Creating correct CSRF tokens when using FormHelper::postLink within another form. Fixes #8387

Markus Bauer 2016-03-02 02:51:06 +01:00
parent bafcba3c71
commit 7df96b3912


@ -611,11 +611,13 @@ class FormHelper extends AppHelper {
$tokenFields = array_merge($secureAttributes, array(
'value' => urlencode($fields . ':' . $locked),
'id' => 'TokenFields' . mt_rand(),
'secure' => static::SECURE_SKIP,
));
$out = $this->hidden('_Token.fields', $tokenFields);
$tokenUnlocked = array_merge($secureAttributes, array(
'value' => urlencode($unlocked),
'id' => 'TokenUnlocked' . mt_rand(),
'secure' => static::SECURE_SKIP,
));
$out .= $this->hidden('_Token.unlocked', $tokenUnlocked);
return $this->Html->useTag('hiddenblock', $out);
@ -1868,6 +1870,7 @@ class FormHelper extends AppHelper {
unset($options['target']);
}
$previousLastAction = $this->_lastAction;
$this->_lastAction($url);
$out = $this->Html->useTag('form', $formUrl, $formOptions);
@ -1890,6 +1893,8 @@ class FormHelper extends AppHelper {
if ($options['block']) {
$this->_View->append($options['block'], $out);
$out = '';
// Reset security-relevant fields for outer form
$this->_lastAction = $previousLastAction;
}
unset($options['block']);
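Review bot: In the third hunk `_lastAction` is restored only inside `if ($options['block'])`, so a `postLink()` rendered inline between an outer form's `create()` and `end()` still leaves `_lastAction` set to the link's URL. If the outer form's token hash is derived from `_lastAction` (that code is outside these hunks, as are the start and end of this method), the outer form would presumably fail token validation on submit. Consider moving `$this->_lastAction = $previousLastAction;` below the `if` so both paths restore it, or state in the docblock that only the block variant is supported inside another form. The comment says "fields" although only `_lastAction` is reset here; the field list is handled by the `SECURE_SKIP` entries in the first hunk, which would benefit from a comment such as `// keep the token inputs out of the enclosing form's secured field list`.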