Use the form action URL in generated form hashes.

By including the URL in the generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These
cross-action requests could potentially violate a developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.

Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
mark_story 2014-04-25 22:05:58 -04:00
parent 4a24d6ea31
commit f23d811ff5
4 changed files with 61 additions and 25 deletions

@ -510,7 +510,13 @@ class SecurityComponent extends Component {
$fieldList += $lockedFields;
$unlocked = implode('|', $unlocked);
$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'), 'sha1');
$hashParts = array(
$this->request->here(),
serialize($fieldList),
$unlocked,
Configure::read('Security.salt')
);
$check = Security::hash(implode('', $hashParts), 'sha1');
return ($token === $check);
}
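
Review bot: implode('', $hashParts) joins the request URL, the serialized field list, the unlocked list and the salt with no separator, so the boundaries between the parts are not themselves covered by the hash; joining on a character that cannot occur in these values, or hashing each part's length alongside it, would make the binding to the URL unambiguous. The check also only holds if $this->request->here() returns exactly the string the form was generated with, so a comment stating whether the base path and query string are included, plus a test for a form whose action carries a query string, would help. Separately, the unchanged line return ($token === $check); compares the hashes with an ordinary equality operator; a timing-safe comparison would be preferable where one is available.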