Fix potential CSRF circumvention with custom HTTP methods (#76)

* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.

Upstream: 0f818a23a8

* Fix unit tests for SecurityComponent

---------

Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>

lib/Cake/Controller/Component/SecurityComponent.php

@@ -227,7 +227,7 @@ class SecurityComponent extends Component {
 	public function startup(Controller $controller) {
 		$this->request = $controller->request;
 		$this->_action = $controller->request->params['action'];
-		$hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch')));
+		$hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
 		try {
 			$this->_methodsRequired($controller);
 			$this->_secureRequired($controller);

lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

@@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
  */
 	public function setUp() : void {
 		parent::setUp();
+		$_SERVER['REQUEST_METHOD'] = 'GET';
 
 		$request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
 		$request->addParams(array('controller' => 'posts', 'action' => 'index'));
@@ -321,7 +322,7 @@ class SecurityComponentTest extends CakeTestCase {
  * @return void
  */
 	public function testRequireSecureSucceed() {
-		$_SERVER['REQUEST_METHOD'] = 'Secure';
+		$_SERVER['REQUEST_METHOD'] = 'GET';
 		$this->Controller->request['action'] = 'posted';
 		$_SERVER['HTTPS'] = 'on';
 		$this->Controller->Security->requireSecure('posted');