From e496fc94349c9541d845bcc5013f24667eda0edf Mon Sep 17 00:00:00 2001
From: gwoo
Date: Wed, 14 Jan 2009 05:21:26 +0000
Subject: [PATCH] updating auth component and test with additional checks for missing data

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@7979 3807eeeb-6ff5-0310-8944-8be069107fe0
---
 cake/libs/controller/components/auth.php | 34 +++++++++++--------
 .../libs/controller/components/auth.test.php | 15 +++++++-
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/cake/libs/controller/components/auth.php b/cake/libs/controller/components/auth.php
index 087df9ce32e..b299ec1009f 100644
--- a/cake/libs/controller/components/auth.php
+++ b/cake/libs/controller/components/auth.php
@@ -297,23 +297,29 @@ function startup(&$controller) {
 }
 return false;
 }
- $username = $controller->data[$this->userModel][$this->fields['username']];
- $password = $controller->data[$this->userModel][$this->fields['password']];
- $data = array(
- $this->userModel . '.' . $this->fields['username'] => $username,
- $this->userModel . '.' . $this->fields['password'] => $password
- );
+ $isValid = !empty($controller->data[$this->userModel][$this->fields['username']]) &&
+ !empty($controller->data[$this->userModel][$this->fields['password']]);
- if ($this->login($data)) {
- if ($this->autoRedirect) {
- $controller->redirect($this->redirect(), null, true);
+ if ($isValid) {
+ $username = $controller->data[$this->userModel][$this->fields['username']];
+ $password = $controller->data[$this->userModel][$this->fields['password']];
+
+ $data = array(
+ $this->userModel . '.' . $this->fields['username'] => $username,
+ $this->userModel . '.' . $this->fields['password'] => $password
+ );
+
+ if ($this->login($data)) {
+ if ($this->autoRedirect) {
+ $controller->redirect($this->redirect(), null, true);
+ }
+ return true;
 }
- return true;
- } else {
- $this->Session->setFlash($this->loginError, 'default', array(), 'auth');
- $controller->data[$this->userModel][$this->fields['password']] = null;
 }
+
+ $this->Session->setFlash($this->loginError, 'default', array(), 'auth');
+ $controller->data[$this->userModel][$this->fields['password']] = null;
 return false;
 } else {
 if (!$this->user()) {
@@ -794,7 +800,7 @@ function identify($user = null, $conditions = null) {
 if (empty($data) || empty($data[$this->userModel])) {
 return null;
 }
- } elseif (!empty($user)) {
+ } elseif (!empty($user) && is_string($user)) {
 $model =& $this->getModel();
 $data = $model->find(array_merge(array($model->escapeField() => $user), $conditions));
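Review bot: The new `$isValid` guard in `startup()` relies on `!empty()`, which is true for any non-empty value including arrays and false for the string "0", so a request that posts the username or password field as an array still reaches `$this->login($data)` with a non-string value, while a legitimate credential of "0" is treated as missing. The `is_string($user)` check added in the `identify()` hunk only covers the scalar `$user` path, so the array-shaped `$data` built here does not benefit from it. I would tighten the guard to `$isValid = !empty($controller->data[$this->userModel][$this->fields['username']]) && is_string($controller->data[$this->userModel][$this->fields['username']]) &&` / `!empty($controller->data[$this->userModel][$this->fields['password']]) && is_string($controller->data[$this->userModel][$this->fields['password']]);`, or use `isset()` plus `is_string()` if "0" must remain a valid credential. `startup()` begins and ends outside this hunk.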
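Review bot: The `is_string($user)` condition added to the `elseif` in `identify()` changes what happens to a non-empty, non-string `$user`: it now skips the `escapeField()` lookup and falls through to whatever branch follows. If any caller passes an integer primary key here (the `$model->escapeField() => $user` condition suggests that may have been intended), that lookup presumably no longer happens — worth confirming against callers, and if ints are legitimate, widening the guard to `} elseif (!empty($user) && (is_string($user) || is_int($user))) {`. A one-line comment stating the intent would also help, e.g. `// only a scalar identifier may become a find condition`. `identify()`'s body continues outside the hunk.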
diff --git a/cake/tests/cases/libs/controller/components/auth.test.php b/cake/tests/cases/libs/controller/components/auth.test.php
index 011a466cd0b..54c38bce365 100644
--- a/cake/tests/cases/libs/controller/components/auth.test.php
+++ b/cake/tests/cases/libs/controller/components/auth.test.php
@@ -822,7 +822,6 @@ function testEmptyUsernameOrPassword() {
 */
 function testInjection() {
 $this->AuthUser =& new AuthUser();
- Configure::write('debug', 1);
 $this->AuthUser->id = 2;
 $this->AuthUser->saveField('password', Security::hash(Configure::read('Security.salt') . 'cake'));
@@ -856,6 +855,20 @@ function testInjection() {
 $this->Controller->Auth->startup($this->Controller);
 $this->assertTrue(is_null($this->Controller->Auth->user()));
+
+ unset($this->Controller->data['AuthUser']['password']);
+ $this->Controller->data['AuthUser']['username'] = "1'1";
+ $this->Controller->Auth->initialize($this->Controller);
+
+ $this->Controller->Auth->startup($this->Controller);
+ $this->assertTrue(is_null($this->Controller->Auth->user()));
+
+ unset($this->Controller->data['AuthUser']['username']);
+ $this->Controller->data['AuthUser']['password'] = "1'1";
+ $this->Controller->Auth->initialize($this->Controller);
+
+ $this->Controller->Auth->startup($this->Controller);
+ $this->assertTrue(is_null($this->Controller->Auth->user()));
 }
 /**
 * test Hashing of passwords
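Review bot: The two cases added at the end of `testInjection()` only assert that `user()` is null afterwards and discard the value `startup()` returns, so a regression in which `startup()` returns true without establishing a session user would still pass. Since the new `startup()` code returns false whenever a username or password is missing, I would assert that directly: `$this->assertFalse($this->Controller->Auth->startup($this->Controller));` in place of each bare `startup()` call. These cases exercise a missing username or a missing password rather than an injection payload, so they would arguably sit better in `testEmptyUsernameOrPassword()`, which the hunk header shows precedes this test. `testInjection()` begins outside this hunk.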