From c327bdc4bd309ce07fe2c20a2a9123f2165cae76 Mon Sep 17 00:00:00 2001 From: mark_story Date: Sat, 27 Apr 2013 13:29:29 -0400 Subject: [PATCH 1/3] Enforce model aliases when generating order by clauses. Invalid SQL could be created by sorting on an invalid alias, with a field that exists on the model. Fixes #3797 --- .../Component/PaginatorComponent.php | 3 ++- .../Component/PaginatorComponentTest.php | 25 ++++++++++++++++--- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/lib/Cake/Controller/Component/PaginatorComponent.php b/lib/Cake/Controller/Component/PaginatorComponent.php index c9e817920..c02f4f69e 100644 --- a/lib/Cake/Controller/Component/PaginatorComponent.php +++ b/lib/Cake/Controller/Component/PaginatorComponent.php @@ -372,6 +372,7 @@ class PaginatorComponent extends Component { $field = key($options['order']); if (!in_array($field, $whitelist)) { $options['order'] = null; + return $options; } } @@ -385,7 +386,7 @@ class PaginatorComponent extends Component { } if ($object->hasField($field)) { - $order[$alias . '.' . $field] = $value; + $order[$object->alias . '.' . $field] = $value; } elseif ($object->hasField($key, true)) { $order[$field] = $value; } elseif (isset($object->{$alias}) && $object->{$alias}->hasField($field, true)) { diff --git a/lib/Cake/Test/Case/Controller/Component/PaginatorComponentTest.php b/lib/Cake/Test/Case/Controller/Component/PaginatorComponentTest.php index 39a97f6e1..56959e9a2 100644 --- a/lib/Cake/Test/Case/Controller/Component/PaginatorComponentTest.php +++ b/lib/Cake/Test/Case/Controller/Component/PaginatorComponentTest.php 
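Review bot: The whitelist check that the first PaginatorComponent hunk now returns from validates only `key($options['order'])`, the first key of the order array, so if `$options['order']` ever carries several keys the remaining ones are never compared against `$whitelist` before falling through to the field checks below. Whether a multi-key order can originate from the request depends on how the request params are merged earlier in paginate(), which is outside this hunk; if it cannot, a short comment documenting that assumption at the `key()` call would keep it visible, otherwise check every key, e.g. `if (array_diff(array_keys($options['order']), $whitelist)) { $options['order'] = null; return $options; }`. The `in_array` call is also non-strict; `in_array($field, $whitelist, true)` avoids loose comparison of a request-supplied string against the whitelist entries. The enclosing validateSort() starts and ends outside the hunk.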
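Review bot: In the second PaginatorComponent hunk the switch to `$object->alias` also changes the outcome when the supplied alias is a real association and the field name exists on both models: with an example order key `Comment.created` on a model that itself has `created`, the first branch matches `$object->hasField('created')` and the key is now rewritten to the primary model's alias, whereas before this patch the first branch preserved the explicit alias. If that precedence is intended, the method's docblock should state that the primary model wins on field-name collisions; if not, the association branch should be tried before the primary-model branch, as below, so an explicit alias is kept whenever it names a loaded association and still collapses to `$object->alias` when it does not. Either way a test where the alias names a loaded association with a colliding field name is missing; the new test only covers an unknown alias. The enclosing foreach, which sets `$alias`, `$field` and `$key`, starts outside the hunk.
```php
// … unchanged: foreach over $options['order'], split of $key into $alias / $field …
			if ($alias !== $object->alias && isset($object->{$alias}) && $object->{$alias}->hasField($field, true)) {
				// Explicit alias names a loaded association: keep it even if $object has a field of the same name.
				$order[$alias . '.' . $field] = $value;
			} elseif ($object->hasField($field)) {
				// Same-model or unknown alias: always emit the model's own alias so the generated SQL stays valid.
				$order[$object->alias . '.' . $field] = $value;
			} elseif ($object->hasField($key, true)) {
				$order[$field] = $value;
			}
```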
@@ -969,10 +969,12 @@ class PaginatorComponentTest extends CakeTestCase { $model->alias = 'model'; $model->expects($this->any())->method('hasField')->will($this->returnValue(true)); - $options = array('order' => array( - 'author_id' => 'asc', - 'title' => 'asc' - )); + $options = array( + 'order' => array( + 'author_id' => 'asc', + 'title' => 'asc' + ) + ); $result = $this->Paginator->validateSort($model, $options); $expected = array( 'model.author_id' => 'asc', @@ -1002,6 +1004,21 @@ class PaginatorComponentTest extends CakeTestCase { $this->assertEquals($options['order'], $result['order']); } +/** + * Test sorting with incorrect aliases on valid fields. + * + * @return void + */ + public function testValidateSortInvalidAlias() { + $model = $this->getMock('Model'); + $model->alias = 'Model'; + $model->expects($this->any())->method('hasField')->will($this->returnValue(true)); + + $options = array('sort' => 'Derp.id'); + $result = $this->Paginator->validateSort($model, $options); + $this->assertEquals(array('Model.id' => 'asc'), $result['order']); + } + /** * test that maxLimit is respected * From 65b1a94e637c1760fe3b351fde16458219d822b0 Mon Sep 17 00:00:00 2001 From: mark_story Date: Sat, 27 Apr 2013 23:00:50 -0400 Subject: [PATCH 2/3] Simplify how fullBase is calculated. Using FULL_BASE_URL fixes URL generation when URL rewriting is disabled. Fixes #3777 --- lib/Cake/Test/Case/View/HelperTest.php | 15 +++++++++++++++ lib/Cake/View/Helper.php | 7 +------ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/lib/Cake/Test/Case/View/HelperTest.php b/lib/Cake/Test/Case/View/HelperTest.php index 0ac7d9dc6..ea92488dc 100644 --- a/lib/Cake/Test/Case/View/HelperTest.php +++ b/lib/Cake/Test/Case/View/HelperTest.php 
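Review bot: `testValidateSortInvalidAlias` stubs `hasField` to return true for every argument, so it only proves that the first branch of validateSort() rewrites the alias; it cannot show that an unknown alias combined with a field the model does not have is dropped rather than emitted, which is the other half of the invalid-SQL case the commit message describes. A companion test using `->will($this->returnValue(false))` with a constructed input such as `$options = array('sort' => 'Derp.nope')` and an assertion on `$result['order']` (presumably an empty array when no branch matches — verify against validateSort()) would close that gap. The new docblock could also state the expected rule rather than only the scenario, e.g. `Sorting on a field that exists on the model, under an alias that does not, must use the model's own alias.`.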
@@ -658,6 +658,21 @@ class HelperTest extends CakeTestCase { $this->assertEquals('foo.jpg?one=two&three=four', $result); } +/** + * Test assetUrl with no rewriting. + * + * @return void + */ + public function testAssetUrlNoRewrite() { + $this->Helper->request->addPaths(array( + 'base' => '/cake_dev/index.php', + 'webroot' => '/cake_dev/app/webroot/', + 'here' => '/cake_dev/index.php/tasks', + )); + $result = $this->Helper->assetUrl('img/cake.icon.png', array('fullBase' => true)); + $this->assertEquals('http://localhost/cake_dev/app/webroot/img/cake.icon.png', $result); + } + /** * Test assetUrl with plugins. * diff --git a/lib/Cake/View/Helper.php b/lib/Cake/View/Helper.php index d662d8336..2f7b79595 100644 --- a/lib/Cake/View/Helper.php +++ b/lib/Cake/View/Helper.php @@ -328,12 +328,7 @@ class Helper extends Object { $path = $this->_encodeUrl($this->assetTimestamp($this->webroot($path))); if (!empty($options['fullBase'])) { - $base = $this->url('/', true); - $len = strlen($this->request->webroot); - if ($len) { - $base = substr($base, 0, -$len); - } - $path = $base . $path; + $path = rtrim(FULL_BASE_URL, '/') . '/' . ltrim($path, '/'); } return $path; } From e4b276c55fe23e821d3a273454243e68aaa9b6c5 Mon Sep 17 00:00:00 2001 From: mark_story Date: Sun, 28 Apr 2013 16:30:59 -0400 Subject: [PATCH 3/3] Update version number to 2.3.4 --- lib/Cake/VERSION.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Cake/VERSION.txt b/lib/Cake/VERSION.txt index a35672d14..a568deb1c 100644 --- a/lib/Cake/VERSION.txt +++ b/lib/Cake/VERSION.txt @@ -17,4 +17,4 @@ // @license MIT License (http://www.opensource.org/licenses/mit-license.php) // +--------------------------------------------------------------------------------------------+ // //////////////////////////////////////////////////////////////////////////////////////////////////// -2.3.3 +2.3.4
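Review bot: The new fullBase line in the Helper hunk makes the absolute asset URL depend directly on `FULL_BASE_URL`, which, unless the application defines it itself, the framework bootstrap derives from the request host (confirm against the bootstrap); the removed code had the same dependency through `$this->url('/', true)`, so this is not a regression, but fullBase URLs typically end up in emails or cached markup, so a comment is warranted: `// FULL_BASE_URL defaults to the request host; define it in bootstrap when a fixed canonical host is required.`. The `rtrim`/`ltrim` pair also assumes `FULL_BASE_URL` has no path component and that `webroot()` returns a root-relative path, which the new HelperTest case confirms only for the no-rewrite layout. The enclosing assetUrl() starts outside the hunk.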