mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2024-11-26 00:37:18 +00:00
Fix potential CSRF circumvention with custom HTTP methods (#76)
* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.
Upstream: 0f818a23a8
* Fix unit tests for SecurityComponent
---------
Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
This commit is contained in:
parent
b918df8008
commit
c0fb45e79e
2 changed files with 3 additions and 2 deletions
|
@ -227,7 +227,7 @@ class SecurityComponent extends Component {
|
||||||
public function startup(Controller $controller) {
|
public function startup(Controller $controller) {
|
||||||
$this->request = $controller->request;
|
$this->request = $controller->request;
|
||||||
$this->_action = $controller->request->params['action'];
|
$this->_action = $controller->request->params['action'];
|
||||||
$hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch')));
|
$hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
|
||||||
try {
|
try {
|
||||||
$this->_methodsRequired($controller);
|
$this->_methodsRequired($controller);
|
||||||
$this->_secureRequired($controller);
|
$this->_secureRequired($controller);
|
||||||
|
|
|
@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
|
||||||
*/
|
*/
|
||||||
public function setUp() : void {
|
public function setUp() : void {
|
||||||
parent::setUp();
|
parent::setUp();
|
||||||
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
|
|
||||||
$request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
|
$request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
|
||||||
$request->addParams(array('controller' => 'posts', 'action' => 'index'));
|
$request->addParams(array('controller' => 'posts', 'action' => 'index'));
|
||||||
|
@ -321,7 +322,7 @@ class SecurityComponentTest extends CakeTestCase {
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function testRequireSecureSucceed() {
|
public function testRequireSecureSucceed() {
|
||||||
$_SERVER['REQUEST_METHOD'] = 'Secure';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$this->Controller->request['action'] = 'posted';
|
$this->Controller->request['action'] = 'posted';
|
||||||
$_SERVER['HTTPS'] = 'on';
|
$_SERVER['HTTPS'] = 'on';
|
||||||
$this->Controller->Security->requireSecure('posted');
|
$this->Controller->Security->requireSecure('posted');
|
||||||
|
|
Loading…
Reference in a new issue