From f3e590acfbcd75dc505c10edfd7433efd895153f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20W=C3=BCrth?= Date: Tue, 11 Aug 2015 16:29:48 +0200 Subject: [PATCH 01/14] Annotate test coverage --- lib/Cake/Test/Case/Utility/CakeTextTest.php | 45 ++++++++++++++++++++- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/lib/Cake/Test/Case/Utility/CakeTextTest.php b/lib/Cake/Test/Case/Utility/CakeTextTest.php index 7eface6e9..2e085c39a 100644 --- a/lib/Cake/Test/Case/Utility/CakeTextTest.php +++ b/lib/Cake/Test/Case/Utility/CakeTextTest.php @@ -19,17 +19,28 @@ App::uses('CakeText', 'Utility'); /** - * CakeTextTest class + * CakeText Tests * - * @package Cake.Test.Case.Utility + * @package Cake.Test.Case.Utility + * @coversDefaultClass CakeText */ class CakeTextTest extends CakeTestCase { +/** + * Setup object under test + * + * @return void + */ public function setUp() { parent::setUp(); $this->Text = new CakeText(); } +/** + * Tear down object under test + * + * @return void + */ public function tearDown() { parent::tearDown(); unset($this->Text); @@ -39,6 +50,7 @@ class CakeTextTest extends CakeTestCase { * testUuidGeneration method * * @return void + * @covers ::uuid */ public function testUuidGeneration() { $result = CakeText::uuid(); @@ -51,6 +63,7 @@ class CakeTextTest extends CakeTestCase { * testMultipleUuidGeneration method * * @return void + * @covers ::uuid */ public function testMultipleUuidGeneration() { $check = array(); @@ -70,6 +83,7 @@ class CakeTextTest extends CakeTestCase { * testInsert method * * @return void + * @covers ::insert */ public function testInsert() { $string = 'some string'; @@ -231,6 +245,7 @@ class CakeTextTest extends CakeTestCase { * test Clean Insert * * @return void + * @covers ::cleanInsert */ public function testCleanInsert() { $result = CakeText::cleanInsert(':incomplete', array( 
@@ -271,6 +286,7 @@ class CakeTextTest extends CakeTestCase { * CakeText::insert(). * * @return void + * @covers ::insert */ public function testAutoIgnoreBadInsertData() { $data = array('foo' => 'alpha', 'bar' => 'beta', 'fale' => array()); @@ -282,6 +298,7 @@ class CakeTextTest extends CakeTestCase { * testTokenize method * * @return void + * @covers ::tokenize */ public function testTokenize() { $result = CakeText::tokenize('A,(short,boring test)'); @@ -318,6 +335,7 @@ class CakeTextTest extends CakeTestCase { * testReplaceWithQuestionMarkInString method * * @return void + * @covers ::insert */ public function testReplaceWithQuestionMarkInString() { $string = ':a, :b and :c?'; @@ -331,6 +349,8 @@ class CakeTextTest extends CakeTestCase { * * @dataProvider wordWrapProvider * @return void + * @covers ::wordWrap + * @covers ::_wordWrap */ public function testWordWrap($text, $width, $break = "\n", $cut = false) { $result = CakeText::wordWrap($text, $width, $break, $cut); @@ -364,6 +384,8 @@ class CakeTextTest extends CakeTestCase { * test that wordWrap() properly handle unicode strings. * * @return void + * @covers ::wordWrap + * @covers ::_wordWrap */ public function testWordWrapUnicodeAware() { $text = 'Но вим омниюм факёльиси элыктрам, мюнырэ лэгыры векж ыт. Выльёт квюандо нюмквуам ты кюм. Зыд эю рыбюм.'; @@ -391,6 +413,8 @@ TEXT; * test that wordWrap() properly handle newline characters. * * @return void + * @covers ::wordWrap + * @covers ::_wordWrap */ public function testWordWrapNewlineAware() { $text = 'This is a line that is almost the 55 chars long. @@ -408,6 +432,9 @@ TEXT; * test wrap method. * * @return void + * @covers ::wrap + * @covers ::wordWrap + * @covers ::_wordWrap */ public function testWrap() { $text = 'This is the song that never ends. This is the song that never ends. This is the song that never ends.'; 
@@ -443,6 +470,9 @@ TEXT; * test wrap() indenting * * @return void + * @covers ::wrap + * @covers ::wordWrap + * @covers ::_wordWrap */ public function testWrapIndent() { $text = 'This is the song that never ends. This is the song that never ends. This is the song that never ends.'; @@ -459,6 +489,7 @@ TEXT; * testTruncate method * * @return void + * @covers ::truncate */ public function testTruncate() { $text1 = 'The quick brown fox jumps over the lazy dog'; @@ -564,6 +595,7 @@ podeís adquirirla.

* testTruncate method with non utf8 sites * * @return void + * @covers ::truncate */ public function testTruncateLegacy() { Configure::write('App.encoding', 'ISO-8859-1'); @@ -587,6 +619,7 @@ podeís adquirirla.

* testTail method * * @return void + * @covers ::tail */ public function testTail() { $text1 = 'The quick brown fox jumps over the lazy dog'; @@ -630,6 +663,7 @@ podeís adquirirla.

* testHighlight method * * @return void + * @covers ::highlight */ public function testHighlight() { $text = 'This is a test text'; @@ -664,6 +698,7 @@ podeís adquirirla.

* testHighlightHtml method * * @return void + * @covers ::highlight */ public function testHighlightHtml() { $text1 = '

strongbow isn’t real cider

'; @@ -690,6 +725,7 @@ podeís adquirirla.

* testHighlightMulti method * * @return void + * @covers ::highlight */ public function testHighlightMulti() { $text = 'This is a test text'; @@ -703,6 +739,7 @@ podeís adquirirla.

* testStripLinks method * * @return void + * @covers ::stripLinks */ public function testStripLinks() { $text = 'This is a test text'; @@ -730,6 +767,7 @@ podeís adquirirla.

* testHighlightCaseInsensitivity method * * @return void + * @covers ::highlight */ public function testHighlightCaseInsensitivity() { $text = 'This is a Test text'; @@ -746,6 +784,7 @@ podeís adquirirla.

* testExcerpt method * * @return void + * @covers ::excerpt */ public function testExcerpt() { $text = 'This is a phrase with test text to play with'; @@ -786,6 +825,7 @@ podeís adquirirla.

* testExcerptCaseInsensitivity method * * @return void + * @covers ::excerpt */ public function testExcerptCaseInsensitivity() { $text = 'This is a phrase with test text to play with'; @@ -803,6 +843,7 @@ podeís adquirirla.

* testListGeneration method * * @return void + * @covers ::toList */ public function testListGeneration() { $result = $this->Text->toList(array()); From 90a77f6ce5b6b6b39c9d643a79f43ec99143c383 Mon Sep 17 00:00:00 2001 From: James Tancock Date: Sun, 16 Aug 2015 19:06:12 +0100 Subject: [PATCH 02/14] Alter model exists to consider useTable --- lib/Cake/Model/Model.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/Cake/Model/Model.php b/lib/Cake/Model/Model.php index bfce2dd41..124bb394a 100644 --- a/lib/Cake/Model/Model.php +++ b/lib/Cake/Model/Model.php @@ -2895,6 +2895,10 @@ class Model extends Object implements CakeEventListener { return false; } + if ($this->useTable === false) { + return true; + } + return (bool)$this->find('count', array( 'conditions' => array( $this->alias . '.' . $this->primaryKey => $id From 0df7bcd26dd26788e46c976861a2f86ba7ffea60 Mon Sep 17 00:00:00 2001 From: mattmemmesheimer Date: Sun, 16 Aug 2015 17:55:03 -0500 Subject: [PATCH 03/14] Adding Flash element template files. --- lib/Cake/View/Elements/Flash/default.ctp | 8 +++++++- lib/Cake/View/Elements/Flash/error.ctp | 1 + lib/Cake/View/Elements/Flash/success.ctp | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) mode change 100644 => 100755 lib/Cake/View/Elements/Flash/default.ctp create mode 100755 lib/Cake/View/Elements/Flash/error.ctp create mode 100755 lib/Cake/View/Elements/Flash/success.ctp diff --git a/lib/Cake/View/Elements/Flash/default.ctp b/lib/Cake/View/Elements/Flash/default.ctp old mode 100644 new mode 100755 index ce0f61355..bc1e2c369 --- a/lib/Cake/View/Elements/Flash/default.ctp +++ b/lib/Cake/View/Elements/Flash/default.ctp @@ -1 +1,7 @@ -
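Review bot: The new early return makes exists() answer true for any id whenever useTable is false, without consulting anything, so a table-less model now reports a record as existing purely because the caller (ultimately the request) supplied an id. Anything keyed off exists() — presumably the insert-versus-update decision and any 'on' => 'create'/'update' validation rules, which are outside this hunk — then flips on a client-controlled value, which is the wrong default for a model with no store to check; false is the safer answer, and a later patch in this series does switch to `return false;`. Whichever value is settled on, the exists() docblock above this hunk should state the table-less behaviour, e.g. `When useTable is false there is no table to query; the result is fixed and does not depend on the id.` exists() starts before this hunk.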
\ No newline at end of file + +
diff --git a/lib/Cake/View/Elements/Flash/error.ctp b/lib/Cake/View/Elements/Flash/error.ctp new file mode 100755 index 000000000..6d6f27e6d --- /dev/null +++ b/lib/Cake/View/Elements/Flash/error.ctp @@ -0,0 +1 @@ +
diff --git a/lib/Cake/View/Elements/Flash/success.ctp b/lib/Cake/View/Elements/Flash/success.ctp new file mode 100755 index 000000000..4a375e60f --- /dev/null +++ b/lib/Cake/View/Elements/Flash/success.ctp @@ -0,0 +1 @@ +
From 604cb0e48bda36547ddad969fa391ded5fab3705 Mon Sep 17 00:00:00 2001 From: mattmemmesheimer Date: Sun, 16 Aug 2015 17:58:41 -0500 Subject: [PATCH 04/14] Including the FlashComponent by default in the controller when baking. --- lib/Cake/Console/Command/Task/ControllerTask.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Cake/Console/Command/Task/ControllerTask.php b/lib/Cake/Console/Command/Task/ControllerTask.php index 728358d66..fc2d91343 100644 --- a/lib/Cake/Console/Command/Task/ControllerTask.php +++ b/lib/Cake/Console/Command/Task/ControllerTask.php @@ -384,9 +384,9 @@ class ControllerTask extends BakeTask { * @return array Components the user wants to use. */ public function doComponents() { - $components = array('Paginator'); + $components = array('Paginator', 'Flash'); return array_merge($components, $this->_doPropertyChoices( - __d('cake_console', "Would you like this controller to use other components\nbesides PaginatorComponent?"), + __d('cake_console', "Would you like this controller to use other components\nbesides PaginatorComponent and FlashComponent?"), __d('cake_console', "Please provide a comma separated list of the component names you'd like to use.\nExample: 'Acl, Security, RequestHandler'") )); } From d3cf879195a52b45b27d18674edde0d3c55c615c Mon Sep 17 00:00:00 2001 From: mattmemmesheimer Date: Sun, 16 Aug 2015 18:01:23 -0500 Subject: [PATCH 05/14] Updating deprecated SessionComponent::setFlash calls to FlashComponent magic calls. --- .../Templates/default/actions/controller_actions.ctp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/Cake/Console/Templates/default/actions/controller_actions.ctp b/lib/Cake/Console/Templates/default/actions/controller_actions.ctp index b6b89a993..dfc309215 100644 --- a/lib/Cake/Console/Templates/default/actions/controller_actions.ctp +++ b/lib/Cake/Console/Templates/default/actions/controller_actions.ctp 
@@ -53,10 +53,10 @@ $this->->create(); if ($this->->save($this->request->data)) { - $this->Session->setFlash(__('The has been saved.')); + $this->Flash->success(__('The has been saved.')); return $this->redirect(array('action' => 'index')); } else { - $this->Session->setFlash(__('The could not be saved. Please, try again.')); + $this->Flash->error(__('The could not be saved. Please, try again.')); return $this->flash(__('The has been saved.'), array('action' => 'index')); @@ -94,10 +94,10 @@ if ($this->request->is(array('post', 'put'))) { if ($this->->save($this->request->data)) { - $this->Session->setFlash(__('The has been saved.')); + $this->Flash->success(__('The has been saved.')); return $this->redirect(array('action' => 'index')); } else { - $this->Session->setFlash(__('The could not be saved. Please, try again.')); + $this->Flash->error(__('The could not be saved. Please, try again.')); return $this->flash(__('The has been saved.'), array('action' => 'index')); @@ -138,9 +138,9 @@ $this->request->allowMethod('post', 'delete'); if ($this->->delete()) { - $this->Session->setFlash(__('The has been deleted.')); + $this->Flash->success(__('The has been deleted.')); } else { - $this->Session->setFlash(__('The could not be deleted. Please, try again.')); + $this->Flash->error(__('The could not be deleted. Please, try again.')); } return $this->redirect(array('action' => 'index')); From fd198ce0fa13b0dc72168f1ad33fcecdf341bd90 Mon Sep 17 00:00:00 2001 From: James Tancock Date: Mon, 17 Aug 2015 12:19:02 +0100 Subject: [PATCH 06/14] Edits to tests to cover the changes to Model::exists --- .../Test/Case/Model/ModelValidationTest.php | 38 +++++++++++++++++++ lib/Cake/Test/Case/Model/ModelWriteTest.php | 11 +----- 2 files changed, 39 insertions(+), 10 deletions(-) diff --git a/lib/Cake/Test/Case/Model/ModelValidationTest.php b/lib/Cake/Test/Case/Model/ModelValidationTest.php index ba81c7199..0edd3fe5f 100644 --- a/lib/Cake/Test/Case/Model/ModelValidationTest.php 
+++ b/lib/Cake/Test/Case/Model/ModelValidationTest.php @@ -554,6 +554,44 @@ class ModelValidationTest extends BaseModelTest { $this->assertEquals($expected, $result); } +/** + * test that validates() still performs correctly when useTable = false on the mode. + * + * @return void + */ + public function testValidatesWithNoTable() { + $TestModel = new TheVoid(); + $TestModel->validate = array( + 'title' => array( + 'notEmpty' => array( + 'rule' => array('notBlank'), + 'required' => true, + ), + 'tooShort' => array( + 'rule' => array('minLength', 10), + ), + ), + ); + $data = array( + 'TheVoid' => array( + 'title' => 'too short', + ), + ); + $TestModel->create($data); + $result = $TestModel->validates(); + $this->assertFalse($result); + + $data = array( + 'TheVoid' => array( + 'id' => '1', + 'title' => 'A good title', + ), + ); + $TestModel->create($data); + $result = $TestModel->validates(); + $this->assertTrue($result); + } + /** * test that validates() checks all the 'with' associations as well for validation * as this can cause partial/wrong data insertion. diff --git a/lib/Cake/Test/Case/Model/ModelWriteTest.php b/lib/Cake/Test/Case/Model/ModelWriteTest.php index 9ad34df01..63b22ab6c 100644 --- a/lib/Cake/Test/Case/Model/ModelWriteTest.php +++ b/lib/Cake/Test/Case/Model/ModelWriteTest.php @@ -2785,18 +2785,9 @@ class ModelWriteTest extends BaseModelTest { $TestModel = new TheVoid(); $this->assertFalse($TestModel->exists()); - } -/** - * testRecordExistsMissingTable method - * - * @expectedException PDOException - * @return void - */ - public function testRecordExistsMissingTable() { - $TestModel = new TheVoid(); $TestModel->id = 5; - $TestModel->exists(); + $this->assertTrue($TestModel->exists()); } /** From 2f7cc052d25af0b84734a76970b1f3c5c51835d4 Mon Sep 17 00:00:00 2001 
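Review bot: testValidatesWithNoTable never uses a rule scoped with 'on' => 'create' or 'on' => 'update', yet that scoping is the part of validates() whose outcome plausibly depends on what exists() returns for a table-less model (the validator itself is not in this patch); with the two datasets here the assertions come out the same whatever exists() returned, so the test does not pin the behaviour the series is changing. Add a case on the id-bearing dataset such as `'tooShort' => array('rule' => array('minLength', 10), 'on' => 'update')` and assert the result you intend for a model without a table. The ModelWriteTest hunk on the same line asserts exists() is true for id 5, the value a later patch flips, so the intended contract should be settled before the tests are written around it.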
From: James Tancock
Date: Mon, 17 Aug 2015 13:15:35 +0100
Subject: [PATCH 07/14] Typo in tests docblock

---
 lib/Cake/Test/Case/Model/ModelValidationTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Cake/Test/Case/Model/ModelValidationTest.php b/lib/Cake/Test/Case/Model/ModelValidationTest.php
index 0edd3fe5f..bd65b16e9 100644
--- a/lib/Cake/Test/Case/Model/ModelValidationTest.php
+++ b/lib/Cake/Test/Case/Model/ModelValidationTest.php
@@ -555,7 +555,7 @@ class ModelValidationTest extends BaseModelTest {
 }
 
 /**
- * test that validates() still performs correctly when useTable = false on the mode.
+ * test that validates() still performs correctly when useTable = false on the model.
  *
  * @return void
  */

From fdb41e01bbe9f8dbb96d4d506f7faba5d0b77c23 Mon Sep 17 00:00:00 2001
From: James Tancock
Date: Tue, 18 Aug 2015 13:07:30 +0100
Subject: [PATCH 08/14] Alter Model::exists() to return false with no table

---
 lib/Cake/Model/Model.php | 2 +-
 lib/Cake/Test/Case/Model/ModelWriteTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Cake/Model/Model.php b/lib/Cake/Model/Model.php
index 124bb394a..9ded1b59e 100644
--- a/lib/Cake/Model/Model.php
+++ b/lib/Cake/Model/Model.php
@@ -2896,7 +2896,7 @@ class Model extends Object implements CakeEventListener {
 }
 
 if ($this->useTable === false) {
- return true;
+ return false;
 }
 
 return (bool)$this->find('count', array(
diff --git a/lib/Cake/Test/Case/Model/ModelWriteTest.php b/lib/Cake/Test/Case/Model/ModelWriteTest.php
index 63b22ab6c..7974fa7cc 100644
--- a/lib/Cake/Test/Case/Model/ModelWriteTest.php
+++ b/lib/Cake/Test/Case/Model/ModelWriteTest.php
@@ -2787,7 +2787,7 @@ class ModelWriteTest extends BaseModelTest {
 $this->assertFalse($TestModel->exists());
 
 $TestModel->id = 5;
- $this->assertTrue($TestModel->exists());
+ $this->assertFalse($TestModel->exists());
 }
 
 /**

From 5b92c900e6318e067e7f47df0ade8f92790642f2 Mon Sep 17 00:00:00 2001
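Review bot: The docblock of exists(), which sits above this hunk, still describes only the table-backed lookup, so nothing tells a reader that a table-less model now reports every id as non-existent — and, since the early return precedes the find('count') call, that no query is issued at all. Suggest adding to the docblock: `Models with useTable === false always return false: there is no table to check against, so callers that decide create-versus-update via exists() will treat such records as new.` The strict `=== false` is right, as useTable may also hold a table name string. exists() starts before this hunk.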
From: James Tancock Date: Tue, 18 Aug 2015 13:32:16 +0100 Subject: [PATCH 09/14] Missing test fix ModelIntegration --- lib/Cake/Test/Case/Model/ModelIntegrationTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Cake/Test/Case/Model/ModelIntegrationTest.php b/lib/Cake/Test/Case/Model/ModelIntegrationTest.php index 1aacd7662..65ab2ad3a 100644 --- a/lib/Cake/Test/Case/Model/ModelIntegrationTest.php +++ b/lib/Cake/Test/Case/Model/ModelIntegrationTest.php @@ -1334,7 +1334,7 @@ class ModelIntegrationTest extends BaseModelTest { $Article->useTable = false; $Article->id = 1; $result = $Article->exists(); - $this->assertTrue($result); + $this->assertFalse($result); } /** From d4467f9acf42b0899a63bf4568c96ee442a481d1 Mon Sep 17 00:00:00 2001 From: mattmemmesheimer Date: Tue, 18 Aug 2015 22:14:10 -0500 Subject: [PATCH 10/14] Fixing unit tests. --- .../Case/Console/Command/Task/ControllerTaskTest.php | 6 +++--- .../bake_compare/Controller/ActionsUsingSessions.ctp | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php b/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php index ded7e9596..9d8c9e2b2 100644 --- a/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php +++ b/lib/Cake/Test/Case/Console/Command/Task/ControllerTaskTest.php @@ -222,7 +222,7 @@ class ControllerTaskTest extends CakeTestCase { public function testDoComponentsNo() { $this->Task->expects($this->any())->method('in')->will($this->returnValue('n')); $result = $this->Task->doComponents(); - $this->assertSame(array('Paginator'), $result); + $this->assertSame(array('Paginator', 'Flash'), $result); } /** 
@@ -235,7 +235,7 @@ class ControllerTaskTest extends CakeTestCase { $this->Task->expects($this->at(1))->method('in')->will($this->returnValue(' RequestHandler, Security ')); $result = $this->Task->doComponents(); - $expected = array('Paginator', 'RequestHandler', 'Security'); + $expected = array('Paginator', 'Flash', 'RequestHandler', 'Security'); $this->assertEquals($expected, $result); } @@ -249,7 +249,7 @@ class ControllerTaskTest extends CakeTestCase { $this->Task->expects($this->at(1))->method('in')->will($this->returnValue(' RequestHandler, Security, , ')); $result = $this->Task->doComponents(); - $expected = array('Paginator', 'RequestHandler', 'Security'); + $expected = array('Paginator', 'Flash', 'RequestHandler', 'Security'); $this->assertEquals($expected, $result); } diff --git a/lib/Cake/Test/bake_compare/Controller/ActionsUsingSessions.ctp b/lib/Cake/Test/bake_compare/Controller/ActionsUsingSessions.ctp index 5cd6a4dee..b4072d770 100644 --- a/lib/Cake/Test/bake_compare/Controller/ActionsUsingSessions.ctp +++ b/lib/Cake/Test/bake_compare/Controller/ActionsUsingSessions.ctp @@ -33,10 +33,10 @@ if ($this->request->is('post')) { $this->BakeArticle->create(); if ($this->BakeArticle->save($this->request->data)) { - $this->Session->setFlash(__('The bake article has been saved.')); + $this->Flash->success(__('The bake article has been saved.')); return $this->redirect(array('action' => 'index')); } else { - $this->Session->setFlash(__('The bake article could not be saved. Please, try again.')); + $this->Flash->error(__('The bake article could not be saved. Please, try again.')); } } $bakeTags = $this->BakeArticle->BakeTag->find('list'); 
@@ -56,10 +56,10 @@ } if ($this->request->is(array('post', 'put'))) { if ($this->BakeArticle->save($this->request->data)) { - $this->Session->setFlash(__('The bake article has been saved.')); + $this->Flash->success(__('The bake article has been saved.')); return $this->redirect(array('action' => 'index')); } else { - $this->Session->setFlash(__('The bake article could not be saved. Please, try again.')); + $this->Flash->error(__('The bake article could not be saved. Please, try again.')); } } else { $options = array('conditions' => array('BakeArticle.' . $this->BakeArticle->primaryKey => $id)); @@ -83,9 +83,9 @@ } $this->request->allowMethod('post', 'delete'); if ($this->BakeArticle->delete()) { - $this->Session->setFlash(__('The bake article has been deleted.')); + $this->Flash->success(__('The bake article has been deleted.')); } else { - $this->Session->setFlash(__('The bake article could not be deleted. Please, try again.')); + $this->Flash->error(__('The bake article could not be deleted. Please, try again.')); } return $this->redirect(array('action' => 'index')); } From 8fe953548c65b85cf1a919709047fe273d932339 Mon Sep 17 00:00:00 2001 From: ndm2 Date: Wed, 19 Aug 2015 16:47:53 +0200 Subject: [PATCH 11/14] Fix path traversal check for Windows based systems On Windows based systems, both, backward as well as forward slashes are supported as path separators, thus checking for `DS` only, would allow to slip in `../` fragments. refs #5905, cad57dcc28ed9996b52e681ae06d62bc7b5c79c0 --- lib/Cake/Network/CakeResponse.php | 2 +- lib/Cake/Test/Case/Network/CakeResponseTest.php | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php index 3c5a3c46a..a19299228 100644 --- a/lib/Cake/Network/CakeResponse.php +++ b/lib/Cake/Network/CakeResponse.php 
@@ -1337,7 +1337,7 @@ class CakeResponse {
 'download' => null
 );
 
- if (strpos($path, '..' . DS) !== false) {
+ if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 throw new NotFoundException(__d(
 'cake_dev',
 'The requested file contains `..` and will not be read.'
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index 41e2eba07..6abe8c97b 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@@ -1167,17 +1167,29 @@ class CakeResponseTest extends CakeTestCase {
 }
 
 /**
- * test file with ..
+ * test file with ../
  *
  * @expectedException NotFoundException
  * @expectedExceptionMessage The requested file contains `..` and will not be read.
  * @return void
  */
- public function testFileWithPathTraversal() {
+ public function testFileWithForwardSlashPathTraversal() {
 $response = new CakeResponse();
 $response->file('my/../cat.gif');
 }
 
+/**
+ * test file with ..\
+ *
+ * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
+ * @return void
+ */
+ public function testFileWithBackwardSlashPathTraversal() {
+ $response = new CakeResponse();
+ $response->file('my\..\cat.gif');
+ }
+
 /**
  * Although unlikely, a file may contain dots in its filename.
  * This should be allowed, as long as the dots doesn't specify a path (../ or ..\)

From 7d5e6e3a3e3498c7ebfa004ba25f71f1283708b3 Mon Sep 17 00:00:00 2001
From: mattmemmesheimer
Date: Wed, 19 Aug 2015 17:50:47 -0500
Subject: [PATCH 12/14] Reverting accidental chmod.

---
 lib/Cake/View/Elements/Flash/default.ctp | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 lib/Cake/View/Elements/Flash/default.ctp

diff --git a/lib/Cake/View/Elements/Flash/default.ctp b/lib/Cake/View/Elements/Flash/default.ctp
old mode 100755
new mode 100644

From 70feb52f73861ed3177b8eda0a957c375f811170 Mon Sep 17 00:00:00 2001
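Review bot: The reason both separators are now checked regardless of DS lives only in the commit message; the condition itself reads as redundant on a POSIX host, and a future "cleanup" back to `'..' . DS` would silently reopen the traversal. Put the why on the line: `// Reject both separators regardless of DS: Windows accepts '/' as well as '\', so checking DS alone lets '../' through on that platform.` It is also worth a second sentence in that comment that on POSIX a backslash is a legal filename byte, so rejecting `..\` there is a deliberate over-reject accepted for simplicity. The two added tests cover exactly the two substrings; the rest of file(), including what happens to $path after this check, is outside the hunk.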
From: mattmemmesheimer Date: Thu, 20 Aug 2015 20:19:22 -0500 Subject: [PATCH 13/14] Changing the default layout to use FlashComponent::render instead of the deprecated SessionComponent::flash. Changing the flash elements to retain the id attribute that was previously present. Also fixing file permissions on the template files I added. --- app/View/Layouts/default.ctp | 2 +- lib/Cake/View/Elements/Flash/default.ctp | 2 +- lib/Cake/View/Elements/Flash/error.ctp | 2 +- lib/Cake/View/Elements/Flash/success.ctp | 2 +- lib/Cake/View/Helper/FlashHelper.php | 1 + 5 files changed, 5 insertions(+), 4 deletions(-) mode change 100755 => 100644 lib/Cake/View/Elements/Flash/error.ctp mode change 100755 => 100644 lib/Cake/View/Elements/Flash/success.ctp diff --git a/app/View/Layouts/default.ctp b/app/View/Layouts/default.ctp index fb4e9f36e..5815ead6e 100644 --- a/app/View/Layouts/default.ctp +++ b/app/View/Layouts/default.ctp @@ -42,7 +42,7 @@ $cakeVersion = __d('cake_dev', 'CakePHP %s', Configure::version())
- Session->flash(); ?> + Flash->render(); ?> fetch('content'); ?>
diff --git a/lib/Cake/View/Elements/Flash/default.ctp b/lib/Cake/View/Elements/Flash/default.ctp index bc1e2c369..3080c523a 100644 --- a/lib/Cake/View/Elements/Flash/default.ctp +++ b/lib/Cake/View/Elements/Flash/default.ctp @@ -4,4 +4,4 @@ if (!empty($params['class'])) { $class .= ' ' . $params['class']; } ?> -
+
diff --git a/lib/Cake/View/Elements/Flash/error.ctp b/lib/Cake/View/Elements/Flash/error.ctp old mode 100755 new mode 100644 index 6d6f27e6d..376456988 --- a/lib/Cake/View/Elements/Flash/error.ctp +++ b/lib/Cake/View/Elements/Flash/error.ctp @@ -1 +1 @@ -
+
diff --git a/lib/Cake/View/Elements/Flash/success.ctp b/lib/Cake/View/Elements/Flash/success.ctp old mode 100755 new mode 100644 index 4a375e60f..13932bd70 --- a/lib/Cake/View/Elements/Flash/success.ctp +++ b/lib/Cake/View/Elements/Flash/success.ctp @@ -1 +1 @@ -
+
diff --git a/lib/Cake/View/Helper/FlashHelper.php b/lib/Cake/View/Helper/FlashHelper.php index 46dc67ac4..058d19125 100644 --- a/lib/Cake/View/Helper/FlashHelper.php +++ b/lib/Cake/View/Helper/FlashHelper.php @@ -84,6 +84,7 @@ class FlashHelper extends AppHelper { $flash = $options + $flash; CakeSession::delete("Message.$key"); + $flash['key'] = $key; return $this->_View->element($flash['element'], $flash); } From 0df0f1a5592df6ece965b6029abea1e91340ceb1 Mon Sep 17 00:00:00 2001 From: mark_story Date: Thu, 20 Aug 2015 22:36:09 -0400 Subject: [PATCH 14/14] Don't use short tags. They are not broadly supported before PHP 5.4 and we should escape all the content the core templates output. --- lib/Cake/View/Elements/Flash/default.ctp | 2 +- lib/Cake/View/Elements/Flash/error.ctp | 2 +- lib/Cake/View/Elements/Flash/success.ctp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/Cake/View/Elements/Flash/default.ctp b/lib/Cake/View/Elements/Flash/default.ctp index 3080c523a..820340ed4 100644 --- a/lib/Cake/View/Elements/Flash/default.ctp +++ b/lib/Cake/View/Elements/Flash/default.ctp @@ -4,4 +4,4 @@ if (!empty($params['class'])) { $class .= ' ' . $params['class']; } ?> -
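Review bot: `$flash['key'] = $key;` runs after `$flash = $options + $flash;`, so a 'key' passed in $options is silently overwritten by the session key; if that precedence is intended, say so on the line, e.g. `// expose the session key to the element (used as its id); deliberately not overridable via $options`. The commit message says the elements put this value in an id attribute, so whichever element consumes it must emit it through h() — the element hunks in this patch are stripped on this page, so I cannot confirm that here. $key is whatever the caller handed to render(), not request input, so this is hygiene rather than a live injection, but core templates should escape everything they output, as the following patch itself states. render() starts before this hunk.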
+
diff --git a/lib/Cake/View/Elements/Flash/error.ctp b/lib/Cake/View/Elements/Flash/error.ctp index 376456988..278321458 100644 --- a/lib/Cake/View/Elements/Flash/error.ctp +++ b/lib/Cake/View/Elements/Flash/error.ctp @@ -1 +1 @@ -
+
diff --git a/lib/Cake/View/Elements/Flash/success.ctp b/lib/Cake/View/Elements/Flash/success.ctp index 13932bd70..dd2f8e528 100644 --- a/lib/Cake/View/Elements/Flash/success.ctp +++ b/lib/Cake/View/Elements/Flash/success.ctp @@ -1 +1 @@ -
+