Fixing issue where changing the case of an action in the URL would allow the action in the AuthComponent, making it accessible to not-logged-in users

This commit is contained in:
Jose Lorenzo Rodriguez 2011-11-28 00:52:47 -04:30
parent 2bffd4c26d
commit f6534d2962
2 changed files with 8 additions and 3 deletions


@ -268,8 +268,8 @@ class AuthComponent extends Component {
return true;
}
$methods = array_flip($controller->methods);
$action = $controller->request->params['action'];
$methods = array_flip(array_map('strtolower', $controller->methods));
$action = strtolower($controller->request->params['action']);
$isMissingAction = (
$controller->scaffold === false &&
@ -296,7 +296,7 @@ class AuthComponent extends Component {
$allowedActions = $this->allowedActions;
$isAllowed = (
$this->allowedActions == array('*') ||
in_array($action, $allowedActions)
in_array($action, array_map('strtolower', $allowedActions))
);
if ($loginAction != $url && $isAllowed) {
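Review bot: The case normalization on the new line `in_array($action, array_map('strtolower', $allowedActions))` happens only at comparison time, while the stored allowedActions list (maintained by allow()/deny(), outside this hunk) presumably keeps whatever case the caller passed; if deny() removes entries by exact match, `allow('Index')` followed by `deny('index')` would likely leave the action permitted. Lowercasing once where the list is written, e.g. `$this->allowedActions = array_map('strtolower', $this->allowedActions);` inside allow() and deny(), would keep every reader of that list consistent and let this check drop the per-request array_map. A short comment above the comparison such as `// actions are matched case-insensitively because PHP method dispatch is case-insensitive` would record why both sides are lowercased here and in the hunk at line 268. The enclosing method begins and ends outside the hunk.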


@ -671,6 +671,11 @@ class AuthComponentTest extends CakeTestCase {
$this->Controller->request->query['url'] = Router::normalize($url);
$this->assertFalse($this->Controller->Auth->startup($this->Controller));
$url = '/auth_test/CamelCase';
$this->Controller->request->addParams(Router::parse($url));
$this->Controller->request->query['url'] = Router::normalize($url);
$this->assertFalse($this->Controller->Auth->startup($this->Controller));
}
/**