Adding checks to force limit to always be a positive integer. Fixes p…

…otential out of bounds type queries with paginate(). Fixes #418

cake/libs/controller/controller.php

@@ -1168,8 +1168,13 @@ function paginate($object = null, $scope = array(), $whitelist = array()) {
 			$type = $defaults[0];
 			unset($defaults[0]);
 		}
+
 		$options = array_merge(array('page' => 1, 'limit' => 20), $defaults, $options);
-		$options['limit'] = (empty($options['limit']) || !is_numeric($options['limit'])) ? 1 : $options['limit'];
+		$options['limit'] = (int) $options['limit'];
+		if (empty($options['limit']) || $options['limit'] < 1) {
+			$options['limit'] = 1;
+		}
+
 		extract($options);
 
 		if (is_array($scope) && !empty($scope)) {

cake/tests/cases/libs/controller/controller.test.php

@@ -595,6 +595,14 @@ function testPaginate() {
 		$this->assertIdentical($Controller->params['paging']['ControllerPost']['pageCount'], 3);
 		$this->assertIdentical($Controller->params['paging']['ControllerPost']['prevPage'], false);
 		$this->assertIdentical($Controller->params['paging']['ControllerPost']['nextPage'], true);
+
+		$Controller->passedArgs = array();
+		$Controller->paginate = array('limit' => '-1');
+		$Controller->paginate('ControllerPost');
+		$this->assertIdentical($Controller->params['paging']['ControllerPost']['page'], 1);
+		$this->assertIdentical($Controller->params['paging']['ControllerPost']['pageCount'], 3);
+		$this->assertIdentical($Controller->params['paging']['ControllerPost']['prevPage'], false);
+		$this->assertIdentical($Controller->params['paging']['ControllerPost']['nextPage'], true);
 	}
 
 /**