adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-01-31 17:16:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge remote branch 'origin/2.0' into feature/2.0/pdo

Browse source
This commit is contained in:
José Lorenzo Rodríguez 2010-10-26 20:42:30 -04:30
commit d9222cf90a
3 changed files with 80 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
cake/libs/controller/components/request_handler.php
View file

@ -175,13 +175,15 @@ class RequestHandlerComponent extends Component {
if (!class_exists('Xml')) { if (!class_exists('Xml')) {
App::import('Core', 'Xml'); App::import('Core', 'Xml');
} }
$xml = Xml::build(trim(file_get_contents('php://input'))); try {
$xml = Xml::build(trim(file_get_contents('php://input')));
if (isset($xml->data)) { if (isset($xml->data)) {
$controller->data = Xml::toArray($xml->data); $controller->data = Xml::toArray($xml->data);
} else { } else {
$controller->data = Xml::toArray($xml); $controller->data = Xml::toArray($xml);
} }
} catch (Exception $e) {}
} }
} }

25
cake/libs/controller/components/security.php
View file

@ -172,6 +172,16 @@ class SecurityComponent extends Component {
*/ */
public $csrfExpires = '+30 minutes'; public $csrfExpires = '+30 minutes';
/**
* Controls whether or not CSRF tokens are use and burn. Set to false to not generate
* new tokens on each request. One token will be reused until it expires. This reduces
* the chances of users getting invalid requests because of token consumption.
* It has the side effect of making CSRF less secure, as tokens are reusable.
*
* @var boolean
*/
public $csrfUseOnce = true;
/** /**
* Other components used by the Security component * Other components used by the Security component
* *
@ -677,17 +687,16 @@ class SecurityComponent extends Component {
'csrfTokens' => array() 'csrfTokens' => array()
); );
if ($this->csrfCheck) { $tokenData = array();
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
if ($this->Session->check('_Token')) { if ($this->Session->check('_Token')) {
$tokenData = $this->Session->read('_Token'); $tokenData = $this->Session->read('_Token');
if (!empty($tokenData['csrfTokens'])) { if (!empty($tokenData['csrfTokens'])) {
$token['csrfTokens'] += $tokenData['csrfTokens']; $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
$token['csrfTokens'] = $this->_expireTokens($token['csrfTokens']);
} }
} }
if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
$controller->request->params['_Token'] = $token; $controller->request->params['_Token'] = $token;
$this->Session->write('_Token', $token); $this->Session->write('_Token', $token);
return true; return true;
@ -705,7 +714,9 @@ class SecurityComponent extends Component {
$token = $this->Session->read('_Token'); $token = $this->Session->read('_Token');
$requestToken = $controller->request->data('_Token.key'); $requestToken = $controller->request->data('_Token.key');
if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) { if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
$this->Session->delete('_Token.csrfTokens.' . $requestToken); if ($this->csrfUseOnce) {
$this->Session->delete('_Token.csrfTokens.' . $requestToken);
}
return true; return true;
} }
return false; return false;

54
cake/tests/cases/libs/controller/components/security.test.php
View file

@ -1407,4 +1407,58 @@ DIGEST;
$this->Security->startup($this->Controller); $this->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed, 'fail() was not called.'); $this->assertTrue($this->Controller->failed, 'fail() was not called.');
} }
/**
* test that csrfUseOnce = false works.
*
* @return void
*/
function testCsrfNotUseOnce() {
$this->Security->validatePost = false;
$this->Security->csrfCheck = true;
$this->Security->csrfUseOnce = false;
$this->Security->csrfExpires = '+10 minutes';
// Generate one token
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token.csrfTokens');
$this->assertEquals(1, count($token), 'Should only be one token.');
$this->Security->startup($this->Controller);
$token2 = $this->Security->Session->read('_Token.csrfTokens');
$this->assertEquals(1, count($token2), 'Should only be one token.');
$this->assertEquals($token, $token2, 'Tokens should not be different.');
}
/**
* ensure that longer session tokens are not consumed
*
* @return void
*/
function testCsrfNotUseOnceValidationLeavingToken() {
$this->Security->validatePost = false;
$this->Security->csrfCheck = true;
$this->Security->csrfUseOnce = false;
$this->Security->csrfExpires = '+10 minutes';
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
$this->Controller->request = $this->getMock('CakeRequest', array('is'));
$this->Controller->request->expects($this->once())->method('is')
->with('post')
->will($this->returnValue(true));
$this->Controller->request->params['action'] = 'index';
$this->Controller->request->data = array(
'_Token' => array(
'key' => 'nonce1'
),
'Post' => array(
'title' => 'Woot'
)
);
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token');
$this->assertTrue(isset($token['csrfTokens']['nonce1']), 'Token was consumed');
}
} }