From c0fb45e79e17734b8db0245e06e83eca815b25ae Mon Sep 17 00:00:00 2001
From: Markus Bauer
Date: Wed, 24 Jul 2024 18:13:57 +0200
Subject: [PATCH] Fix potential CSRF circumvention with custom HTTP methods (#76)
* Backported patch, fixing potential CSRF circumvention with custom HTTP methods. Upstream: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
* Fix unit tests for SecurityComponent
---------
Co-authored-by: Markus Bauer
---
 lib/Cake/Controller/Component/SecurityComponent.php | 2 +-
 .../Test/Case/Controller/Component/SecurityComponentTest.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
index 308f27c73..9b3134e47 100644
--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -227,7 +227,7 @@ class SecurityComponent extends Component {
  public function startup(Controller $controller) {
  $this->request = $controller->request;
  $this->_action = $controller->request->params['action'];
- $hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch')));
+ $hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
  try {
  $this->_methodsRequired($controller);
  $this->_secureRequired($controller);
diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
index 0fba140b2..e49e65c0a 100644
--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
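Review bot: In SecurityComponent::startup() the name `$hasData` no longer describes the condition, which is now true for every method except HEAD, GET and OPTIONS even when the request carries no data, and nothing on the line says why the check was inverted. I would add a comment above it such as `// Fail closed: any method other than HEAD/GET/OPTIONS is treated as state-changing, so custom verbs cannot skip the checks gated on $hasData.` The new line also uses short array syntax where the removed line and the test file use `array(...)`; `array('head', 'get', 'options')` would keep the file consistent. startup()'s body continues outside the hunk, so which validations `$hasData` gates is not visible here.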
@@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
  */
  public function setUp() : void {
  parent::setUp();
+ $_SERVER['REQUEST_METHOD'] = 'GET';
  $request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
  $request->addParams(array('controller' => 'posts', 'action' => 'index'));
@@ -321,7 +322,7 @@ class SecurityComponentTest extends CakeTestCase {
  * @return void
  */
  public function testRequireSecureSucceed() {
- $_SERVER['REQUEST_METHOD'] = 'Secure';
+ $_SERVER['REQUEST_METHOD'] = 'GET';
  $this->Controller->request['action'] = 'posted';
  $_SERVER['HTTPS'] = 'on';
  $this->Controller->Security->requireSecure('posted');
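Review bot: The `$_SERVER['REQUEST_METHOD'] = 'GET';` line added to setUp() carries no comment saying why the fixture needs it, and the reason is not evident from the test file alone. Presumably it is there because startup() now treats an unset or unrecognised method as one that must pass token validation; a comment such as `// startup() validates every method except HEAD/GET/OPTIONS, so default the fixture to a safe method.` would record that. The superglobal is also overwritten without saving the previous value, so if tearDown() (outside the hunk) does not restore it, the value carries over into later test classes. setUp()'s body continues outside the hunk.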
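Review bot: In testRequireSecureSucceed the switch from `'Secure'` to `'GET'` removes the only non-standard method value visible in these hunks, and the patch as shown adds no test that pins the fix itself. I would add a regression test that sets `$_SERVER['REQUEST_METHOD']` to a made-up verb, sends no form or CSRF token, runs startup() and asserts that the request is rejected, so a later edit to the safe-method list cannot silently reopen the bypass. A second case with a lower-case `'get'` would document whether method matching is case-sensitive, which is not visible from this patch.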