Commit graph

52 commits

Author SHA1 Message Date
mark_story
4b8d628a2e Backport SecurityComponent fixes from #8071 to 2.x
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
2016-01-20 21:34:58 -05:00
Schlaefer
1e961a8aac increases time window in CSRF token expiry tests to 2 seconds
travis-cs failed with 1 second margin
2014-07-06 13:54:24 +02:00
Schlaefer
9fa7afa354 fixes #3887 CSRF reusable token expires 2014-07-06 10:39:00 +02:00
euromark
974ca851c2 Correct doc blocks according to cs guidelines.
Remove superfluous empty lines.
2014-07-03 15:36:42 +02:00
mark_story
1d1a2f859c Fix coding standards error. 2014-04-28 20:56:06 -04:00
mark_story
a28158d614 Add additional test for f23d811ff5
I neglected to put a negative test to ensure validatePost fails when the
URL differs.
2014-04-26 10:23:27 -04:00
ADmad
68572d8046 Cannot use php 5.4+ array syntax for 2.x. 2014-04-26 17:30:31 +05:30
mark_story
f23d811ff5 Use the form action URL in generated form hashes.
By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.

Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
2014-04-25 22:05:58 -04:00
euromark
0d09a54033 more missing doc block tags added 2014-04-02 03:02:37 +02:00
mark_story
a5d50da040 Remove dead and unused code. 2014-02-11 16:38:24 -05:00
Marc Würth
7cfa0116f4 Removed "PHP 5" from file header DocBlocks
This statement does not serve a purpose anymore.
In a long forgotten world it indicated the main version number of PHP which the code in the file was compatible to.
http://pear.php.net/manual/en/standards.sample.php
But since PHP 5.1 and later this is only marginally true.
Thus I propose to remove it from CakePHP.
2013-11-13 22:58:39 +01:00
euromark
a796b26f13 fix renderLayout and update deprecated and outdated code 2013-09-13 00:09:31 +02:00
Marc Würth
2609016dfe Changed http links to lighthouse, groups.google and github to https
Because they get redirected anyway and we should follow good practices.
Also in many cases similar URLs were already using https
2013-06-25 22:58:30 +02:00
euromark
394bf1054d remove name attribute where not necessary, clean up doc blocks 2013-06-08 04:29:08 +02:00
Marc Würth
4c9f0414cb Improved the DocBlocks and other code cleanup
Fixed @license tag, url comes first
Whitespace and other minor code cleanup
Added some docblocks
2013-05-31 00:11:19 +02:00
Graham Weldon
66d856d883 Added extra line for referencing license file for copyright 2013-02-08 21:22:51 +09:00
Graham Weldon
7b860debe4 This commit is dedicated to Mark Story, who has put in much dedicated time and effort into CakePHP over the years.
I just wanted to ruin his evening, because this change needs to be merged into CakePHP 3.0.
2013-02-08 20:59:49 +09:00
Ceeram
16be9d4990 remove unused local vars 2013-01-23 17:22:06 +01:00
mark_story
4c98e39c1f Merge branch 'master' into 2.3
Conflicts:
	lib/Cake/Controller/Component/SecurityComponent.php
2012-12-29 11:44:59 -05:00
mark_story
1117ad2f1c Blackhole requests when the action is the blackhole callback.
When a user requests the blackhole callback as an action we should
blackhole that request. The blackhole callback should not be URL
accessible.

Fixes #3496
2012-12-29 11:43:06 -05:00
Tigran Gabrielyan
617d470427 Renamed disabledActions to unlockedActions 2012-08-03 11:01:19 -07:00
Tigran Gabrielyan
df8ec17626 Added disabledActions feature to SecurityComponent 2012-08-02 18:27:52 -07:00
Rachman Chavik
22373868bb if blackHoleCallback is set, requests _must_ get blackholed 2012-07-03 19:27:02 +07:00
Jelle Henkens
f7ce5262b7 Updating mixed @param documentation to seperate list of accepted types 2012-05-21 21:55:10 +01:00
Kyle Robinson Young
b8488b8dfe Update 1.x @link in docblocks 2012-04-26 19:49:18 -07:00
Kyle Robinson Young
90e7afbdc7 Correct parameter order of assertEquals and assertNotEquals 2012-03-22 23:37:12 -07:00
Juan Basso
3b1bd90ad6 Updated copyright to 2012. 2012-03-12 22:46:07 -04:00
mark_story
edb582944c Fix coding standards in Test/Case/Controller 2012-03-11 22:20:25 -04:00
mark_story
7665f369fa Merge branch '2.1-type-hinting-corrections' into 2.1 2012-02-25 20:07:18 -05:00
euromark
22452f61f8 type hinting controllers and views 2012-02-25 19:46:06 -05:00
Kyle Robinson Young
4176e59e52 Typo fixes in tests 2012-02-23 15:29:53 -08:00
Majna
d41e5621b7 Fix missing and invalid assertions in tests.
Remove unused variables and dead code.
2012-02-16 19:28:21 +01:00
Ceeram
f8fef907c8 avoid failing tests by 1 second off 2012-02-10 18:29:25 +01:00
mark_story
df5d9ac3d1 Merge branch '2.0' into 2.1
Conflicts:
	lib/Cake/Model/Model.php
	lib/Cake/Test/Case/Routing/RouterTest.php
2012-01-20 20:28:15 -05:00
mark_story
1693478889 Adding test for #GH424 2012-01-19 21:50:51 -05:00
mark_story
9296f770d5 Adding SecurityComponent::$csrfLimit
This property allows you to control the number of tokens
that will be kept active.  Its possible to make really large
CSRF collection sizes.  Capping the number of tokens allows developers
to better control session sizes.
2011-12-03 20:13:17 -05:00
mark_story
e421b3bc8f Adding SecurityComponent::generateToken()
This method allows end developers to add the csrf tokens
manually, if they aren't added automatically.

Tokens are cheap to generate, simplifying the logic
makes things a bit easier to understand.
2011-12-03 20:13:03 -05:00
Kyle Robinson Young
98f03dc6df Replacing test case compatibility functions 2011-11-16 21:07:08 -05:00
Gun.io Whitespace Robot
4742168253 Remove whitespace [Gun.io WhitespaceBot] 2011-10-28 18:25:08 -04:00
Mark Story
54e1de9070 Adding visibility keywords to code that came from
a 1.3 merge.
2011-08-16 22:40:38 -04:00
mark_story
d93c8cb200 Merge branch '1.3' into merger
Conflicts:
	cake/libs/controller/components/security.php
	cake/libs/view/pages/home.ctp
	cake/libs/view/view.php
	lib/Cake/Cache/Engine/FileEngine.php
	lib/Cake/Config/config.php
	lib/Cake/Model/Datasource/Database/Postgres.php
	lib/Cake/Test/Case/Utility/SanitizeTest.php
	lib/Cake/Test/Case/Utility/SetTest.php
	lib/Cake/Test/Case/View/Helper/CacheHelperTest.php
	lib/Cake/Test/Case/View/Helper/FormHelperTest.php
	lib/Cake/VERSION.txt
	lib/Cake/View/Helper/CacheHelper.php
2011-08-14 14:39:49 -04:00
mark_story
3014d3fb84 Fixing issues with CSRF token failure and requestAction.
Fixes #1900
2011-08-12 20:38:24 -04:00
Jose Lorenzo Rodriguez
cfd2d9e00b Updating all @package annotations in doc blocks 2011-07-26 01:46:14 -04:30
Mark Story
72ca89412a Fixing failing test, because I forgot to update it earlier. 2011-06-19 22:42:25 -07:00
mark_story
c136349919 Updating SecurityComponent to use unlocked instead of disabled. 2011-06-14 22:01:59 -04:00
mark_story
338957936b Adding test cases for disableFields being part of the POST data. 2011-06-14 21:50:45 -04:00
mark_story
046ddceb9a Updating SecurityComponent tests to include the disabled field. 2011-06-14 21:50:45 -04:00
Juan Basso
192812ee7f Updating the copyright to 2011. 2011-05-30 22:32:43 -04:00
mark_story
69c43a5762 Fixing issue where SecurityComponent::csrfUseOnce = false
caused forms that weren't the first to fail.
Fixes #1745
2011-05-30 21:49:18 -04:00
Renan Gonçalves
438050dcaa Adding 'public' visibility to all public methods. 2011-05-30 22:02:32 +02:00