Forbid direct prefix access with mixed casing.
Changing the casing up should not allow prefix method access.
markstory committed Aug 6, 2015
1 parent 01b6374 commit 056f24a
Showing 2 changed files with 21 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/Cake/Controller/Controller.php
Expand Up @@ -514,12 +514,12 @@ protected function _isPrivateAction(ReflectionMethod $method, CakeRequest $reque
!$method->isPublic() ||
!in_array($method->name, $this->methods)
);
$prefixes = Router::prefixes();
$prefixes = array_map('strtolower', Router::prefixes());

if (!$privateAction && !empty($prefixes)) {
if (empty($request->params['prefix']) && strpos($request->params['action'], '_') > 0) {
list($prefix) = explode('_', $request->params['action']);
$privateAction = in_array($prefix, $prefixes);
$privateAction = in_array(strtolower($prefix), $prefixes);
}
}
return $privateAction;
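Review bot: The case normalisation on the last changed line still feeds a loose `in_array`; `$privateAction = in_array(strtolower($prefix), $prefixes, true);` keeps the guard on strict string equality and rules out PHP's numeric-string coercion in a check whose whole purpose is to deny access. The reason for lowercasing is not recorded anywhere in the hunk and could easily be "simplified" away later, so the `array_map` line deserves `// PHP resolves method names case-insensitively, so Admin_add dispatches to admin_add(); compare prefixes case-insensitively as well.` `$prefixes` is now lowercased on every call, including when `$privateAction` is already true a few lines earlier; moving the `array_map` inside the `if` would avoid that, though it is cosmetic. _isPrivateAction begins outside the hunk, its signature being visible only in the hunk header.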
19 changes: 19 additions & 0 deletions lib/Cake/Test/Case/Controller/ControllerTest.php
Expand Up @@ -1447,6 +1447,25 @@ public function testInvokeActionPrefixProtection() {
$Controller->invokeAction($url);
}

/**
* test invoking controller methods.
*
* @expectedException PrivateActionException
* @expectedExceptionMessage Private Action TestController::Admin_add() is not directly accessible.
* @return void
*/
public function testInvokeActionPrefixProtectionCasing() {
Router::reload();
Router::connect('/admin/:controller/:action/*', array('prefix' => 'admin'));

$url = new CakeRequest('test/Admin_add/');
$url->addParams(array('controller' => 'test_controller', 'action' => 'Admin_add'));
$response = $this->getMock('CakeResponse');

$Controller = new TestController($url, $response);
$Controller->invokeAction($url);
}

/**
* test invoking controller methods.
*
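Review bot: The docblock on the new testInvokeActionPrefixProtectionCasing repeats the neighbouring tests' "test invoking controller methods." and does not say what this case guards against; `* Test that prefix protection cannot be bypassed by changing the casing of the action name (Admin_add).` would make the intent readable from the test listing. Only one casing variant is exercised; a second dataset such as `ADMIN_add` would pin the lowercase-both-sides behaviour more firmly, although the expected exception message already checks the main path. The closing lines of testInvokeActionPrefixProtection at the top of the hunk belong to a method that starts outside it.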
