Skip to content

Commit

Permalink
Port FormHelper fixes in #8388 to 3.x
Browse files Browse the repository at this point in the history 
The issue with FormHelper::postLink() being used inside of forms also
exists in 3.x

Refs #8387
  • Loading branch information
@markstory
markstory committed Apr 3, 2016
1 parent b60944b commit 15e9858
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 4 deletions.
16 changes: 12 additions & 4 deletions src/View/Helper/FormHelper.php
View file
Expand Up @@ -552,18 +552,20 @@ public function end(array $secureAttributes = [])
* generating the hash, else $this->fields is being used.
* @param array $secureAttributes will be passed as HTML attributes into the hidden
* input elements generated for the Security Component.
* @return string|null A hidden input field with a security hash
* @return string A hidden input field with a security hash, or empty string when
* secured forms are not in use.
*/
public function secure(array $fields = [], array $secureAttributes = [])
{
if (empty($this->request['_Token'])) {
return null;
return '';
}
$debugSecurity = Configure::read('debug');
if (isset($secureAttributes['debugSecurity'])) {
$debugSecurity = $debugSecurity && $secureAttributes['debugSecurity'];
unset($secureAttributes['debugSecurity']);
}
$secureAttributes['secure'] = static::SECURE_SKIP;

$tokenData = $this->_buildFieldToken(
$this->_lastAction,
Expand Down Expand Up @@ -1678,7 +1680,9 @@ public function postLink($title, $url = null, array $options = [])
}
$templater = $this->templater();

$restoreAction = $this->_lastAction;
$this->_lastAction($url);

$action = $templater->formatAttributes([
'action' => $this->Url->build($url),
'escape' => false
Expand All @@ -1687,19 +1691,23 @@ public function postLink($title, $url = null, array $options = [])
$out = $this->formatTemplate('formStart', [
'attrs' => $templater->formatAttributes($formOptions) . $action
]);
$out .= $this->hidden('_method', ['value' => $requestMethod]);
$out .= $this->hidden('_method', [
'value' => $requestMethod,
'secure' => static::SECURE_SKIP
]);
$out .= $this->_csrfField();

$fields = [];
if (isset($options['data']) && is_array($options['data'])) {
foreach (Hash::flatten($options['data']) as $key => $value) {
$fields[$key] = $value;
$out .= $this->hidden($key, ['value' => $value]);
$out .= $this->hidden($key, ['value' => $value, 'secure' => static::SECURE_SKIP]);
}
unset($options['data']);
}
$out .= $this->secure($fields);
$out .= $this->formatTemplate('formEnd', []);
$this->_lastAction = $restoreAction;

if ($options['block']) {
if ($options['block'] === true) {
Expand Down
29 changes: 29 additions & 0 deletions tests/TestCase/View/Helper/FormHelperTest.php
View file
Expand Up @@ -6978,6 +6978,35 @@ public function testPostLinkSecurityHash()
$this->assertHtml($expected, $result);
}

/**
* Test that postLink doesn't modify the fields in the containing form.
*
* postLink() calls inside open forms should not modify the field list
* for the form.
*
* @return void
*/
public function testPostLinkSecurityHashBlockMode()
{
$hash = Security::hash(
'/posts/delete/1' .
serialize([]) .
'' .
Security::salt()
);
$hash .= '%3A';
$this->Form->request->params['_Token']['key'] = 'test';

$this->Form->create('Post', ['url' => ['action' => 'add']]);
$this->Form->input('title');
$this->Form->postLink('Delete', '/posts/delete/1', ['block' => true]);
$result = $this->View->fetch('postLink');

$this->assertEquals(['title'], $this->Form->fields);
$this->assertContains($hash, $result, 'Should contain the correct hash.');
$this->assertAttributeEquals('/articles/add', '_lastAction', $this->Form, 'lastAction was should be restored.');
}

/**
* Test that security does not include debug token if debug is false.
*
Expand Down

0 comments on commit 15e9858

Please sign in to comment.