From b088daf045a19c818d427e28d752566f3e7044e8 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Thu, 30 Sep 2010 00:06:38 -0400
Subject: [PATCH] Adding tests for csrf feature separation. Removing serialize() calls as they didn't really add anything.
---
 cake/libs/controller/components/security.php | 8 +++---
 .../controller/components/security.test.php | 26 ++++++++++++-------
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
index 90c3ccdc8..7e834a2c5 100644
--- a/cake/libs/controller/components/security.php
+++ b/cake/libs/controller/components/security.php
@@ -580,7 +580,7 @@ class SecurityComponent extends Component {
 $token = $data['_Token']['key'];
 if ($this->Session->check('_Token')) {
- $tokenData = unserialize($this->Session->read('_Token'));
+ $tokenData = $this->Session->read('_Token');
 if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
 return false;
@@ -651,7 +651,7 @@ class SecurityComponent extends Component {
 protected function _generateToken(&$controller) {
 if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
 if ($this->Session->check('_Token')) {
- $tokenData = unserialize($this->Session->read('_Token'));
+ $tokenData = $this->Session->read('_Token');
 $controller->params['_Token'] = $tokenData;
 }
 return false;
@@ -671,7 +671,7 @@ class SecurityComponent extends Component {
 }
 if ($this->Session->check('_Token')) {
- $tokenData = unserialize($this->Session->read('_Token'));
+ $tokenData = $this->Session->read('_Token');
 $valid = (
 isset($tokenData['expires']) &&
 $tokenData['expires'] > time() &&
@@ -683,7 +683,7 @@ class SecurityComponent extends Component {
 }
 }
 $controller->request->params['_Token'] = $token;
- $this->Session->write('_Token', serialize($token));
+ $this->Session->write('_Token', $token);
 return true;
 }
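Review bot: In the first hunk (around line 580) `$tokenData['expires']` and `$tokenData['key']` are indexed as soon as the unserialize() wrapper is gone, with nothing confirming that what came back from `Session->read('_Token')` is an array; any session still holding the string written by the old serialize() call would now be read as a string rather than unserialized, and the same unguarded reads occur in the hunks at lines 651 and 671. A type check keeps the validation failing closed rather than depending on string-offset semantics: `if (!is_array($tokenData) || $tokenData['expires'] < time() || $tokenData['key'] !== $token) {`. The hunk at 651 copies the value straight into `$controller->params['_Token']` and would benefit from the same `is_array($tokenData)` test before the assignment. The method enclosing the first hunk starts and ends outside the hunk, as does `_generateToken` in the later ones.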
diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
index b6b76cfbd..0efc169db 100644
--- a/cake/tests/cases/libs/controller/components/security.test.php
+++ b/cake/tests/cases/libs/controller/components/security.test.php
@@ -152,6 +152,7 @@ class SecurityComponentTest extends CakeTestCase {
 $this->Controller->Components->init($this->Controller);
 $this->Controller->Security = $this->Controller->TestSecurity;
 $this->Controller->Security->blackHoleCallback = 'fail';
+ $this->Security = $this->Controller->Security;
 Configure::write('Security.salt', 'foo!');
 }
@@ -856,16 +857,6 @@ DIGEST;
 $this->assertTrue($result);
 }
-/**
- * testLoginValidation method
- *
- * @access public
- * @return void
- */
- function testLoginValidation() {
-
- }
-
 /**
 * testValidateHasManyModel method
 *
@@ -1238,4 +1229,19 @@ DIGEST;
 $this->Controller->Security->blackHole($this->Controller, 'auth');
 $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
 }
+
+/**
+ * test setting
+ *
+ * @return void
+ */
+ function testCsrfSettings() {
+ $this->Security->validatePost = false;
+ $this->Security->enableCsrf = true;
+ $this->Security->csrfExpires = '+10 minutes';
+ $this->Security->startup($this->Controller);
+
+ $token = $this->Security->Session->read('_Token');
+ $this->assertEquals(count($token['csrf']), 1, 'Missing the csrf token.');
+ }
 }
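Review bot: `testCsrfSettings` in the last hunk configures `csrfExpires = '+10 minutes'` but only asserts that `$token['csrf']` holds one entry, so the expiry setting the test exercises is never verified; if the csrf entries carry their expiry timestamp as the value (not visible in this hunk), a second assertion that the stored expiry is greater than `time()` would pin that behaviour. The `assertEquals` call also has its arguments in the opposite order to PHPUnit's `assertEquals($expected, $actual)` convention, which makes the failure message misleading: `$this->assertEquals(1, count($token['csrf']), 'Missing the csrf token.');`. The docblock `test setting` says little; `Test that enabling csrf creates a token with the configured expiry.` would describe what is checked.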