
Commit fc30405

committed
Removing Session deletion of nonce token on blackhole. Fixes possible CSRF risk from multiple submissions of the same invalid data. Refs #214
1 parent c195d65 commit fc30405


2 files changed

+17
-5
lines changed

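--- a/cake/libs/controller/components/security.php
+++ b/cake/libs/controller/components/security.php
@@ -381,8 +381,6 @@ function generateDigestResponseHash($data) {
 * @see SecurityComponent::$blackHoleCallback
 */
 function blackHole(&$controller, $error = '') {
-$this->Session->del('_Token');
-
 if ($this->blackHoleCallback == null) {
 $code = 404;
 if ($error == 'login') {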
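--- a/cake/tests/cases/libs/controller/components/security.test.php
+++ b/cake/tests/cases/libs/controller/components/security.test.php
@@ -237,16 +237,16 @@ function testRequireAuthFail() {
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
 
-$this->Controller->Session->write('_Token', array('allowedControllers' => array()));
+$this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->action = 'posted';
 $this->Controller->Security->requireAuth('posted');
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
 
-$this->Controller->Session->write('_Token', array(
+$this->Controller->Session->write('_Token', serialize(array(
 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
-));
+)));
 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->action = 'posted';
 $this->Controller->Security->requireAuth('posted');
@@ -1145,5 +1145,19 @@ function testSettingTokenForRequestAction() {
 $this->Controller->Security->startup($this->Controller);
 $this->assertEqual($this->Controller->params['_Token']['key'], $key);
 }
+
+/**
+* test that blackhole doesn't delete the _Token session key so repeat data submissions
+* stay blackholed.
+*
+* @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
+* @return void
+*/
+function testBlackHoleNotDeletingSessionInformation() {
+$this->Controller->Security->startup($this->Controller);
+
+$this->Controller->Security->blackHole($this->Controller, 'auth');
+$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
+}
 }
 ?>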
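Review bot: testBlackHoleNotDeletingSessionInformation never establishes that `_Token` was present before `blackHole()` ran, so a failure of the final `check('_Token')` cannot be told apart from `startup()` simply not having written the key; assert the precondition right after the startup call, `$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token not set by startup');`. The test also relies on `blackHole()` returning to the caller for `$error = 'auth'` rather than ending the request, which presumably depends on the test controller's blackHoleCallback being configured in setUp outside this hunk — worth confirming. In testRequireAuthFail the fixture now writes a serialized array into `_Token`; whether the component unserializes on read is not visible in this diff, so the first hunk is consistent only under that assumption.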
