Fix CSRF validation failure.

When the cookie is not present CSRF validation should always fail.
cakephp · May 8, 2015 · 522ed2f · 522ed2f
1 parent dfa7337
commit 522ed2f
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/src/Controller/Component/CsrfComponent.php b/src/Controller/Component/CsrfComponent.php
@@ -144,6 +144,10 @@ protected function _validateToken(Request $request)
         $post = $request->data($this->_config['field']);
         $header = $request->header('X-CSRF-Token');
 
+        if (empty($cookie)) {
+            throw new ForbiddenException(__d('cake', 'Invalid CSRF token.'));
+        }
+
         if ($post !== $cookie && $header !== $cookie) {
             throw new ForbiddenException(__d('cake', 'Invalid CSRF token.'));
         }

diff --git a/tests/TestCase/Controller/Component/CsrfComponentTest.php b/tests/TestCase/Controller/Component/CsrfComponentTest.php
@@ -163,7 +163,6 @@ public function testValidTokenRequestData($method)
      * @dataProvider httpMethodProvider
      * @expectedException \Cake\Network\Exception\ForbiddenException
      * @return void
-     * @triggers Controller.startup $controller
      */
     public function testInvalidTokenRequestData($method)
     {
@@ -180,6 +179,49 @@ public function testInvalidTokenRequestData($method)
         $this->component->startup($event);
     }
 
+    /**
+     * Test that missing post field fails
+     *
+     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @return void
+     */
+    public function testInvalidTokenRequestDataMissing()
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+
+        $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
+        $controller->request = new Request([
+            'post' => [],
+            'cookies' => ['csrfToken' => 'testing123']
+        ]);
+        $controller->response = new Response();
+
+        $event = new Event('Controller.startup', $controller);
+        $this->component->startup($event);
+    }
+
+    /**
+     * Test that missing header and cookie fails
+     *
+     * @dataProvider httpMethodProvider
+     * @expectedException \Cake\Network\Exception\ForbiddenException
+     * @return void
+     */
+    public function testInvalidTokenMissingCookie($method)
+    {
+        $_SERVER['REQUEST_METHOD'] = $method;
+
+        $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
+        $controller->request = new Request([
+            'post' => ['_csrfToken' => 'could-be-valid'],
+            'cookies' => []
+        ]);
+        $controller->response = new Response();
+
+        $event = new Event('Controller.startup', $controller);
+        $this->component->startup($event);
+    }
+
     /**
      * Test that CSRF checks are not applied to request action requests.
      *