mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2025-01-19 11:06:15 +00:00
Merge remote branch 'origin/2.0' into feature/2.0/pdo
This commit is contained in:
José Lorenzo Rodríguez
commit
d9222cf90a
3 changed files with 80 additions and 13 deletions
|
|
@ -175,13 +175,15 @@ class RequestHandlerComponent extends Component {
|
|||
if (!class_exists('Xml')) {
|
||||
App::import('Core', 'Xml');
|
||||
}
|
||||
$xml = Xml::build(trim(file_get_contents('php://input')));
|
||||
try {
|
||||
$xml = Xml::build(trim(file_get_contents('php://input')));
|
||||
|
||||
if (isset($xml->data)) {
|
||||
$controller->data = Xml::toArray($xml->data);
|
||||
} else {
|
||||
$controller->data = Xml::toArray($xml);
|
||||
}
|
||||
if (isset($xml->data)) {
|
||||
$controller->data = Xml::toArray($xml->data);
|
||||
} else {
|
||||
$controller->data = Xml::toArray($xml);
|
||||
}
|
||||
} catch (Exception $e) {}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -172,6 +172,16 @@ class SecurityComponent extends Component {
|
|||
*/
|
||||
public $csrfExpires = '+30 minutes';
|
||||
|
||||
/**
|
||||
* Controls whether or not CSRF tokens are use and burn. Set to false to not generate
|
||||
* new tokens on each request. One token will be reused until it expires. This reduces
|
||||
* the chances of users getting invalid requests because of token consumption.
|
||||
* It has the side effect of making CSRF less secure, as tokens are reusable.
|
||||
*
|
||||
* @var boolean
|
||||
*/
|
||||
public $csrfUseOnce = true;
|
||||
|
||||
/**
|
||||
* Other components used by the Security component
|
||||
*
|
||||
|
|
@ -677,17 +687,16 @@ class SecurityComponent extends Component {
|
|||
'csrfTokens' => array()
|
||||
);
|
||||
|
||||
if ($this->csrfCheck) {
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
|
||||
$tokenData = array();
|
||||
if ($this->Session->check('_Token')) {
|
||||
$tokenData = $this->Session->read('_Token');
|
||||
if (!empty($tokenData['csrfTokens'])) {
|
||||
$token['csrfTokens'] += $tokenData['csrfTokens'];
|
||||
$token['csrfTokens'] = $this->_expireTokens($token['csrfTokens']);
|
||||
$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
|
||||
}
|
||||
}
|
||||
if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
$controller->request->params['_Token'] = $token;
|
||||
$this->Session->write('_Token', $token);
|
||||
return true;
|
||||
|
|
@ -705,7 +714,9 @@ class SecurityComponent extends Component {
|
|||
$token = $this->Session->read('_Token');
|
||||
$requestToken = $controller->request->data('_Token.key');
|
||||
if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
|
||||
$this->Session->delete('_Token.csrfTokens.' . $requestToken);
|
||||
if ($this->csrfUseOnce) {
|
||||
$this->Session->delete('_Token.csrfTokens.' . $requestToken);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
|
|
|||
|
|
@ -1407,4 +1407,58 @@ DIGEST;
|
|||
$this->Security->startup($this->Controller);
|
||||
$this->assertTrue($this->Controller->failed, 'fail() was not called.');
|
||||
}
|
||||
|
||||
/**
|
||||
* test that csrfUseOnce = false works.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
function testCsrfNotUseOnce() {
|
||||
$this->Security->validatePost = false;
|
||||
$this->Security->csrfCheck = true;
|
||||
$this->Security->csrfUseOnce = false;
|
||||
$this->Security->csrfExpires = '+10 minutes';
|
||||
|
||||
// Generate one token
|
||||
$this->Security->startup($this->Controller);
|
||||
$token = $this->Security->Session->read('_Token.csrfTokens');
|
||||
$this->assertEquals(1, count($token), 'Should only be one token.');
|
||||
|
||||
$this->Security->startup($this->Controller);
|
||||
$token2 = $this->Security->Session->read('_Token.csrfTokens');
|
||||
$this->assertEquals(1, count($token2), 'Should only be one token.');
|
||||
$this->assertEquals($token, $token2, 'Tokens should not be different.');
|
||||
}
|
||||
|
||||
/**
|
||||
* ensure that longer session tokens are not consumed
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
function testCsrfNotUseOnceValidationLeavingToken() {
|
||||
$this->Security->validatePost = false;
|
||||
$this->Security->csrfCheck = true;
|
||||
$this->Security->csrfUseOnce = false;
|
||||
$this->Security->csrfExpires = '+10 minutes';
|
||||
|
||||
$this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
|
||||
|
||||
$this->Controller->request = $this->getMock('CakeRequest', array('is'));
|
||||
$this->Controller->request->expects($this->once())->method('is')
|
||||
->with('post')
|
||||
->will($this->returnValue(true));
|
||||
|
||||
$this->Controller->request->params['action'] = 'index';
|
||||
$this->Controller->request->data = array(
|
||||
'_Token' => array(
|
||||
'key' => 'nonce1'
|
||||
),
|
||||
'Post' => array(
|
||||
'title' => 'Woot'
|
||||
)
|
||||
);
|
||||
$this->Security->startup($this->Controller);
|
||||
$token = $this->Security->Session->read('_Token');
|
||||
$this->assertTrue(isset($token['csrfTokens']['nonce1']), 'Token was consumed');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue