From c792290d2e368a9a96bdee834cf7fcd8a6bb336a Mon Sep 17 00:00:00 2001 
From: chinpei215 
Date: Fri, 5 May 2017 19:24:17 +0900 
Subject: [PATCH] Fix _validatePost returns true when empty form is submitted 
---
 .../Component/SecurityComponent.php | 5 +----
 .../Component/SecurityComponentTest.php | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-) 
diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php 
index f5b401c2648..1db992fd08a 100644 
--- a/src/Controller/Component/SecurityComponent.php 
+++ b/src/Controller/Component/SecurityComponent.php 
@@ -102,7 +102,7 @@ public function startup(Event $event)
 $controller = $event->getSubject();
 $this->session = $controller->request->getSession();
 $this->_action = $controller->request->getParam('action'); 
- $hasData = (bool)$controller->request->getData(); 
+ $hasData = ($controller->request->getData() || $controller->request->is(['put', 'post', 'delete', 'patch']));
 try {
 $this->_secureRequired($controller);
 $this->_authRequired($controller); 
@@ -312,9 +312,6 @@ protected function _authRequired(Controller $controller)
 */
 protected function _validatePost(Controller $controller)
 { 
- if (!$controller->request->getData()) { 
- return true; 
- }
 $token = $this->_validToken($controller);
 $hashParts = $this->_hashParts($controller);
 $check = Security::hash(implode('', $hashParts), 'sha1'); 
diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php 
index 1faf4d22f0f..91b585cab21 100644 
--- a/tests/TestCase/Controller/Component/SecurityComponentTest.php 
+++ b/tests/TestCase/Controller/Component/SecurityComponentTest.php 
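Review bot: The new `$hasData` line in startup() is the whole security fix — a state-changing method must reach `_validatePost` even when the body is empty — but nothing in the code says so, and a later cleanup could plausibly reinstate the `(bool)` cast of `getData()` alone. Add a why-comment above it: `// An empty body on POST/PUT/PATCH/DELETE must still reach _validatePost; otherwise a form submitted with no fields bypasses the _Token check.` Because `getData()` is only checked for truthiness, a parsed body of `[]` is now covered purely by the method test, so that method list is load-bearing and reads better as a class constant, e.g. `const STATE_CHANGING_METHODS = ['put', 'post', 'delete', 'patch'];` used in `is(self::STATE_CHANGING_METHODS)`. If `is()` honours method overrides (`_method` field or `X-Http-Method-Override`) in this codebase, a request that rewrites itself to GET would still skip validation here; worth confirming against ServerRequest before relying on this as the sole gate. startup() continues outside the hunk.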
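Review bot: With the early `return true` removed, `_validatePost` now raises for any request that lacks a `_Token` (the new test expects `AuthSecurityException` with `'_Token' was not found in request data.`, presumably thrown from `_validToken`), but the method's docblock, which starts above the hunk, is not touched and may still describe the old "no data means valid" contract. Add a line such as `@throws AuthSecurityException when the request carries no _Token or the token does not validate.` and confirm the exact exception class against `_validToken`. Since the method is protected, subclasses or callbacks that called it on data-less requests and relied on the `true` return are affected by this change and should be told so in the docblock or changelog. Separately, `implode('', $hashParts)` builds the hash input with no delimiter, so distinct part tuples can concatenate to the same string unless `_hashParts` already delimits or length-prefixes them; worth checking, and the comparison of `$check` against the submitted token, which lies outside the hunk, should be done with `hash_equals`. The method body continues past the hunk.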
@@ -554,6 +554,25 @@ public function testValidatePostFormHacking()
 $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
 } 
+ /** 
+ * testValidatePostEmptyForm method 
+ * 
+ * Test that validatePost fails if empty form is submitted. 
+ * 
+ * @return void 
+ * @triggers Controller.startup $this->Controller 
+ */ 
+ public function testValidatePostEmptyForm() 
+ { 
+ $this->Controller->request = $this->Controller->request 
+ ->withEnv('REQUEST_METHOD', 'POST') 
+ ->withParsedBody([]); 
+ $event = new Event('Controller.startup', $this->Controller); 
+ $this->Security->startup($event); 
+ $result = $this->validatePost('AuthSecurityException', '\'_Token\' was not found in request data.'); 
+ $this->assertFalse($result, 'validatePost passed when empty form is submitted'); 
+ } 
+
 /**
 * testValidatePostObjectDeserialize
 *
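Review bot: The new test pins the fix only for POST, while the matching change in startup() also turns on validation for PUT, PATCH and DELETE, so a regression on any of those three methods would go unnoticed. Turn testValidatePostEmptyForm into a data-provider test, in the file's docblock-annotation style, so each of the four methods is exercised with an empty parsed body. The assertion path through `$this->validatePost(...)` is a helper defined outside the hunk; I assume it returns false when the named exception is raised, as the neighbouring tests rely on. The rewritten method and provider are below; the startup call and assertion are unchanged.
```php
    /**
     * Test that validatePost fails if an empty form is submitted, for each
     * request method that SecurityComponent treats as carrying form data.
     *
     * @dataProvider emptyFormMethodProvider
     * @param string $method HTTP method to submit with an empty body.
     * @return void
     * @triggers Controller.startup $this->Controller
     */
    public function testValidatePostEmptyForm($method)
    {
        $this->Controller->request = $this->Controller->request
            ->withEnv('REQUEST_METHOD', $method)
            ->withParsedBody([]);
        // … unchanged: startup event, validatePost('AuthSecurityException', ...) and assertFalse …
    }

    /**
     * Methods for which an empty body must still fail token validation.
     *
     * @return array
     */
    public function emptyFormMethodProvider()
    {
        return [['POST'], ['PUT'], ['PATCH'], ['DELETE']];
    }
```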