Adding csrfCheck related properties.
Nonces are now populated into the session.
This commit is contained in:
parent
b088daf045
commit
f5ed91137a
2 changed files with 26 additions and 6 deletions
@ -154,6 +154,24 @@ class SecurityComponent extends Component {
*/
public $validatePost = true;
/**
* Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
*
* @var boolean
* @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
* @see SecurityComponent::$csrfExpires
*/
public $csrfCheck = true;
/**
* The duration from when a CSRF token is created that it will expire on.
* Each form/page request will generate a new token that can only be submitted once unless
* it expires. Can be any value compatible with strtotime()
*
* @var string
*/
public $csrfExpires = '+30 minutes';
/**
* Other components used by the Security component
*
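Review bot: The `$csrfExpires` docblock promises that any strtotime()-compatible value works, but the value is handed straight to `strtotime()` when a nonce is generated, so a relative past offset yields a nonce that is already expired and an unparsable string yields `false`, which is then stored as the expiry — how validation treats that value is not visible here, so it should be confirmed. The comment should state the actual contract rather than the parser's flexibility: `* Must be a relative offset that resolves to a future time, e.g. '+30 minutes'. An unparsable value makes strtotime() return false and the nonce expiry meaningless.` A one-line pointer from the `$csrfCheck` docblock to the fact that nonces live in the session (the `_Token` key) would also help readers find where the tokens are tracked.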
@ -649,10 +667,10 @@ class SecurityComponent extends Component {
* @return bool Success
*/
protected function _generateToken(&$controller) {
if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
if (isset($controller->request->params['requested']) && $controller->request->params['requested'] === 1) {
if ($this->Session->check('_Token')) {
$tokenData = $this->Session->read('_Token');
$controller->params['_Token'] = $tokenData;
$controller->request->params['_Token'] = $tokenData;
}
return false;
}
@ -666,8 +684,8 @@ class SecurityComponent extends Component {
'disabledFields' => $this->disabledFields
);
if (!isset($controller->request->data)) {
$controller->request->data = array();
if ($this->csrfCheck) {
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
if ($this->Session->check('_Token')) {
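Review bot: The result of `strtotime($this->csrfExpires)` on the `$token['csrfTokens'][$authKey]` line is stored unchecked, so a misconfigured `$csrfExpires` writes `false` into the session as the nonce's expiry instead of failing at the point of misconfiguration. Resolve it once and guard it: `$expires = strtotime($this->csrfExpires);`, `if ($expires === false) { throw new InvalidArgumentException('SecurityComponent::$csrfExpires is not a valid strtotime() value.'); }`, `$token['csrfTokens'][$authKey] = $expires;`. Each request also adds one entry to `csrfTokens`, and nothing in this hunk removes expired ones, so the per-session map grows with every page view unless pruning happens later in `_generateToken` (the function continues outside the hunk); if it does not, expired entries should be filtered out where the session's existing `_Token` data is merged in.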
@ -1237,11 +1237,13 @@ DIGEST;
*/
function testCsrfSettings() {
$this->Security->validatePost = false;
$this->Security->enableCsrf = true;
$this->Security->csrfCheck = true;
$this->Security->csrfExpires = '+10 minutes';
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token');
$this->assertEquals(count($token['csrf']), 1, 'Missing the csrf token.');
$this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
}
}
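Review bot: The expiry assertion `$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), ...)` compares two `strtotime()` calls made at different moments, so the test fails whenever a second boundary falls between `startup()` and the assertion. Capture the expectation before the call and allow a one-second tolerance: `$expected = strtotime('+10 minutes');` ahead of `startup()`, then `$this->assertTrue(abs(current($token['csrfTokens']) - $expected) <= 1, 'Token expiry does not match');`. The `count()` assertion also passes its arguments as (actual, expected); PHPUnit's failure output only reads correctly with the expected value first, `$this->assertEquals(1, count($token['csrfTokens']), 'Missing the csrf token.');`.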