

Update FormHelper to use new CSRF tokens.
I think it works, hard to tell as the FormHelper tests don't actually
run right now.
markstory committed Nov 8, 2013
1 parent fc6b93d commit a6ef60f
Showing 2 changed files with 47 additions and 47 deletions.
79 changes: 39 additions & 40 deletions Cake/Test/TestCase/View/Helper/FormHelperTest.php
Expand Up @@ -580,15 +580,15 @@ public function tearDown() {
* @return void
*/
public function testCreateWithSecurity() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$encoding = strtolower(Configure::read('App.encoding'));
$result = $this->Form->create('Contact', array('url' => '/contacts/add'));
$expected = array(
'form' => array('method' => 'post', 'action' => '/contacts/add', 'accept-charset' => $encoding, 'id' => 'ContactAddForm'),
'div' => array('style' => 'display:none;'),
array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
array('input' => array(
'type' => 'hidden', 'name' => '_Token[key]', 'value' => 'testKey', 'id'
'type' => 'hidden', 'name' => '_csrfToken', 'value' => 'testKey', 'id'
)),
'/div'
);
Expand All @@ -607,13 +607,13 @@ public function testCreateWithSecurity() {
* @return void
*/
public function testCreateEndGetNoSecurity() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$encoding = strtolower(Configure::read('App.encoding'));
$result = $this->Form->create('Contact', array('type' => 'get', 'url' => '/contacts/add'));
$this->assertNotContains('Token', $result);
$this->assertNotContains('testKey', $result);

$result = $this->Form->end('Save');
$this->assertNotContains('Token', $result);
$this->assertNotContains('testKey', $result);
}

/**
Expand All @@ -633,7 +633,7 @@ public function testCreateClearingFields() {
* @return void
*/
public function testValidateHashNoModel() {
$this->Form->request['_Token'] = array('key' => 'foo');
$this->Form->request->params['_csrfToken'] = 'foo';
$result = $this->Form->secure(array('anything'));
$this->assertRegExp('/540ac9c60d323c22bafe997b72c0790f39a8bdef/', $result);
}
Expand Down Expand Up @@ -672,7 +672,7 @@ public function testDuplicateFieldNameResolution() {
* @return void
*/
public function testNoCheckboxLocking() {
$this->Form->request['_Token'] = array('key' => 'foo');
$this->Form->request->params['_csrfToken'] = 'foo';
$this->assertSame(array(), $this->Form->fields);

$this->Form->checkbox('check', array('value' => '1'));
Expand All @@ -690,7 +690,7 @@ public function testFormSecurityFields() {
$key = 'testKey';
$fields = array('Model.password', 'Model.username', 'Model.valid' => '0');

$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;
$result = $this->Form->secure($fields);

$hash = Security::hash(serialize($fields) . Configure::read('Security.salt'));
Expand Down Expand Up @@ -852,7 +852,7 @@ public function testFormSecurityMultipleFields() {
'Model.0.valid' => '0', 'Model.1.password', 'Model.1.username',
'Model.1.hidden' => 'value', 'Model.1.valid' => '0'
);
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;
$result = $this->Form->secure($fields);

$hash = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3AModel.0.hidden%7CModel.0.valid';
Expand Down Expand Up @@ -882,7 +882,7 @@ public function testFormSecurityMultipleFields() {
*/
public function testFormSecurityMultipleSubmitButtons() {
$key = 'testKey';
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->create('Addresses');
$this->Form->input('Address.title');
Expand Down Expand Up @@ -926,7 +926,7 @@ public function testFormSecurityMultipleSubmitButtons() {
*/
public function testSecurityButtonNestedNamed() {
$key = 'testKey';
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->create('Addresses');
$this->Form->button('Test', array('type' => 'submit', 'name' => 'Address[button]'));
Expand All @@ -941,7 +941,7 @@ public function testSecurityButtonNestedNamed() {
*/
public function testSecuritySubmitNestedNamed() {
$key = 'testKey';
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->create('Addresses');
$this->Form->submit('Test', array('type' => 'submit', 'name' => 'Address[button]'));
Expand All @@ -956,7 +956,7 @@ public function testSecuritySubmitNestedNamed() {
*/
public function testSecuritySubmitImageNoName() {
$key = 'testKey';
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->create('User');
$result = $this->Form->submit('save.png');
Expand All @@ -976,7 +976,7 @@ public function testSecuritySubmitImageNoName() {
*/
public function testSecuritySubmitImageName() {
$key = 'testKey';
$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->create('User');
$result = $this->Form->submit('save.png', array('name' => 'test'));
Expand All @@ -998,8 +998,7 @@ public function testSecuritySubmitImageName() {
*/
public function testFormSecurityMultipleInputFields() {
$key = 'testKey';

$this->Form->request['_Token'] = array('key' => $key);
$this->Form->request->params['_csrfToken'] = $key;
$this->Form->create('Addresses');

$this->Form->hidden('Addresses.0.id', array('value' => '123456'));
Expand Down Expand Up @@ -1046,8 +1045,8 @@ public function testFormSecurityMultipleInputFields() {
*/
public function testFormSecurityArrayFields() {
$key = 'testKey';
$this->Form->request->params['_csrfToken'] = $key;

$this->Form->request->params['_Token']['key'] = $key;
$this->Form->create('Address');
$this->Form->input('Address.primary.1');
$this->assertEquals('Address.primary', $this->Form->fields[0]);
Expand All @@ -1065,8 +1064,8 @@ public function testFormSecurityArrayFields() {
*/
public function testFormSecurityMultipleInputDisabledFields() {
$key = 'testKey';
$this->Form->request->params['_csrfToken'] = $key;
$this->Form->request->params['_Token'] = array(
'key' => $key,
'unlockedFields' => array('first_name', 'address')
);
$this->Form->create();
Expand Down Expand Up @@ -1113,8 +1112,8 @@ public function testFormSecurityMultipleInputDisabledFields() {
*/
public function testFormSecurityInputUnlockedFields() {
$key = 'testKey';
$this->Form->request->params['_csrfToken'] = $key;
$this->Form->request['_Token'] = array(
'key' => $key,
'unlockedFields' => array('first_name', 'address')
);
$this->Form->create();
Expand Down Expand Up @@ -1159,7 +1158,7 @@ public function testFormSecurityInputUnlockedFields() {
* @return void
*/
public function testFormSecureWithCustomNameAttribute() {
$this->Form->request->params['_Token']['key'] = 'testKey';
$this->Form->request->params['_csrfToken'] = 'testKey';

$this->Form->text('UserForm.published', array('name' => 'User[custom]'));
$this->assertEquals('User.custom', $this->Form->fields[0]);
Expand All @@ -1176,7 +1175,7 @@ public function testFormSecureWithCustomNameAttribute() {
* @return void
*/
public function testFormSecuredInput() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';

$result = $this->Form->create('Contact', array('url' => '/contacts/add'));
$encoding = strtolower(Configure::read('App.encoding'));
Expand All @@ -1185,7 +1184,7 @@ public function testFormSecuredInput() {
'div' => array('style' => 'display:none;'),
array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
array('input' => array(
'type' => 'hidden', 'name' => '_Token[key]',
'type' => 'hidden', 'name' => '_csrfToken',
'value' => 'testKey', 'id' => 'preg:/Token\d+/'
)),
'/div'
Expand Down Expand Up @@ -1284,7 +1283,7 @@ public function testFormSecuredInput() {
* @return void
*/
public function testSecuredInputCustomName() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->assertEquals(array(), $this->Form->fields);

$this->Form->input('text_input', array(
Expand All @@ -1308,7 +1307,7 @@ public function testSecuredInputCustomName() {
* @return void
*/
public function testFormSecuredFileInput() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->assertEquals(array(), $this->Form->fields);

$this->Form->file('Attachment.file');
Expand All @@ -1325,7 +1324,7 @@ public function testFormSecuredFileInput() {
* @return void
*/
public function testFormSecuredMultipleSelect() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->assertEquals(array(), $this->Form->fields);
$options = array('1' => 'one', '2' => 'two');

Expand All @@ -1344,7 +1343,7 @@ public function testFormSecuredMultipleSelect() {
* @return void
*/
public function testFormSecuredRadio() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->assertEquals(array(), $this->Form->fields);
$options = array('1' => 'option1', '2' => 'option2');

Expand All @@ -1359,7 +1358,7 @@ public function testFormSecuredRadio() {
* @return void
*/
public function testFormSecuredAndDisabledNotAssoc() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';

$this->Form->select('Model.select', array(1, 2), array('disabled'));
$this->Form->checkbox('Model.checkbox', array('disabled'));
Expand All @@ -1381,7 +1380,7 @@ public function testFormSecuredAndDisabledNotAssoc() {
* @return void
*/
public function testFormSecuredAndDisabled() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';

$this->Form->checkbox('Model.checkbox', array('disabled' => true));
$this->Form->text('Model.text', array('disabled' => true));
Expand All @@ -1408,8 +1407,8 @@ public function testFormSecuredAndDisabled() {
* @return void
*/
public function testDisableSecurityUsingForm() {
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->Form->request['_Token'] = array(
'key' => 'testKey',
'disabledFields' => array()
);
$this->Form->create();
Expand All @@ -1435,8 +1434,8 @@ public function testDisableSecurityUsingForm() {
* @return void
*/
public function testUnlockFieldAddsToList() {
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->Form->request['_Token'] = array(
'key' => 'testKey',
'unlockedFields' => array()
);
$this->Form->create('Contact');
Expand All @@ -1453,8 +1452,8 @@ public function testUnlockFieldAddsToList() {
* @return void
*/
public function testUnlockFieldRemovingFromFields() {
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->Form->request['_Token'] = array(
'key' => 'testKey',
'unlockedFields' => array()
);
$this->Form->create('Contact');
Expand Down Expand Up @@ -5121,7 +5120,7 @@ public function testSelectMultipleCheckboxDiv() {
* @return void
*/
public function testSelectMultipleCheckboxSecurity() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$this->Form->request->params['_csrfToken'] = 'testKey';
$this->assertEquals(array(), $this->Form->fields);

$result = $this->Form->select(
Expand All @@ -5142,7 +5141,7 @@ public function testSelectMultipleCheckboxSecurity() {
* @return void
*/
public function testSelectMultipleSecureWithNoOptions() {
$this->Form->request['_Token'] = array('key' => 'testkey');
$this->Form->request->params['_csrfToken'] = 'testkey';
$this->assertEquals(array(), $this->Form->fields);

$this->Form->select(
Expand All @@ -5159,7 +5158,7 @@ public function testSelectMultipleSecureWithNoOptions() {
* @return void
*/
public function testSelectNoSecureWithNoOptions() {
$this->Form->request['_Token'] = array('key' => 'testkey');
$this->Form->request->params['_csrfToken'] = 'testkey';
$this->assertEquals(array(), $this->Form->fields);

$this->Form->select(
Expand Down Expand Up @@ -7071,7 +7070,7 @@ public function testButton() {
* @return void
*/
public function testButtonUnlockedByDefault() {
$this->Form->request->params['_Token']['key'] = 'secured';
$this->Form->request->params['_csrfToken'] = 'secured';
$this->Form->button('Save', array('name' => 'save'));
$this->Form->button('Clear');

Expand Down Expand Up @@ -7107,7 +7106,7 @@ public function testPostButton() {
* @return void
*/
public function testSecurePostButton() {
$this->Form->request->params['_Token'] = array('key' => 'testkey');
$this->Form->request->params['_csrfToken'] = 'testkey';

$result = $this->Form->postButton('Delete', '/posts/delete/1');
$expected = array(
Expand All @@ -7116,7 +7115,7 @@ public function testSecurePostButton() {
),
array('div' => array('style' => 'display:none;')),
array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
array('input' => array('type' => 'hidden', 'name' => '_Token[key]', 'value' => 'testkey', 'id' => 'preg:/Token\d+/')),
array('input' => array('type' => 'hidden', 'name' => '_csrfToken', 'value' => 'testkey', 'id' => 'preg:/Token\d+/')),
'/div',
'button' => array('type' => 'submit'),
'Delete',
Expand Down Expand Up @@ -7228,7 +7227,7 @@ public function testPostLink() {
* @return void
*/
public function testSecurePostLink() {
$this->Form->request->params['_Token'] = array('key' => 'testkey');
$this->Form->request->params['_csrfToken'] = 'testkey';

$result = $this->Form->postLink('Delete', '/posts/delete/1');
$expected = array(
Expand All @@ -7237,7 +7236,7 @@ public function testSecurePostLink() {
'name' => 'preg:/post_\w+/', 'id' => 'preg:/post_\w+/', 'style' => 'display:none;'
),
array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
array('input' => array('type' => 'hidden', 'name' => '_Token[key]', 'value' => 'testkey', 'id' => 'preg:/Token\d+/')),
array('input' => array('type' => 'hidden', 'name' => '_csrfToken', 'value' => 'testkey', 'id' => 'preg:/Token\d+/')),
'div' => array('style' => 'display:none;'),
array('input' => array('type' => 'hidden', 'name' => '_Token[fields]', 'value' => 'preg:/[\w\d%]+/', 'id' => 'preg:/TokenFields\d+/')),
array('input' => array('type' => 'hidden', 'name' => '_Token[unlocked]', 'value' => '', 'id' => 'preg:/TokenUnlocked\d+/')),
Expand Down Expand Up @@ -7433,7 +7432,7 @@ public function testSubmitImage() {
* @return void
*/
public function testSubmitUnlockedByDefault() {
$this->Form->request->params['_Token']['key'] = 'secured';
$this->Form->request->params['_csrfToken'] = 'secured';
$this->Form->submit('Go go');
$this->Form->submit('Save', array('name' => 'save'));

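Review bot: Several tests keep a `'key' => $key` (or `'testKey'`) entry inside the `_Token` array right after the new `_csrfToken` assignment (L158-161, L168-171, L259-262, L269-272, L279-282), but the `_csrfField` change in this commit no longer reads `_Token['key']`, so those entries are dead and suggest the old contract is still honoured; dropping them would keep the fixtures honest, e.g. `$this->Form->request->params['_Token'] = array('unlockedFields' => array('first_name', 'address'));`. Those same blocks also mix `$this->Form->request['_Token']` (ArrayAccess) with the `->params[...]` form used on every new line, which reads as two different APIs for the same data; switching them to `->params['_Token']` would match the rest of the diff. The `'id'` fragment at L31 looks cut off in the rendered view, so I cannot tell whether the expected `preg:/Token\d+/` id survived there.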
15 changes: 8 additions & 7 deletions Cake/View/Helper/FormHelper.php
Expand Up @@ -456,22 +456,23 @@ public function create($model = null, $options = array()) {
}

/**
* Return a CSRF input if the _Token is present.
* Used to secure forms in conjunction with SecurityComponent
* Return a CSRF input if the request data is present.
* Used to secure forms in conjunction with CsrfComponent &
* SecurityComponent
*
* @return string
*/
protected function _csrfField() {
if (empty($this->request->params['_Token'])) {
return '';
}
if (!empty($this->request['_Token']['unlockedFields'])) {
foreach ((array)$this->request['_Token']['unlockedFields'] as $unlocked) {
$this->_unlockedFields[] = $unlocked;
}
}
return $this->hidden('_Token.key', array(
'value' => $this->request->params['_Token']['key'], 'id' => 'Token' . mt_rand(),
if (empty($this->request->params['_csrfToken'])) {
return '';
}
return $this->hidden('_csrfToken', array(
'value' => $this->request->params['_csrfToken'], 'id' => 'Token' . mt_rand(),
'secure' => static::SECURE_SKIP
));
}
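Review bot: The new `_csrfField` drops the loop that copied `_Token['unlockedFields']` into `$this->_unlockedFields` without replacing it, yet the tests in this same commit (testFormSecurityInputUnlockedFields, testFormSecurityMultipleInputDisabledFields) still seed `_Token['unlockedFields']`; unless that loop has been moved into `create()` or `secure()` outside this hunk, fields SecurityComponent unlocks will now be folded into the `_Token[fields]` hash and posts that change them will fail validation. Because CsrfComponent and SecurityComponent are now described as separate, the unlocked-fields seeding should also not depend on `_csrfToken` being set, so I would run it before the early return. The docblock line `* Return a CSRF input if the request data is present.` is vague; `* Return a hidden _csrfToken input when request->params['_csrfToken'] is set.` names the actual condition. The `create()` method at the top of the hunk starts outside it.
```php
protected function _csrfField() {
    // SecurityComponent unlocks are independent of the CSRF token.
    if (!empty($this->request->params['_Token']['unlockedFields'])) {
        foreach ((array)$this->request->params['_Token']['unlockedFields'] as $unlocked) {
            $this->_unlockedFields[] = $unlocked;
        }
    }
    if (empty($this->request->params['_csrfToken'])) {
        return '';
    }
    // … unchanged: hidden('_csrfToken', …) …
}
```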
