From 47eb4210917e65c7b7feef733809692794b63654 Mon Sep 17 00:00:00 2001
From: phpnut
Date: Thu, 20 Mar 2008 07:17:37 +0000
Subject: [PATCH] "Adding fix to Auth::identity(); for errors thrown on invalid input. Added tests for invalid input. Debug is turned off in this area of code because of the CakePHP errors handling, messages could cause long delays and exception noticed when debug > 0."

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@6593 3807eeeb-6ff5-0310-8944-8be069107fe0
---
 cake/libs/controller/components/auth.php | 13 +++++++--
 .../libs/controller/components/auth.test.php | 28 +++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/cake/libs/controller/components/auth.php b/cake/libs/controller/components/auth.php
index 07e4c918e..e5af3ad53 100644
--- a/cake/libs/controller/components/auth.php
+++ b/cake/libs/controller/components/auth.php
@@ -293,8 +293,8 @@ class AuthComponent extends Object {
 }
 $data = array(
- $this->userModel . '.' . $this->fields['username'] => '= ' . $controller->data[$this->userModel][$this->fields['username']],
- $this->userModel . '.' . $this->fields['password'] => '= ' . $controller->data[$this->userModel][$this->fields['password']]
+ $this->userModel . '.' . $this->fields['username'] => $controller->data[$this->userModel][$this->fields['username']],
+ $this->userModel . '.' . $this->fields['password'] => $controller->data[$this->userModel][$this->fields['password']]
 );
 if ($this->login($data)) {
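Review bot: The two new lines forward the submitted username and password to `login()` without the former `'= '` prefix, but nothing in the hunk records why the prefix was wrong; the operator-like usernames in the new tests suggest the prefix made the condition builder treat the user-supplied value as a raw comparison expression instead of a value to quote, and that is worth stating so the prefix is not reintroduced later. Suggest adding above `$data = array(` the comment `// Pass the raw values: a leading operator string would be read by the condition builder as an expression rather than as a value to quote.` — hedged, since the condition-building code is not in this diff. The enclosing method starts and ends outside the hunk, so whether the `$controller->data[...]` keys are guaranteed to exist at this point is not visible here.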
@@ -722,8 +722,12 @@ class AuthComponent extends Object {
 } elseif (is_array($user) && isset($user[$this->userModel])) {
 $user = $user[$this->userModel];
 }
-
+ $debug = false;
+ if ($debug = Configure::read('debug')) {
+ Configure::write('debug', 0);
+ }
 if (is_array($user) && (isset($user[$this->fields['username']]) || isset($user[$this->userModel . '.' . $this->fields['username']]))) {
+
 if (isset($user[$this->fields['username']]) && !empty($user[$this->fields['username']]) && !empty($user[$this->fields['password']])) {
 if (trim($user[$this->fields['username']]) == '=' || trim($user[$this->fields['password']]) == '=') {
 return false;
@@ -756,6 +760,9 @@ class AuthComponent extends Object {
 return null;
 }
 }
+ if ($debug) {
+ Configure::write('debug', $debug);
+ }
 if (isset($data) && !empty($data)) {
 if (!empty($data[$this->userModel][$this->fields['password']])) {
 unset($data[$this->userModel][$this->fields['password']]);
diff --git a/cake/tests/cases/libs/controller/components/auth.test.php b/cake/tests/cases/libs/controller/components/auth.test.php
index 1607cd179..b77771795 100644
--- a/cake/tests/cases/libs/controller/components/auth.test.php
+++ b/cake/tests/cases/libs/controller/components/auth.test.php
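Review bot: The `return false;` at the bottom of this hunk (and the `return null;` at the top of the `@@ -756` hunk) leave identify() after `Configure::write('debug', 0)` but before the added `if ($debug) { Configure::write('debug', $debug); }`, so a rejected login leaves debug switched off for the rest of the request; any other early return between the two hunks would do the same. Either restore the saved level before every early return, or narrow the toggle to the few statements whose output is being silenced so that the write and the restore sit next to each other. Separately, `$debug = false;` is dead because the next line overwrites it with an assignment inside the condition; `$debug = Configure::read('debug'); if ($debug) { Configure::write('debug', 0); }` reads more plainly and makes the guard on the restore obvious. The identify() body starts before and continues after these hunks, so the number of early returns is not visible here.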
@@ -161,6 +161,34 @@ class AuthTest extends CakeTestCase {
 $user = $this->Controller->Auth->user();
 $this->assertEqual($user, array('AuthUser'=>array('id'=>1, 'username'=>'mariano', 'created'=> '2007-03-17 01:16:23', 'updated'=> date('Y-m-d H:i:s'))));
 $this->Controller->Session->del('Auth');
+
+ $this->Controller->data['AuthUser']['username'] = 'blah';
+ $this->Controller->data['AuthUser']['password'] = '';
+
+ $this->Controller->Auth->startup($this->Controller);
+
+ $user = $this->Controller->Auth->user();
+ $this->assertFalse($user);
+ $this->Controller->Session->del('Auth');
+
+ $this->Controller->data['AuthUser']['username'] = 'now() or 1=1 --';
+ $this->Controller->data['AuthUser']['password'] = '';
+
+ $this->Controller->Auth->startup($this->Controller);
+
+ $user = $this->Controller->Auth->user();
+ $this->assertFalse($user);
+ $this->Controller->Session->del('Auth');
+
+ $this->Controller->data['AuthUser']['username'] = 'now() or 1=1 # something';
+ $this->Controller->data['AuthUser']['password'] = '';
+
+ $this->Controller->Auth->startup($this->Controller);
+
+ $user = $this->Controller->Auth->user();
+ $this->assertFalse($user);
+ $this->Controller->Session->del('Auth');
+
 }

 function testAuthorizeFalse() {
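Review bot: All three new cases set the password to `''`, so the `!empty($user[$this->fields['password']])` guard added in identify() rejects them before the username is ever used in a lookup; `assertFalse($user)` therefore passes whether or not the operator-like username is quoted correctly, which is exactly the property the removal of the `'= '` prefix is meant to protect. Add at least one case that pairs the same username with a non-empty, wrong password so the lookup is actually executed and still yields false. Since identify() now toggles the debug level, it would also be worth asserting after each `startup()` call that `Configure::read('debug')` equals the value read before the call. The three blocks differ only in the username and would read better as a loop over a list of inputs. The enclosing test method starts outside the hunk.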