Fixing case where it was possible to pass array data to FormAuthenticate

fields
cakephp · Apr 24, 2013 · db6dd18 · db6dd18
1 parent e144afe
commit db6dd18
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/lib/Cake/Controller/Component/Auth/FormAuthenticate.php b/lib/Cake/Controller/Component/Auth/FormAuthenticate.php
@@ -49,11 +49,11 @@ protected function _checkFields(CakeRequest $request, $model, $fields) {
 		if (empty($request->data[$model])) {
 			return false;
 		}
-		if (
-			empty($request->data[$model][$fields['username']]) ||
-			empty($request->data[$model][$fields['password']])
-		) {
-			return false;
+		foreach (array($fields['username'], $fields['password']) as $field) {
+			$value = $request->data($model . '.' . $field);
+			if (empty($value) || !is_string($value)) {
+				return false;
+			}
 		}
 		return true;
 	}

diff --git a/lib/Cake/Test/Case/Controller/Component/Auth/FormAuthenticateTest.php b/lib/Cake/Test/Case/Controller/Component/Auth/FormAuthenticateTest.php
@@ -115,6 +115,28 @@ public function testAuthenticatePasswordIsFalse() {
 		$this->assertFalse($this->auth->authenticate($request, $this->response));
 	}
 
+/**
+ * test authenticate field is not string
+ *
+ * @return void
+ */
+	public function testAuthenticateFieldsAreNotString() {
+		$request = new CakeRequest('posts/index', false);
+		$request->data = array(
+			'User' => array(
+				'user' => array('mariano', 'phpnut'),
+				'password' => 'my password'
+		));
+		$this->assertFalse($this->auth->authenticate($request, $this->response));
+
+		$request->data = array(
+			'User' => array(
+				'user' => 'mariano',
+				'password' => array('password1', 'password2')
+		));
+		$this->assertFalse($this->auth->authenticate($request, $this->response));
+	}
+
 /**
  * test the authenticate method
  *