From 2ce2a2aaa986d063746da3ef937d85360a466eb5 Mon Sep 17 00:00:00 2001
From: James Watts
Date: Sat, 10 Aug 2013 13:30:02 +0200
Subject: [PATCH] Updated the handling of response status codes

Improved API integrity by blocking the ability to set invalid status codes according to the HTTP spec. This includes any non-numeric codes, or any code that is greater or less than 3 digits in length (100-999 being the accepted range).
---
 lib/Cake/Network/CakeResponse.php | 34 +++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index eb002788a..7e261532f 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -618,7 +618,7 @@ class CakeResponse {
  * Sets the HTTP status code to be sent
  * if $code is null the current code is returned
  *
- * @param integer $code
+ * @param integer $code the HTTP status code
  * @return integer current status code
  * @throws CakeException When an unknown status code is reached.
  */
@@ -635,31 +635,47 @@ class CakeResponse {
 /**
  * Queries & sets valid HTTP response codes & messages.
  *
- * @param integer|array $code If $code is an integer, then the corresponding code/message is
- * returned if it exists, null if it does not exist. If $code is an array,
- * then the 'code' and 'message' keys of each nested array are added to the default
- * HTTP codes. Example:
+ * @param integer|array $code If $code is an integer, then the corresponding code/message is
+ * returned if it exists, null if it does not exist. If $code is an array, then the
+ * keys are used as codes and the values as messages to add to the default HTTP
+ * codes. The codes must be integers greater than 99 and less than 1000. Keep in
+ * mind that the HTTP specification outlines that status codes begin with a digit
+ * between 1 and 5, which defines the class of response the client is to expect.
+ * Example:
  *
  * httpCodes(404); // returns array(404 => 'Not Found')
  *
  * httpCodes(array(
- * 701 => 'Unicorn Moved',
- * 800 => 'Unexpected Minotaur'
+ * 381 => 'Unicorn Moved',
+ * 555 => 'Unexpected Minotaur'
  * )); // sets these new values, and returns true
  *
+ * httpCodes(array(
+ * 0 => 'Nothing Here',
+ * -1 => 'Reverse Infinity',
+ * 12345 => 'Universal Password',
+ * 'Hello' => 'World'
+ * )); // throws an error due to invalid codes
+ *
+ * For more on HTTP status codes see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6.1
+ *
  * @return mixed associative array of the HTTP codes as keys, and the message
  * strings as values, or null of the given $code does not exist.
+ * @throws CakeException If an attempt is made to add an invalid status code
  */
 public function httpCodes($code = null) {
 if (empty($code)) {
 return $this->_statusCodes;
 }
-
 if (is_array($code)) {
+ $codes = array_keys($code);
+ $min = min($codes);
+ if (!is_int($min) || $min < 100 || max($codes) > 999) {
+ throw new CakeException(__d('cake_dev', 'Invalid status code'));
+ }
 $this->_statusCodes = $code + $this->_statusCodes;
 return true;
 }
-
 if (!isset($this->_statusCodes[$code])) {
 return null;
 }
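Review bot: The new guard `if (!is_int($min) || $min < 100 || max($codes) > 999)` inspects only the smallest and largest keys, so a non-integer key is rejected only if PHP's loose int-vs-string ordering happens to make it the minimum; that ordering changed in PHP 8, where a number and a non-numeric string compare as strings, and a leading-numeric key such as `'5x'` alongside valid codes appears to pass both the `min()` and `max()` tests there. Iterating over every key with `is_int($key) && $key >= 100 && $key <= 999` states the rule the docblock promises directly and does not depend on comparison semantics, and the array is small enough that the loop costs nothing. The rest of `httpCodes()` continues past the end of this hunk.
```php
		if (is_array($code)) {
			// Check every key explicitly rather than min()/max(), so validation
			// does not rely on how PHP orders integers against string keys.
			foreach (array_keys($code) as $key) {
				if (!is_int($key) || $key < 100 || $key > 999) {
					throw new CakeException(__d('cake_dev', 'Invalid status code'));
				}
			}
			// … unchanged: merge into $this->_statusCodes and return true …
```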