Re-removing the Auth vulnerability re-introduced in [6593]

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@6595 3807eeeb-6ff5-0310-8944-8be069107fe0
2025-01-18 18:46:17 +00:00 · 2008-03-20 19:18:52 +00:00 · 2008-03-20 19:18:52 +00:00 · 819cd1d667
commit 819cd1d667
parent d60191a1f6
2 changed files with 42 additions and 9 deletions
--- a/cake/libs/controller/components/auth.php
+++ b/cake/libs/controller/components/auth.php
@ -722,10 +722,7 @@ class AuthComponent extends Object {
 		} elseif (is_array($user) && isset($user[$this->userModel])) {
 			$user = $user[$this->userModel];
 		}
-		$debug = false;
+
 		if ($debug = Configure::read('debug')) {
 			Configure::write('debug', 0);
 		}
 		if (is_array($user) && (isset($user[$this->fields['username']]) || isset($user[$this->userModel . '.' . $this->fields['username']]))) {
 			if (isset($user[$this->fields['username']]) && !empty($user[$this->fields['username']])  && !empty($user[$this->fields['password']])) {
@ -741,8 +738,8 @@ class AuthComponent extends Object {
 					return false;
 				}
 				$find = array(
-					$this->fields['username'] => $user[$this->userModel . '.' . $this->fields['username']],
+					$this->fields['username'] => '= ' . $user[$this->userModel . '.' . $this->fields['username']],
-					$this->fields['password'] => $user[$this->userModel . '.' . $this->fields['password']]
+					$this->fields['password'] => '= ' . $user[$this->userModel . '.' . $this->fields['password']]
 				);
 			} else {
 				return false;
@ -760,9 +757,7 @@ class AuthComponent extends Object {
 				return null;
 			}
 		}
-		if ($debug) {
+
 			Configure::write('debug', $debug);
 		}
 		if (isset($data) && !empty($data)) {
 			if (!empty($data[$this->userModel][$this->fields['password']])) {
 				unset($data[$this->userModel][$this->fields['password']]);
--- a/cake/tests/cases/libs/controller/components/auth.test.php
+++ b/cake/tests/cases/libs/controller/components/auth.test.php
@ -377,6 +377,44 @@ class AuthTest extends CakeTestCase {
 		$this->Controller->Session->del('Auth');
 	}
 	function testInjection() {
 		$this->AuthUser =& new AuthUser();
 		Configure::write('debug', 1);
 		$this->AuthUser->id = 2;
 		$this->AuthUser->saveField('password', Security::hash(Configure::read('Security.salt') . 'cake'));
 		$this->Controller->data['AuthUser']['username'] = 'nate';
 		$this->Controller->data['AuthUser']['password'] = 'cake';
 		$this->Controller->params['url']['url'] = 'auth_test/login';
 		$this->Controller->Auth->initialize($this->Controller);
 		$this->Controller->Auth->loginAction = 'auth_test/login';
 		$this->Controller->Auth->userModel = 'AuthUser';
 		$this->Controller->Auth->startup($this->Controller);
 		$this->assertTrue(is_array($this->Controller->Auth->user()));
 		$this->Controller->Session->del($this->Controller->Auth->sessionKey);
 		$this->Controller->data['AuthUser']['username'] = 'nate';
 		$this->Controller->data['AuthUser']['password'] = 'cake1';
 		$this->Controller->params['url']['url'] = 'auth_test/login';
 		$this->Controller->Auth->initialize($this->Controller);
 		$this->Controller->Auth->loginAction = 'auth_test/login';
 		$this->Controller->Auth->userModel = 'AuthUser';
 		$this->Controller->Auth->startup($this->Controller);
 		$this->assertTrue(is_null($this->Controller->Auth->user()));
 		$this->Controller->Session->del($this->Controller->Auth->sessionKey);
 		$this->Controller->data['AuthUser']['username'] = '> n';
 		$this->Controller->data['AuthUser']['password'] = 'cake';
 		$this->Controller->Auth->initialize($this->Controller);
 		$this->Controller->Auth->startup($this->Controller);
 		$this->assertTrue(is_null($this->Controller->Auth->user()));
 	}
 	function tearDown() {
 		unset($this->Controller, $this->AuthUser);
 	}