Updated the handling of response status codes

Improved API integrity by blocking the ability to set invalid status codes according to the HTTP spec. This includes any non-numeric codes, or any code that is shorter or longer than 3 digits (100-999 being the accepted range).
James Watts 2013-08-10 13:30:02 +02:00
parent 4b2117501e
commit 2ce2a2aaa9


@ -618,7 +618,7 @@ class CakeResponse {
* Sets the HTTP status code to be sent
* if $code is null the current code is returned
*
* @param integer $code
* @param integer $code the HTTP status code
* @return integer current status code
* @throws CakeException When an unknown status code is reached.
*/
@ -636,30 +636,46 @@ class CakeResponse {
* Queries & sets valid HTTP response codes & messages.
*
* @param integer|array $code If $code is an integer, then the corresponding code/message is
* returned if it exists, null if it does not exist. If $code is an array,
* then the 'code' and 'message' keys of each nested array are added to the default
* HTTP codes. Example:
* returned if it exists, null if it does not exist. If $code is an array, then the
* keys are used as codes and the values as messages to add to the default HTTP
* codes. The codes must be integers greater than 99 and less than 1000. Keep in
* mind that the HTTP specification outlines that status codes begin with a digit
* between 1 and 5, which defines the class of response the client is to expect.
* Example:
*
* httpCodes(404); // returns array(404 => 'Not Found')
*
* httpCodes(array(
* 701 => 'Unicorn Moved',
* 800 => 'Unexpected Minotaur'
* 381 => 'Unicorn Moved',
* 555 => 'Unexpected Minotaur'
* )); // sets these new values, and returns true
*
* httpCodes(array(
* 0 => 'Nothing Here',
* -1 => 'Reverse Infinity',
* 12345 => 'Universal Password',
* 'Hello' => 'World'
* )); // throws an error due to invalid codes
*
* For more on HTTP status codes see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6.1
*
* @return mixed associative array of the HTTP codes as keys, and the message
* strings as values, or null of the given $code does not exist.
* @throws CakeException If an attempt is made to add an invalid status code
*/
public function httpCodes($code = null) {
if (empty($code)) {
return $this->_statusCodes;
}
if (is_array($code)) {
$codes = array_keys($code);
$min = min($codes);
if (!is_int($min) || $min < 100 || max($codes) > 999) {
throw new CakeException(__d('cake_dev', 'Invalid status code'));
}
$this->_statusCodes = $code + $this->_statusCodes;
return true;
}
if (!isset($this->_statusCodes[$code])) {
return null;
}
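Review bot: The new validation in `httpCodes()` only inspects the two extremal keys (`$min = min($codes)` and `max($codes) > 999`), so whether a non-numeric string key such as `'Hello'` is rejected depends on how `min()` orders a string against integers rather than on an explicit per-key check; under PHP 8 comparison rules a non-numeric string compares greater than an integer, so `'Hello'` would no longer be the minimum, `is_int($min)` would pass, and the key would be merged into `$_statusCodes` despite the docblock example promising an exception. Testing every key with `is_int()` and the 100–999 bounds makes the rejection explicit and independent of comparison semantics (numeric-string keys such as `'404'` are already cast to int by PHP, so they still pass). The function's final `return array(...)` and closing brace lie outside the hunk.
```php
		if (is_array($code)) {
			foreach (array_keys($code) as $key) {
				if (!is_int($key) || $key < 100 || $key > 999) {
					throw new CakeException(__d('cake_dev', 'Invalid status code'));
				}
			}
			// … unchanged: merge into $this->_statusCodes and return true …
```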