Fix security component failing on csrf tokens.

The `_csrfToken` field should be ignored when validating post data. Refs #5100
cakephp · Nov 7, 2014 · a330584 · a330584
1 parent 2109e03
commit a330584
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php
@@ -289,7 +289,7 @@ protected function _validatePost(Controller $controller) {
 		if (strpos($token, ':')) {
 			list($token, $locked) = explode(':', $token, 2);
 		}
-		unset($check['_Token']);
+		unset($check['_Token'], $check['_csrfToken']);
 
 		$locked = explode('|', $locked);
 		$unlocked = explode('|', $unlocked);

diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php
@@ -426,6 +426,26 @@ public function testValidatePostObjectDeserialize() {
 		$this->assertFalse($result, 'validatePost passed when key was missing. %s');
 	}
 
+/**
+ * Tests validation post data ignores `_csrfToken`.
+ *
+ * @return void
+ */
+	public function testValidatePostIgnoresCsrfToken() {
+		$event = new Event('Controller.startup', $this->Controller);
+		$this->Controller->Security->startup($event);
+
+		$fields = '8e26ef05379e5402c2c619f37ee91152333a0264%3A';
+		$unlocked = '';
+
+		$this->Controller->request->data = array(
+			'_csrfToken' => 'abc123',
+			'Model' => array('multi_field' => array('1', '3')),
+			'_Token' => compact('fields', 'unlocked')
+		);
+		$this->assertTrue($this->Controller->Security->validatePost($this->Controller));
+	}
+
 /**
  * Tests validation of checkbox arrays
  *