Fix potential CSRF circumvention with custom HTTP methods (#76)

* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.

Upstream: 0f818a23a8

* Fix unit tests for SecurityComponent

---------

Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
This commit is contained in:
Markus Bauer 2024-07-24 18:13:57 +02:00 committed by GitHub
parent b918df8008
commit c0fb45e79e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions

View file

@ -227,7 +227,7 @@ class SecurityComponent extends Component {
public function startup(Controller $controller) { public function startup(Controller $controller) {
$this->request = $controller->request; $this->request = $controller->request;
$this->_action = $controller->request->params['action']; $this->_action = $controller->request->params['action'];
$hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch'))); $hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
try { try {
$this->_methodsRequired($controller); $this->_methodsRequired($controller);
$this->_secureRequired($controller); $this->_secureRequired($controller);

View file

@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
*/ */
public function setUp() : void { public function setUp() : void {
parent::setUp(); parent::setUp();
$_SERVER['REQUEST_METHOD'] = 'GET';
$request = $this->getMock('CakeRequest', array('here'), array('posts/index', false)); $request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
$request->addParams(array('controller' => 'posts', 'action' => 'index')); $request->addParams(array('controller' => 'posts', 'action' => 'index'));
@ -321,7 +322,7 @@ class SecurityComponentTest extends CakeTestCase {
* @return void * @return void
*/ */
public function testRequireSecureSucceed() { public function testRequireSecureSucceed() {
$_SERVER['REQUEST_METHOD'] = 'Secure'; $_SERVER['REQUEST_METHOD'] = 'GET';
$this->Controller->request['action'] = 'posted'; $this->Controller->request['action'] = 'posted';
$_SERVER['HTTPS'] = 'on'; $_SERVER['HTTPS'] = 'on';
$this->Controller->Security->requireSecure('posted'); $this->Controller->Security->requireSecure('posted');