Adding csrfCheck related properties.

nonces are now being populated into the session.
This commit is contained in:
mark_story 2010-09-30 00:18:25 -04:00
parent b088daf045
commit f5ed91137a
2 changed files with 26 additions and 6 deletions


@ -154,6 +154,24 @@ class SecurityComponent extends Component {
*/
public $validatePost = true;
/**
* Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
*
* @var boolean
* @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
* @see SecurityComponent::$csrfExpires
*/
public $csrfCheck = true;
/**
* The duration from when a CSRF token is created that it will expire on.
* Each form/page request will generate a new token that can only be submitted once unless
* it expires. Can be any value compatible with strtotime()
*
* @var string
*/
public $csrfExpires = '+30 minutes';
/**
* Other components used by the Security component
*
@ -649,10 +667,10 @@ class SecurityComponent extends Component {
* @return bool Success
*/
protected function _generateToken(&$controller) {
if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
if (isset($controller->request->params['requested']) && $controller->request->params['requested'] === 1) {
if ($this->Session->check('_Token')) {
$tokenData = $this->Session->read('_Token');
$controller->params['_Token'] = $tokenData;
$controller->request->params['_Token'] = $tokenData;
}
return false;
}
@ -666,8 +684,8 @@ class SecurityComponent extends Component {
'disabledFields' => $this->disabledFields
);
if (!isset($controller->request->data)) {
$controller->request->data = array();
if ($this->csrfCheck) {
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
if ($this->Session->check('_Token')) {
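Review bot: `strtotime($this->csrfExpires)` on the new line in the third hunk (`@ -666,8 +684,8`) returns `false` when the configured string cannot be parsed, so a misconfigured `csrfExpires` is silently stored as the nonce's expiry instead of failing at component startup. Resolve it once and reject the failure: `$expires = strtotime($this->csrfExpires);`, `if ($expires === false) { throw new InvalidArgumentException('csrfExpires is not a valid strtotime() value'); }`, then `$token['csrfTokens'][$authKey] = $expires;`. Nothing in this hunk drops entries from `csrfTokens` once they are past their expiry, so unless that pruning happens elsewhere the per-request nonce keys accumulate in the session for as long as it lives. `_generateToken` begins and ends outside this hunk.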


@ -1237,11 +1237,13 @@ DIGEST;
*/
function testCsrfSettings() {
$this->Security->validatePost = false;
$this->Security->enableCsrf = true;
$this->Security->csrfCheck = true;
$this->Security->csrfExpires = '+10 minutes';
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token');
$this->assertEquals(count($token['csrf']), 1, 'Missing the csrf token.');
$this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
}
}
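Review bot: The new assertion `$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), ...)` compares two `strtotime()` results taken at different instants, so the test fails whenever the clock crosses a second boundary between `startup()` and the assertion. Compare with a small tolerance instead, e.g. `$this->assertTrue(abs(strtotime('+10 minutes') - current($token['csrfTokens'])) <= 2, 'Token expiry does not match');`. The `count(...)` check on the line above pins the number of nonces but not that the key itself was populated; asserting that `key($token['csrfTokens'])` is a non-empty string would cover what the commit message describes.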