Markus Bauer
2220f35b1b
Remove constructs that deprecate with PHP 8.4 ( #75 )
...
* Remove constructs that deprecate with PHP 8.4
* Fix SecurityComponent typing
---------
Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
2024-07-24 21:55:01 +02:00
Markus Bauer
c0fb45e79e
Fix potential CSRF circumvention with custom HTTP methods ( #76 )
...
* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.
Upstream: 0f818a23a8
* Fix unit tests for SecurityComponent
---------
Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
2024-07-24 18:13:57 +02:00
mark_story
2032fef772
Merge branch '2.x' into 2.next
2017-06-26 21:51:41 -04:00
Marc Würth
da8414e13b
Use HTTPS for the opensource.org MIT license URL
2017-06-11 00:23:22 +02:00
Marc Würth
04efc7ba50
Use HTTPS for the book.cakephp.org URL
2017-06-11 00:15:36 +02:00
Marc Würth
10b89b51a9
Use HTTPS for the cakefoundation.org URL
2017-06-11 00:10:59 +02:00
Marc Würth
17314baa15
Use HTTPS for the cakephp.org URL
2017-06-10 23:40:28 +02:00
chinpei215
a97bd234ee
Fix _validatePost returns true when empty form is submitted
...
Backport of #10625
2017-05-06 21:59:29 +09:00
chinpei215
d7ae1c92e7
Backport test cases and make sure those pass
2016-10-16 22:04:24 +09:00
chinpei215
0d96b9ff64
Backport changes in SecurityComponent and FormHelper
2016-10-16 21:55:05 +09:00
mark_story
7df99fff1f
Backport Security::randomBytes() to 2.x
...
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.
I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be supressed in production if they
really are in a jam and don't care.
Refs #8282
2016-02-22 00:14:44 -05:00
Marc Würth
780b836d57
Deprecate SecurityComponent::requireAuth & SecurityComponent::requireAuth()
...
Backport of https://github.com/cakephp/cakephp/pull/8191
2016-02-10 13:37:10 +01:00
mark_story
4b8d628a2e
Backport SecurityComponent fixes from #8071 to 2.x
...
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
2016-01-20 21:34:58 -05:00
David Yell
4af2e5489b
Update deprecated method in docblocks
...
So that the docblock doesn't point you to another deprecated method which then points you to the actual method.
2015-07-17 16:14:06 +02:00
euromark
52ecccb1a2
App::uses and usage replacements for String => CakeText.
2015-01-05 01:00:57 +01:00
mark_story
4d6611b328
Merge branch 'master' into 2.6
...
Conflicts:
lib/Cake/VERSION.txt
2014-12-17 21:38:32 -05:00
euromark
e1c128bb99
Consolidate with conditions sniff.
2014-12-09 03:17:35 +01:00
euromark
41c646c5a1
Simplification of return types. No need to return more mixed than necessary.
2014-11-08 20:07:47 +01:00
euromark
768f2c809c
Correct doc block return types.
2014-11-05 13:03:27 +01:00
Marc Würth
67ba9cb406
Update all @deprecated annotations
...
to adhere to the @deprecated <version> <description> format, where version and description are mandatory.
2014-09-02 17:03:22 +02:00
mark_story
b3dfad614a
Correct pattern matching.
...
Instead of 10 digits, it should limit at 10 groups.
Refs 1988e89e73
2014-07-06 09:42:20 -04:00
Schlaefer
9fa7afa354
fixes #3887 CSRF reusable token expires
2014-07-06 10:39:00 +02:00
mark_story
1988e89e73
Add an upper bound to the POST data SecurityComponent will consider.
...
'Kurita Takashi' has let us know that the previous patterns could be
abused by an evil doer. One could potentially send a very large deeply
nested POST data structure. Matching that structure could overflow the
PCRE limits causing a segmentation fault. Adding an upper bound will
solve the problem and I doubt anyone is doing POST data structures with
more than 10 levels of nesting.
2014-07-03 22:02:00 -04:00
euromark
974ca851c2
Correct doc blocks according to cs guidelines.
...
Remove superfluous empty lines.
2014-07-03 15:36:42 +02:00
euromark
bd074e7dc7
Stricter string comparisons.
2014-04-29 12:05:47 +02:00
mark_story
f23d811ff5
Use the form action URL in generated form hashes.
...
By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
2014-04-25 22:05:58 -04:00
Marc Würth
7cfa0116f4
Removed "PHP 5" from file header DocBlocks
...
This statement does not serve a purpose anymore.
In a long forgotten world it indicated the main version number of PHP which the code in the file was compatible to.
http://pear.php.net/manual/en/standards.sample.php
But since PHP 5.1 and later this is only marginally true.
Thus I propose to remove it from CakePHP.
2013-11-13 22:58:39 +01:00
euromark
ee0ed3a43a
coding standards
2013-10-13 18:18:24 +02:00
euromark
a796b26f13
fix renderLayout and update deprecated and outdated code
2013-09-13 00:09:31 +02:00
Simon Males
0adef209e3
Camel case SecurityComponent::blackHole() method call
2013-08-02 12:07:33 +08:00
Marc Würth
4c9f0414cb
Improved the DocBlocks and other code cleanup
...
Fixed @license tag, url comes first
Whitespace and other minor code cleanup
Added some docblocks
2013-05-31 00:11:19 +02:00
mark_story
fee6172958
Update docs for SecurityComponent::requireAuth()
2013-02-09 14:06:24 -05:00
mark_story
e4110b1e01
Deprecate features in SecurityComponent
...
These features are available in CakeRequest now. The CakeRequest
version is improved as it raises more appropriate exceptions.
2013-02-09 13:57:55 -05:00
Graham Weldon
66d856d883
Added extra line for referencing license file for copyright
2013-02-08 21:22:51 +09:00
Graham Weldon
7b860debe4
This commit is dedicated to Mark Story, who has put in much dedicated time and effort into CakePHP over the years.
...
I just wanted to ruin his evening, because this change needs to be merged into CakePHP 3.0.
2013-02-08 20:59:49 +09:00
mark_story
4c98e39c1f
Merge branch 'master' into 2.3
...
Conflicts:
lib/Cake/Controller/Component/SecurityComponent.php
2012-12-29 11:44:59 -05:00
mark_story
1117ad2f1c
Blackhole requests when the action is the blackhole callback.
...
When a user requests the blackhole callback as an action we should
blackhole that request. The blackhole callback should not be URL
accessible.
Fixes #3496
2012-12-29 11:43:06 -05:00
euromark
b811afbc44
double spaces to single ones
2012-12-22 23:48:15 +01:00
dogmatic69
641ba9f3e6
Merge branch '2.3' into type-checks
...
Conflicts:
lib/Cake/Error/ExceptionRenderer.php
lib/Cake/Routing/Dispatcher.php
2012-10-24 19:03:44 +01:00
mark_story
f457f07b5c
Force field validation to use sha1
...
When using blowfish as your application's hashing strategy, form field
validation would fail horribly. Forcing sha1 fixes this and restores
behavior consistent with 2.2.x
Fixes #3280
2012-10-18 21:26:26 -04:00
Adam Taylor
4090c2e932
Remove trailing whitespace from comments
...
See http://groups.google.com/d/topic/cakephp-core/fuHTYMKVJno/discussion
2012-10-15 18:19:37 -06:00
dogmatic69
408e619c9f
Merge branch '2.3' into type-checks
...
Conflicts:
lib/Cake/Console/Command/Task/ModelTask.php
lib/Cake/Controller/Component/RequestHandlerComponent.php
lib/Cake/Model/Datasource/Database/Mysql.php
lib/Cake/Utility/CakeNumber.php
2012-10-01 02:08:00 +01:00
euromark
213d4caa85
coding standards
2012-09-20 01:50:15 +02:00
dogmatic69
cf8fccae96
converting $foo == null / $foo == false to !$foo
2012-09-14 18:26:30 +01:00
dogmatic69
c7faad9f78
You cant pass func_get_args() in PHP < 5.3
2012-09-14 15:29:48 +01:00
dogmatic69
bf18fc4dda
cleaning up the code, removing extra variables set and un-needed else
2012-09-13 22:10:57 +01:00
Tigran Gabrielyan
617d470427
Renamed disabledActions to unlockedActions
2012-08-03 11:01:19 -07:00
Tigran Gabrielyan
df8ec17626
Added disabledActions
feature to SecurityComponent
2012-08-02 18:27:52 -07:00
mark_story
3c6b50953b
Merge branch 'master' into 2.3
...
Conflicts:
lib/Cake/VERSION.txt
2012-07-18 22:12:51 -04:00
euromark
3945c0e6a8
rtim files
2012-07-18 03:55:29 +02:00