adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2024-11-15 11:28:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ensuring that the auth component never redirects to an external link.

Browse source 
Tests updated to match code changes and tests added for external referer examples


git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@7874 3807eeeb-6ff5-0310-8944-8be069107fe0
This commit is contained in:
AD7six 2008-11-14 09:07:22 +00:00
parent f06401c563
commit b43128c809
2 changed files with 27 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cake/libs/controller/components/auth.php
View file

@ -309,7 +309,7 @@ class AuthComponent extends Object {
if ($loginAction == $url) { if ($loginAction == $url) {
if (empty($controller->data) || !isset($controller->data[$this->userModel])) { if (empty($controller->data) || !isset($controller->data[$this->userModel])) {
if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) { if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) {
$this->Session->write('Auth.redirect', $controller->referer()); $this->Session->write('Auth.redirect', $controller->referer(null, true));
} }
return false; return false;
} }

28
cake/tests/cases/libs/controller/components/auth.test.php
View file

@ -717,7 +717,7 @@ class AuthTest extends CakeTestCase {
$this->Controller->Session->del('Auth'); $this->Controller->Session->del('Auth');
$_SERVER['HTTP_REFERER'] = '/admin/'; $_SERVER['HTTP_REFERER'] = Router::url('/admin/', true);
$this->Controller->Session->write('Auth', array( $this->Controller->Session->write('Auth', array(
'AuthUser' => array('id'=>'1', 'username'=>'nate')) 'AuthUser' => array('id'=>'1', 'username'=>'nate'))
@ -728,7 +728,7 @@ class AuthTest extends CakeTestCase {
$this->Controller->Auth->userModel = 'AuthUser'; $this->Controller->Auth->userModel = 'AuthUser';
$this->Controller->Auth->loginRedirect = false; $this->Controller->Auth->loginRedirect = false;
$this->Controller->Auth->startup($this->Controller); $this->Controller->Auth->startup($this->Controller);
$expected = Router::normalize('admin'); $expected = Router::normalize('/admin');
$this->assertEqual($expected, $this->Controller->Auth->redirect()); $this->assertEqual($expected, $this->Controller->Auth->redirect());
//Ticket #4750 //Ticket #4750
@ -754,6 +754,30 @@ class AuthTest extends CakeTestCase {
$expected = Router::normalize('posts/view/1'); $expected = Router::normalize('posts/view/1');
$this->assertEqual($expected, $this->Controller->Session->read('Auth.redirect')); $this->assertEqual($expected, $this->Controller->Session->read('Auth.redirect'));
//external authed action
$_SERVER['HTTP_REFERER'] = 'http://webmail.example.com/view/message';
$this->Controller->Session->del('Auth');
$url = '/posts/edit/1';
$this->Controller->params = Router::parse($url);
$this->Controller->Auth->initialize($this->Controller);
$this->Controller->Auth->loginAction = array('controller' => 'AuthTest', 'action' => 'login');
$this->Controller->Auth->userModel = 'AuthUser';
$this->Controller->Auth->startup($this->Controller);
$expected = Router::normalize('/posts/edit/1');
$this->assertEqual($expected, $this->Controller->Session->read('Auth.redirect'));
//external direct login link
$_SERVER['HTTP_REFERER'] = 'http://webmail.example.com/view/message';
$this->Controller->Session->del('Auth');
$url = '/AuthTest/login';
$this->Controller->params = Router::parse($url);
$this->Controller->Auth->initialize($this->Controller);
$this->Controller->Auth->loginAction = array('controller' => 'AuthTest', 'action' => 'login');
$this->Controller->Auth->userModel = 'AuthUser';
$this->Controller->Auth->startup($this->Controller);
$expected = Router::normalize('/');
$this->assertEqual($expected, $this->Controller->Session->read('Auth.redirect'));
$_SERVER['HTTP_REFERER'] = $backup; $_SERVER['HTTP_REFERER'] = $backup;
$this->Controller->Session->del('Auth'); $this->Controller->Session->del('Auth');
} }