merging 1.2

cake/VERSION.txt

@@ -6,4 +6,4 @@
 // +---------------------------------------------------------------------------------------------------+ //
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-1.2.2.8120
+1.2.3.8166

cake/config/config.php

@@ -22,5 +22,5 @@
  * @lastmodified  $Date$
  * @license       http://www.opensource.org/licenses/mit-license.php The MIT License
  */
-return $config['Cake.version'] = '1.2.2.8120';
+return $config['Cake.version'] = '1.2.3.8166';
 ?>

cake/dispatcher.php

@@ -344,7 +344,8 @@ class Dispatcher extends Object {
 			return $this->base = $base;
 		}
 		if (!$baseUrl) {
-			$base = dirname(env('PHP_SELF'));
+			$replace = array('<', '>', '*', '\'', '"');
+			$base = str_replace($replace, '', dirname(env('PHP_SELF')));
 
 			if ($webroot === 'webroot' && $webroot === basename($base)) {
 				$base = dirname($base);

cake/libs/model/model.php

@@ -1010,7 +1010,10 @@ class Model extends Overloadable {
 		}
 
 		if ($id !== null && $id !== false) {
-			$this->data = $this->find(array($this->alias . '.' . $this->primaryKey => $id), $fields);
+			$this->data = $this->find('first', array(
+				'conditions' => array($this->alias . '.' . $this->primaryKey => $id),
+				'fields' => $fields
+			));
 			return $this->data;
 		} else {
 			return false;

cake/tests/cases/dispatcher.test.php

@@ -1898,6 +1898,23 @@ class DispatcherTest extends CakeTestCase {
 
 		unset($_POST['_method']);
 	}
+
+/**
+ * Tests that invalid characters cannot be injected into the application base path.
+ *
+ * @return void
+ */
+	function testBasePathInjection() {
+		$self = $_SERVER['PHP_SELF'];
+		$_SERVER['PHP_SELF'] = urldecode(
+			"/index.php/%22%3E%3Ch1%20onclick=%22alert('xss');%22%3Eheya%3C/h1%3E"
+		);
+
+		$dispatcher =& new Dispatcher();
+		$result = $dispatcher->baseUrl();
+		$expected = '/index.php/h1 onclick=alert(xss);heya';
+		$this->assertEqual($result, $expected);
+	}
 /**
  * testEnvironmentDetection method
  *

cake/tests/cases/libs/router.test.php

@@ -658,14 +658,23 @@ class RouterTest extends CakeTestCase {
 
 		Router::reload();
 		Router::setRequestInfo(array(
-				array('plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'admin_edit', 'pass' =>
-						array(0 => '6'), 'prefix' => 'admin', 'admin' => true, 'form' => array(), 'url' =>
-						array('url' => 'admin/shows/show_tickets/edit/6')),
-				array('plugin' => NULL, 'controller' => NULL, 'action' => NULL, 'base' => '', 'here' => '/admin/shows/show_tickets/edit/6', 'webroot' => '/')));
+			array(
+				'plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'admin_edit',
+				'pass' => array('6'), 'prefix' => 'admin', 'admin' => true, 'form' => array(),
+				'url' => array('url' => 'admin/shows/show_tickets/edit/6')
+			),
+			array(
+				'plugin' => null, 'controller' => null, 'action' => null, 'base' => '',
+				'here' => '/admin/shows/show_tickets/edit/6', 'webroot' => '/'
+			)
+		));
 
 		Router::parse('/');
 
-		$result = Router::url(array('plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'edit', 'id' => '6', 'admin' => true, 'prefix' => 'admin', ));
+		$result = Router::url(array(
+			'plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'edit', 'id' => '6',
+			'admin' => true, 'prefix' => 'admin'
+		));
 		$expected = '/admin/shows/show_tickets/edit/6';
 		$this->assertEqual($result, $expected);
 	}