From fc304056a31088069157f2d28ac480c02e4b1d9f Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Tue, 26 Jan 2010 13:59:26 -0500
Subject: [PATCH] Removing Session deletion of nonce token on blackhole. Fixes possible CSRF risk from multiple submissions of the same invalid data. Refs #214
---
 cake/libs/controller/components/security.php | 2 --
 .../controller/components/security.test.php | 20 ++++++++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
index 52f0d3d9d..5aca459b6 100644
--- a/cake/libs/controller/components/security.php
+++ b/cake/libs/controller/components/security.php
@@ -381,8 +381,6 @@ class SecurityComponent extends Object {
 * @see SecurityComponent::$blackHoleCallback
 */
 function blackHole(&$controller, $error = '') {
- $this->Session->del('_Token');
-
 if ($this->blackHoleCallback == null) {
 $code = 404;
 if ($error == 'login') {
diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
index 111aa0cb9..b1cf605f6 100644
--- a/cake/tests/cases/libs/controller/components/security.test.php
+++ b/cake/tests/cases/libs/controller/components/security.test.php
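Review bot: Retaining `_Token` after a blackhole only closes the hole if the code that validates a submitted key treats an absent session token as a failure; that validation is not in this hunk, so it is worth confirming that a request arriving when the session holds no `_Token` (or an expired one) is rejected rather than passed through with nothing to compare against. Nothing left in the method explains why the token must survive a failed request, so a short comment above the `if ($this->blackHoleCallback == null)` line would stop the next maintainer re-adding the deletion as a cleanup: `// Keep _Token in the session: clearing it on a failed request let a repeated forged submission pass validation (ticket #214).` The body of blackHole continues past the last context line of the hunk.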
@@ -237,16 +237,16 @@ class SecurityComponentTest extends CakeTestCase {
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
- $this->Controller->Session->write('_Token', array('allowedControllers' => array()));
+ $this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->action = 'posted';
 $this->Controller->Security->requireAuth('posted');
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
- $this->Controller->Session->write('_Token', array(
+ $this->Controller->Session->write('_Token', serialize(array(
 'allowedControllers' => array('SecurityTest'),
 'allowedActions' => array('posted2')
- ));
+ )));
 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->action = 'posted';
 $this->Controller->Security->requireAuth('posted');
@@ -1145,5 +1145,19 @@ DIGEST;
 $this->Controller->Security->startup($this->Controller);
 $this->assertEqual($this->Controller->params['_Token']['key'], $key);
 }
+
+/**
+ * test that blackhole doesn't delete the _Token session key so repeat data submissions
+ * stay blackholed.
+ *
+ * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
+ * @return void
+ */
+ function testBlackHoleNotDeletingSessionInformation() {
+ $this->Controller->Security->startup($this->Controller);
+
+ $this->Controller->Security->blackHole($this->Controller, 'auth');
+ $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
+ }
 }
 ?>
\ No newline at end of file
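Review bot: Neither serialized fixture in this hunk carries a `key` or `expires` element, and the posted `$this->Controller->data` arrays contain no `_Token` element at all, so both `assertTrue($this->Controller->failed)` checks can be satisfied without the stored token ever being compared against a submitted key. A further case that stores a token with a matching controller/action and a `key` that differs from what is posted would pin the nonce comparison the commit message is about; the exact fields the component reads back after `unserialize()` are not visible here, so their names would need to be taken from the component. The switch to `serialize()` is also not mentioned in the commit message, so a line there noting that `_Token` is now stored serialized would help readers of the history. The enclosing test method starts before this hunk.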
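Review bot: `Session->check('_Token')` in the new test only proves the key still exists after `blackHole()`, not that its contents survived, so an implementation that replaced the token with a fresh one on failure would still pass. Reading the token first and comparing it afterwards pins the intended behaviour: `$token = $this->Controller->Security->Session->read('_Token');` before the `blackHole()` call and `$this->assertEqual($this->Controller->Security->Session->read('_Token'), $token);` after it. The test also assumes `blackHole()` with no callback configured returns to the caller rather than ending the request; whether the test controller arranges that is not visible in this hunk.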