From 67d1c9890ed8e80b6cfaf9b1e2d88d1a59673dda Mon Sep 17 00:00:00 2001
From: mark_story
Date: Tue, 11 Aug 2015 12:22:00 -0400
Subject: [PATCH] Disallow direct controller names

Controller names with the default routing should not allow direct plugin, or fully qualified namespace names.
---
 .../Filter/ControllerFactoryFilter.php | 3 ++
 tests/TestCase/Routing/DispatcherTest.php | 49 ++++++++++++++++++-
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/src/Routing/Filter/ControllerFactoryFilter.php b/src/Routing/Filter/ControllerFactoryFilter.php
index 284a909fc09..02818281470 100644
--- a/src/Routing/Filter/ControllerFactoryFilter.php
+++ b/src/Routing/Filter/ControllerFactoryFilter.php
@@ -73,6 +73,9 @@ protected function _getController($request, $response)
 );
 $namespace .= '/' . implode('/', $prefixes);
 }
+ if (strpos($controller, '\\') !== false || strpos($controller, '.') !== false) {
+ return false;
+ }
 $className = false;
 if ($pluginPath . $controller) {
 $className = App::classname($pluginPath . $controller, $namespace, 'Controller');
diff --git a/tests/TestCase/Routing/DispatcherTest.php b/tests/TestCase/Routing/DispatcherTest.php
index bd79368da64..7a5796f7c18 100644
--- a/tests/TestCase/Routing/DispatcherTest.php
+++ b/tests/TestCase/Routing/DispatcherTest.php
@@ -23,7 +23,6 @@
 use Cake\Network\Session;
 use Cake\Routing\Dispatcher;
 use Cake\Routing\Filter\ControllerFactoryFilter;
-use Cake\Routing\Router;
 use Cake\TestSuite\TestCase;
 use Cake\Utility\Inflector;
 
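Review bot: The new guard rejects `\` and `.` in the controller name but not `/`, so a value such as `Admin/Posts` still reaches `App::classname($pluginPath . $controller, $namespace, 'Controller')` a few lines below; if `App::classname` maps `/` to a namespace separator, as it appears to do for other names in this framework, a request could resolve a controller in a sub-namespace that should only be reachable through the prefix handling just above the new lines. I would extend the condition to `if (strpos($controller, '\\') !== false || strpos($controller, '/') !== false || strpos($controller, '.') !== false) {` and add a matching case next to the two new tests in DispatcherTest. A why-comment on the guard would help the next reader, e.g. `// The controller name is a routing param; refuse plugin (Dot) and namespace syntax so it can only resolve inside the namespace chosen above.` `_getController` begins before this hunk and continues after it, so the caller that turns `false` into MissingControllerException is not visible here.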
@@ -409,6 +408,54 @@ public function testPrefixDispatchPlugin()
 );
 }
 
+ /**
+ * test forbidden controller names.
+ *
+ * @expectedException \Cake\Routing\Exception\MissingControllerException
+ * @expectedExceptionMessage Controller class TestPlugin.Tests could not be found.
+ * @return void
+ */
+ public function testDispatchBadPluginName()
+ {
+ Plugin::load('TestPlugin');
+
+ $request = new Request([
+ 'url' => 'TestPlugin.Tests/index',
+ 'params' => [
+ 'plugin' => '',
+ 'controller' => 'TestPlugin.Tests',
+ 'action' => 'index',
+ 'pass' => [],
+ 'return' => 1
+ ]
+ ]);
+ $response = $this->getMock('Cake\Network\Response');
+ $this->dispatcher->dispatch($request, $response);
+ }
+ /**
+ * test forbidden controller names.
+ *
+ * @expectedException \Cake\Routing\Exception\MissingControllerException
+ * @expectedExceptionMessage Controller class TestApp\Controller\PostsController could not be found.
+ * @return void
+ */
+ public function testDispatchBadName()
+ {
+ $request = new Request([
+ 'url' => 'TestApp%5CController%5CPostsController/index',
+ 'params' => [
+ 'plugin' => '',
+ 'controller' => 'TestApp\Controller\PostsController',
+ 'action' => 'index',
+ 'pass' => [],
+ 'return' => 1
+ ]
+ ]);
+ $response = $this->getMock('Cake\Network\Response');
+ $this->dispatcher->dispatch($request, $response);
+ }
+
 /**
 * Test dispatcher filters being called.
 *
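Review bot: Both new docblocks carry the same one-liner, `test forbidden controller names.`, so the two cases are indistinguishable in a failure report even though they cover different syntaxes; I would document them separately, e.g. `Plugin-style (Dot) syntax in the controller param must not resolve a plugin controller.` on testDispatchBadPluginName and `A fully qualified class name in the controller param must not be resolved directly.` on testDispatchBadName. Neither test covers a controller name containing `/`, which is the other separator `App::classname` may interpret; if the filter is extended to reject it, a third test in the same shape would pin that behaviour. The enclosing class DispatcherTest starts and ends outside this hunk.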