Fix _validatePost returns true when empty form is submitted

cakephp · May 5, 2017 · c792290 · c792290
1 parent 1e20350
commit c792290
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php
@@ -102,7 +102,7 @@ public function startup(Event $event)
         $controller = $event->getSubject();
         $this->session = $controller->request->getSession();
         $this->_action = $controller->request->getParam('action');
-        $hasData = (bool)$controller->request->getData();
+        $hasData = ($controller->request->getData() || $controller->request->is(['put', 'post', 'delete', 'patch']));
         try {
             $this->_secureRequired($controller);
             $this->_authRequired($controller);
@@ -312,9 +312,6 @@ protected function _authRequired(Controller $controller)
      */
     protected function _validatePost(Controller $controller)
     {
-        if (!$controller->request->getData()) {
-            return true;
-        }
         $token = $this->_validToken($controller);
         $hashParts = $this->_hashParts($controller);
         $check = Security::hash(implode('', $hashParts), 'sha1');

diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php
@@ -554,6 +554,25 @@ public function testValidatePostFormHacking()
         $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
     }
 
+    /**
+     * testValidatePostEmptyForm method
+     *
+     * Test that validatePost fails if empty form is submitted.
+     *
+     * @return void
+     * @triggers Controller.startup $this->Controller
+     */
+    public function testValidatePostEmptyForm()
+    {
+        $this->Controller->request = $this->Controller->request
+            ->withEnv('REQUEST_METHOD', 'POST')
+            ->withParsedBody([]);
+        $event = new Event('Controller.startup', $this->Controller);
+        $this->Security->startup($event);
+        $result = $this->validatePost('AuthSecurityException', '\'_Token\' was not found in request data.');
+        $this->assertFalse($result, 'validatePost passed when empty form is submitted');
+    }
+
     /**
      * testValidatePostObjectDeserialize
      *