adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-02-07 12:36:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Adding Html entity conversion to all urls generated by helpers, fixing potential for merged passedArgs to create xss vectors.

Browse source 
Adding integer cast in paginate() to page param. 
Tests added/updated.
Fixes #6134

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@8061 3807eeeb-6ff5-0310-8944-8be069107fe0
This commit is contained in:
mark_story 2009-02-25 19:51:41 +00:00
parent 2849bb0a48
commit af021cb4b2
4 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
cake/libs/controller/controller.php
View file

@ -1042,6 +1042,7 @@ class Controller extends Object {
} elseif (intval($page) < 1) { } elseif (intval($page) < 1) {
$options['page'] = $page = 1; $options['page'] = $page = 1;
} }
$page = $options['page'] = (integer)$page;
if (method_exists($object, 'paginate')) { if (method_exists($object, 'paginate')) {
$results = $object->paginate($conditions, $fields, $order, $limit, $page, $recursive, $extra); $results = $object->paginate($conditions, $fields, $order, $limit, $page, $recursive, $extra);

2
cake/libs/view/helper.php
View file

@ -175,7 +175,7 @@ class Helper extends Overloadable {
* @return string Full translated URL with base path. * @return string Full translated URL with base path.
*/ */
function url($url = null, $full = false) { function url($url = null, $full = false) {
return Router::url($url, array('full' => $full, 'escape' => true)); return h(Router::url($url, $full));
} }
/** /**
* Checks if a file exists when theme is used, if no file is found default location is returned * Checks if a file exists when theme is used, if no file is found default location is returned

8
cake/tests/cases/libs/controller/controller.test.php
View file

@ -503,10 +503,12 @@ class ControllerTest extends CakeTestCase {
$results = Set::extract($Controller->paginate('ControllerPost'), '{n}.ControllerPost.id'); $results = Set::extract($Controller->paginate('ControllerPost'), '{n}.ControllerPost.id');
$this->assertEqual($Controller->ControllerPost->lastQuery['order'][0], array('ControllerPost.author_id' => 'asc')); $this->assertEqual($Controller->ControllerPost->lastQuery['order'][0], array('ControllerPost.author_id' => 'asc'));
$this->assertEqual($results, array(1, 3, 2)); $this->assertEqual($results, array(1, 3, 2));
$Controller->passedArgs = array('page' => '" onclick="alert(\'xss\');">'); $Controller->passedArgs = array('page' => '1 " onclick="alert(\'xss\');">');
$Controller->paginate = array('limit' => 1);
$Controller->paginate('ControllerPost'); $Controller->paginate('ControllerPost');
$this->assertEqual($Controller->params['paging']['ControllerPost']['page'], 1, 'XSS exploit opened %s'); $this->assertIdentical($Controller->params['paging']['ControllerPost']['page'], 1, 'XSS exploit opened %s');
$this->assertIdentical($Controller->params['paging']['ControllerPost']['options']['page'], 1, 'XSS exploit opened %s');
} }
/** /**
* testPaginateExtraParams method * testPaginateExtraParams method

15
cake/tests/cases/libs/view/helper.test.php
View file

@ -347,6 +347,21 @@ class HelperTest extends CakeTestCase {
$result = $this->Helper->value('Post.2.created.year'); $result = $this->Helper->value('Post.2.created.year');
$this->assertEqual($result, '2008'); $this->assertEqual($result, '2008');
} }
/**
* Ensure HTML escaping of url params. So link addresses are valid and not exploited
*
* @return void
**/
function testUrlConversion() {
$result = $this->Helper->url('/controller/action/1');
$this->assertEqual($result, '/controller/action/1');
$result = $this->Helper->url('/controller/action/1?one=1&two=2');
$this->assertEqual($result, '/controller/action/1?one=1&amp;two=2');
$result = $this->Helper->url(array('controller' => 'posts', 'action' => 'index', 'page' => '1" onclick="alert(\'XSS\');"'));
$this->assertEqual($result, "/posts/index/page:1&quot; onclick=&quot;alert(&#039;XSS&#039;);&quot;");
}
/** /**
* testFieldsWithSameName method * testFieldsWithSameName method
* *