mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2024-11-25 16:27:20 +00:00
Fix potential CSRF circumvention with custom HTTP methods (#76)
* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.
Upstream: 0f818a23a8
* Fix unit tests for SecurityComponent
---------
Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
This commit is contained in:
parent
b918df8008
commit
c0fb45e79e
2 changed files with 3 additions and 2 deletions
|
@ -227,7 +227,7 @@ class SecurityComponent extends Component {
|
|||
public function startup(Controller $controller) {
|
||||
$this->request = $controller->request;
|
||||
$this->_action = $controller->request->params['action'];
|
||||
$hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch')));
|
||||
$hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
|
||||
try {
|
||||
$this->_methodsRequired($controller);
|
||||
$this->_secureRequired($controller);
|
||||
|
|
|
@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
|
|||
*/
|
||||
public function setUp() : void {
|
||||
parent::setUp();
|
||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||
|
||||
$request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
|
||||
$request->addParams(array('controller' => 'posts', 'action' => 'index'));
|
||||
|
@ -321,7 +322,7 @@ class SecurityComponentTest extends CakeTestCase {
|
|||
* @return void
|
||||
*/
|
||||
public function testRequireSecureSucceed() {
|
||||
$_SERVER['REQUEST_METHOD'] = 'Secure';
|
||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||
$this->Controller->request['action'] = 'posted';
|
||||
$_SERVER['HTTPS'] = 'on';
|
||||
$this->Controller->Security->requireSecure('posted');
|
||||
|
|
Loading…
Reference in a new issue