Fixing Router::reverse() serializing all of _Token.

Removing CSRF tokens from the parameters SecurityComponent exports. Updating tests for both Router and SecurityComponent. Fixes #1697
cakephp · May 17, 2011 · 6289f20 · 6289f20
1 parent f2e953d
commit 6289f20
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 3 deletions.
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -495,8 +495,11 @@ protected function _generateToken($controller) {
 		if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
 			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
-		$controller->request->params['_Token'] = $token;
 		$this->Session->write('_Token', $token);
+		$controller->request->params['_Token'] = array(
+			'key' => $token['key'],
+			'disabledFields' => $token['disabledFields']
+		);
 		return true;
 	}
 

diff --git a/lib/Cake/Routing/Router.php b/lib/Cake/Routing/Router.php
@@ -1029,7 +1029,8 @@ public static function reverse($params, $full = false) {
 
 		unset(
 			$params['pass'], $params['named'], $params['paging'], $params['models'], $params['url'], $url['url'],
-			$params['autoRender'], $params['bare'], $params['requested'], $params['return']
+			$params['autoRender'], $params['bare'], $params['requested'], $params['return'],
+			$params['_Token']
 		);
 		$params = array_merge($params, $pass, $named);
 		if (!empty($url)) {

diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -996,6 +996,7 @@ function testCsrfSettings() {
 		$token = $this->Security->Session->read('_Token');
 		$this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
 		$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
+		$this->assertEquals(array('key', 'disabledFields'), array_keys($this->Controller->request->params['_Token']), 'Keys don not match');
 	}
 
 /**

diff --git a/lib/Cake/Test/Case/Routing/RouterTest.php b/lib/Cake/Test/Case/Routing/RouterTest.php
@@ -2285,7 +2285,8 @@ function testRouterReverse() {
 			'autoRender' => 1,
 			'bare' => 1,
 			'return' => 1,
-			'requested' => 1
+			'requested' => 1,
+			'_Token' => array('key' => 'sekret')
 		);
 		$result = Router::reverse($params);
 		$this->assertEqual($result, '/posts/view/1');