Merge branch 'generate-token' into 2.1

cakephp · Dec 4, 2011 · c6f492d · c6f492d
2 parents 545f4d2 + 9296f77
commit c6f492d
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 11 deletions.
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -157,6 +157,19 @@ class SecurityComponent extends Component {
  */
 	public $csrfUseOnce = true;
 
+/**
+ * Control the number of tokens a user can keep open.
+ * This is most useful with one-time use tokens.  Since new tokens
+ * are created on each request, having a hard limit on the number of open tokens
+ * can be useful in controlling the size of the session file.
+ *
+ * When tokens are evicted, the oldest ones will be removed, as they are the most likely
+ * to be dead/expired.
+ *
+ * @var integer
+ */
+	public $csrfLimit = 100;
+
 /**
  * Other components used by the Security component
  *
@@ -207,7 +220,7 @@ public function startup($controller) {
 				return $this->blackHole($controller, 'csrf');
 			}
 		}
-		$this->_generateToken($controller);
+		$this->generateToken($controller->request);
 		if ($isPost) {
 			unset($controller->request->data['_Token']);
 		}
@@ -469,16 +482,15 @@ protected function _validatePost($controller) {
 	}
 
 /**
- * Add authentication key for new form posts
+ * Manually add CSRF token information into the provided request object.
  *
- * @param Controller $controller Instantiating controller
- * @return boolean Success
+ * @param CakeRequest $request The request object to add into.
+ * @return boolean
  */
-	protected function _generateToken($controller) {
-		if (isset($controller->request->params['requested']) && $controller->request->params['requested'] === 1) {
+	public function generateToken(CakeRequest $request) {
+		if (isset($request->params['requested']) && $request->params['requested'] === 1) {
 			if ($this->Session->check('_Token')) {
-				$tokenData = $this->Session->read('_Token');
-				$controller->request->params['_Token'] = $tokenData;
+				$request->params['_Token'] = $this->Session->read('_Token');
 			}
 			return false;
 		}
@@ -498,15 +510,15 @@ protected function _generateToken($controller) {
 				$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
 			}
 		}
-		if ($this->csrfCheck && ($this->csrfUseOnce || empty($token['csrfTokens'])) ) {
+		if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
 			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
-		if ($this->csrfCheck && $this->csrfUseOnce == false) {
+		if (!$this->csrfUseOnce) {
 			$csrfTokens = array_keys($token['csrfTokens']);
 			$token['key'] = $csrfTokens[0];
 		}
 		$this->Session->write('_Token', $token);
-		$controller->request->params['_Token'] = array(
+		$request->params['_Token'] = array(
 			'key' => $token['key'],
 			'unlockedFields' => $token['unlockedFields']
 		);
@@ -542,6 +554,10 @@ protected function _validateCsrf($controller) {
  */
 	protected function _expireTokens($tokens) {
 		$now = time();
+		$overflow = count($tokens) - $this->csrfLimit;
+		if ($overflow > 0) {
+			$tokens = array_slice($tokens, $overflow + 1, null, true);
+		}
 		foreach ($tokens as $nonce => $expires) {
 			if ($expires < $now) {
 				unset($tokens[$nonce]);

diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -1277,4 +1277,44 @@ public function testCsrfNotUseOnceValidationLeavingToken() {
 		$token = $this->Security->Session->read('_Token');
 		$this->assertTrue(isset($token['csrfTokens']['nonce1']), 'Token was consumed');
 	}
+
+/**
+ * Test generateToken()
+ *
+ * @return void
+ */
+	public function testGenerateToken() {
+		$request = $this->Controller->request;
+		$this->Security->generateToken($request);
+
+		$this->assertNotEmpty($request->params['_Token']);
+		$this->assertTrue(isset($request->params['_Token']['unlockedFields']));
+		$this->assertTrue(isset($request->params['_Token']['key']));
+	}
+
+/**
+ * Test the limiting of CSRF tokens.
+ *
+ * @return void
+ */
+	public function testCsrfLimit() {
+		$this->Security->csrfLimit = 3;
+		$time = strtotime('+10 minutes');
+		$tokens = array(
+			'1' => $time,
+			'2' => $time,
+			'3' => $time,
+			'4' => $time,
+			'5' => $time,
+		);
+		$this->Security->Session->write('_Token', array('csrfTokens' => $tokens));
+		$this->Security->generateToken($this->Controller->request);
+		$result = $this->Security->Session->read('_Token.csrfTokens');
+
+		$this->assertFalse(isset($result['1']));
+		$this->assertFalse(isset($result['2']));
+		$this->assertFalse(isset($result['3']));
+		$this->assertTrue(isset($result['4']));
+		$this->assertTrue(isset($result['5']));
+	}
 }