request->params['requested'] != 1
@ -234,7 +234,7 @@ class SecurityComponent extends Component {
return $this->blackHole($controller, 'auth'); return $this->blackHole($controller, 'auth');
} }
if (!in_array($this->_action, (array)$this->unlockedActions) && $isPost && $isNotRequestAction) { if (!in_array($this->_action, (array)$this->unlockedActions) && $hasData && $isNotRequestAction) {
if ($this->validatePost && $this->_validatePost($controller) === false) { if ($this->validatePost && $this->_validatePost($controller) === false) {
return $this->blackHole($controller, 'auth'); return $this->blackHole($controller, 'auth');
} }
@ -243,7 +243,7 @@ class SecurityComponent extends Component {
} }
} }
$this->generateToken($controller->request); $this->generateToken($controller->request);
if ($isPost && is_array($controller->request->data)) { if ($hasData && is_array($controller->request->data)) {
unset($controller->request->data['_Token']); unset($controller->request->data['_Token']);
} }
} }

View file

@ -330,19 +330,23 @@ class SecurityComponentTest extends CakeTestCase {
*/ */
public function testRequireAuthSucceed() { public function testRequireAuthSucceed() {
$_SERVER['REQUEST_METHOD'] = 'AUTH'; $_SERVER['REQUEST_METHOD'] = 'AUTH';
$this->Controller->Security->unlockedActions = array('posted');
$this->Controller->request['action'] = 'posted'; $this->Controller->request['action'] = 'posted';
$this->Controller->Security->requireAuth('posted'); $this->Controller->Security->requireAuth('posted');
$this->Controller->Security->startup($this->Controller); $this->Controller->Security->startup($this->Controller);
$this->assertFalse($this->Controller->failed); $this->assertFalse($this->Controller->failed);
$this->Controller->Security->Session->write('_Token', array( $this->Controller->Security->Session->write('_Token', array(
'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted') 'allowedControllers' => array('SecurityTest'),
'allowedActions' => array('posted')
)); ));
$this->Controller->request['controller'] = 'SecurityTest'; $this->Controller->request['controller'] = 'SecurityTest';
$this->Controller->request['action'] = 'posted'; $this->Controller->request['action'] = 'posted';
$this->Controller->request->data = array( $this->Controller->request->data = array(
'username' => 'willy', 'password' => 'somePass', '_Token' => '' 'username' => 'willy',
'password' => 'somePass',
'_Token' => ''
); );
$this->Controller->action = 'posted'; $this->Controller->action = 'posted';
$this->Controller->Security->requireAuth('posted'); $this->Controller->Security->requireAuth('posted');
@ -480,6 +484,29 @@ class SecurityComponentTest extends CakeTestCase {
$this->assertFalse($this->Controller->failed); $this->assertFalse($this->Controller->failed);
} }
/**
* Test that validatePost fires on GET with request data.
* This could happen when method overriding is used.
*
* @return void
* @triggers Controller.startup $this->Controller
*/
public function testValidatePostOnGetWithData() {
$_SERVER['REQUEST_METHOD'] = 'GET';
$this->Controller->Security->startup($this->Controller);
$fields = 'an-invalid-token';
$unlocked = '';
$this->Controller->request->data = [
'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
'_Token' => compact('fields', 'unlocked')
];
$this->assertFalse($this->Controller->failed, 'Should not be failed yet');
$this->Controller->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed, 'Should fail because of validatePost.');
}
/** /**
* Simple hash validation test * Simple hash validation test
* *
@ -1230,11 +1257,6 @@ class SecurityComponentTest extends CakeTestCase {
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes'))); $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
$this->Controller->request = $this->getMock('CakeRequest', array('is'));
$this->Controller->request->expects($this->once())->method('is')
->with(array('post', 'put'))
->will($this->returnValue(true));
$this->Controller->request->params['action'] = 'index'; $this->Controller->request->params['action'] = 'index';
$this->Controller->request->data = array( $this->Controller->request->data = array(
'_Token' => array( '_Token' => array(
@ -1299,11 +1321,6 @@ class SecurityComponentTest extends CakeTestCase {
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes'))); $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
$this->Controller->request = $this->getMock('CakeRequest', array('is'));
$this->Controller->request->expects($this->once())->method('is')
->with(array('post', 'put'))
->will($this->returnValue(true));
$this->Controller->request->params['action'] = 'index'; $this->Controller->request->params['action'] = 'index';
$this->Controller->request->data = array( $this->Controller->request->data = array(
'_Token' => array( '_Token' => array(
@ -1329,11 +1346,6 @@ class SecurityComponentTest extends CakeTestCase {
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('-5 minutes'))); $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('-5 minutes')));
$this->Controller->request = $this->getMock('CakeRequest', array('is'));
$this->Controller->request->expects($this->once())->method('is')
->with(array('post', 'put'))
->will($this->returnValue(true));
$this->Controller->request->params['action'] = 'index'; $this->Controller->request->params['action'] = 'index';
$this->Controller->request->data = array( $this->Controller->request->data = array(
'_Token' => array( '_Token' => array(
@ -1386,10 +1398,6 @@ class SecurityComponentTest extends CakeTestCase {
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes'))); $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
$this->Controller->request = $this->getMock('CakeRequest', array('is')); $this->Controller->request = $this->getMock('CakeRequest', array('is'));
$this->Controller->request->expects($this->once())->method('is')
->with(array('post', 'put'))
->will($this->returnValue(true));
$this->Controller->request->params['action'] = 'index'; $this->Controller->request->params['action'] = 'index';
$this->Controller->request->data = array( $this->Controller->request->data = array(
'_Token' => array( '_Token' => array(