Ensure that only the path and query are used to make the hash.

While including the entire protocol, host, port, path and query would be
even better in theory, it gets complicated when proxies and load
balancers are involved.

Fixes #3442

lib/Cake/Test/Case/View/Helper/FormHelperTest.php

@@ -1370,6 +1370,34 @@ class FormHelperTest extends CakeTestCase {
 		$this->assertEquals($expected, $this->Form->fields);
 	}
 
+/**
+ * Test that only the path + query elements of a form's URL show up in their hash.
+ *
+ * @return void
+ */
+	public function testSecuredFormUrlIgnoresHost() {
+		$this->Form->request['_Token'] = array('key' => 'testKey');
+
+		$expected = '5181b484c13caea4776618ed26a3aebbb026ecd8%3A';
+		$this->Form->create('Address', array(
+			'url' => array('controller' => 'articles', 'action' => 'view', 1, '?' => array('page' => 1))
+		));
+		$result = $this->Form->secure();
+		$this->assertContains($expected, $result);
+
+		$this->Form->create('Address', array('url' => 'http://localhost/articles/view/1?page=1'));
+		$result = $this->Form->secure();
+		$this->assertContains($expected, $result, 'Full URL should only use path and query.');
+
+		$this->Form->create('Address', array('url' => '/articles/view/1?page=1'));
+		$result = $this->Form->secure();
+		$this->assertContains($expected, $result, 'URL path + query should work.');
+
+		$this->Form->create('Address', array('url' => '/articles/view/1'));
+		$result = $this->Form->secure();
+		$this->assertNotContains($expected, $result, 'URL is different');
+	}
+
 /**
  * testDisableSecurityUsingForm method
  *

lib/Cake/View/Helper/FormHelper.php

@@ -466,7 +466,12 @@ class FormHelper extends AppHelper {
 			$this->setEntity($model, true);
 			$this->_introspectModel($model, 'fields');
 		}
-		$this->_lastAction = $action;
+		$query = parse_url($action, PHP_URL_QUERY);
+		if ($query) {
+			$query .= '?';
+		}
+		$this->_lastAction = parse_url($action, PHP_URL_PATH) . $query;
+
 		return $this->Html->useTag('form', $action, $htmlAttributes) . $append;
 	}