From 1117ad2f1ce7482bc7d1c19ee5055c5ee63567c9 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Sat, 29 Dec 2012 11:43:06 -0500
Subject: [PATCH] Blackhole requests when the action is the blackhole callback.
When a user requests the blackhole callback as an action we should blackhole that request. The blackhole callback should not be URL accessible.
Fixes #3496
---
 .../Controller/Component/SecurityComponent.php | 9 ++++++---
 .../Component/SecurityComponentTest.php | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
index 907b43a8f..f8fe0dfbb 100644
--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -218,6 +218,10 @@ class SecurityComponent extends Component {
 $controller->request->params['requested'] != 1
 );
 
+ if ($this->_action == $this->blackHoleCallback) {
+ return $this->blackhole($controller, 'auth');
+ }
+
 if ($isPost && $isNotRequestAction && $this->validatePost) {
 if ($this->_validatePost($controller) === false) {
 return $this->blackHole($controller, 'auth');
@@ -309,11 +313,10 @@ class SecurityComponent extends Component {
 * @throws BadRequestException
 */
 public function blackHole(Controller $controller, $error = '') {
- if ($this->blackHoleCallback == null) {
+ if (!$this->blackHoleCallback) {
 throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
- } else {
- return $this->_callback($controller, $this->blackHoleCallback, array($error));
 }
+ return $this->_callback($controller, $this->blackHoleCallback, array($error));
 }
 
 /**
diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
index 84f78036b..1d1e7f852 100644
--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
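Review bot: The new guard `if ($this->_action == $this->blackHoleCallback)` compares the requested action name case-sensitively, but PHP resolves method names case-insensitively, so a request for `/posts/Fail` would presumably pass this check and still be dispatched to the `fail()` callback — confirm against how the controller invokes actions, since that code is not in this hunk. A case-insensitive, strictly-typed form closes that gap and also skips the loose `==` against a null callback: `if ($this->blackHoleCallback && strcasecmp($this->_action, $this->blackHoleCallback) === 0) {`. The call on the following added line is spelled `$this->blackhole(...)` while the rest of this hunk and the method below use `blackHole`; it only works because of the same case-insensitivity and should read `return $this->blackHole($controller, 'auth');`. The enclosing startup() method begins before this hunk, so where `_action` is populated from the request is not visible here.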
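Review bot: Replacing `== null` with `!$this->blackHoleCallback` in blackHole() switches the "no callback configured" test to truthiness, so a callback method named `'0'` would now throw BadRequestException instead of being invoked; that is almost certainly not a real configuration, but an explicit `if ($this->blackHoleCallback === null || $this->blackHoleCallback === '') {` states the intent without the truthiness surprise. The docblock above the method (its first lines are outside the hunk) only lists `@throws BadRequestException`; given this commit's purpose it should also state that the callback is invoked by name through `_callback()` and that a request naming the callback as its action is itself blackholed during startup, so that nobody later exposes it as a routable action.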
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -194,6 +194,22 @@ class SecurityComponentTest extends CakeTestCase {
 $this->Controller->Security->blackHole($this->Controller, 'csrf');
 }
 
+/**
+ * Ensure that directly requesting the blackholeCallback as the controller
+ * action results in an exception.
+ *
+ * @return void
+ */
+ public function testExceptionWhenActionIsBlackholeCallback() {
+ $this->Controller->request->addParams(array(
+ 'controller' => 'posts',
+ 'action' => 'fail'
+ ));
+ $this->assertFalse($this->Controller->failed);
+ $this->Controller->Security->startup($this->Controller);
+ $this->assertTrue($this->Controller->failed, 'Request was blackholed.');
+ }
+
 /**
 * test that initialize can set properties.
 *
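Review bot: The docblock says the request "results in an exception", but the test asserts the `$this->Controller->failed` flag, which the fixture's callback presumably sets (the `fail()` method is not in this hunk) — no exception is expected or asserted, and the method name `testExceptionWhenActionIsBlackholeCallback` repeats the mismatch. The docblock should read `* Ensure that directly requesting the blackHoleCallback as the controller action is itself blackholed (the callback runs instead of the action).` and the method could be named `testBlackholeWhenActionIsBlackholeCallback`. Because PHP method names are case-insensitive, a second dataset with `'action' => 'Fail'` would pin down that a differently-cased request cannot reach the callback; if the component's comparison stays case-sensitive that case would fail, which is exactly the gap it is meant to expose.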