Removing Session deletion of nonce token on blackhole. Fixes possible…

… CSRF risk from multiple submissions of the same invalid data. Refs #214
cakephp · Jan 26, 2010 · fc30405 · fc30405
1 parent c195d65
commit fc30405
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
@@ -381,8 +381,6 @@ function generateDigestResponseHash($data) {
  * @see SecurityComponent::$blackHoleCallback
  */
 	function blackHole(&$controller, $error = '') {
-		$this->Session->del('_Token');
-
 		if ($this->blackHoleCallback == null) {
 			$code = 404;
 			if ($error == 'login') {

diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
@@ -237,16 +237,16 @@ function testRequireAuthFail() {
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertTrue($this->Controller->failed);
 
-		$this->Controller->Session->write('_Token', array('allowedControllers' => array()));
+		$this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
 		$this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 		$this->Controller->action = 'posted';
 		$this->Controller->Security->requireAuth('posted');
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertTrue($this->Controller->failed);
 
-		$this->Controller->Session->write('_Token', array(
+		$this->Controller->Session->write('_Token', serialize(array(
 			'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
-		));
+		)));
 		$this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
 		$this->Controller->action = 'posted';
 		$this->Controller->Security->requireAuth('posted');
@@ -1145,5 +1145,19 @@ function testSettingTokenForRequestAction() {
 		$this->Controller->Security->startup($this->Controller);
 		$this->assertEqual($this->Controller->params['_Token']['key'], $key);
 	}
+
+/**
+ * test that blackhole doesn't delete the _Token session key so repeat data submissions
+ * stay blackholed.
+ *
+ * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
+ * @return void
+ */
+	function testBlackHoleNotDeletingSessionInformation() {
+		$this->Controller->Security->startup($this->Controller);
+
+		$this->Controller->Security->blackHole($this->Controller, 'auth');
+		$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
+	}
 }
 ?>