
Forbid direct prefix access with mixed casing.

Changing the casing of the action name should not allow prefix method access.
markstory committed Aug 6, 2015
1 parent 01b6374 commit 056f24a77428ad35e23cab6840a72b7c25c4ccc0
Showing with 21 additions and 2 deletions.
  1. +2 −2 lib/Cake/Controller/Controller.php
  2. +19 −0 lib/Cake/Test/Case/Controller/ControllerTest.php
@@ -514,12 +514,12 @@ protected function _isPrivateAction(ReflectionMethod $method, CakeRequest $reque
!$method->isPublic() ||
!in_array($method->name, $this->methods)
);
$prefixes = Router::prefixes();
$prefixes = array_map('strtolower', Router::prefixes());
if (!$privateAction && !empty($prefixes)) {
if (empty($request->params['prefix']) && strpos($request->params['action'], '_') > 0) {
list($prefix) = explode('_', $request->params['action']);
$privateAction = in_array($prefix, $prefixes);
$privateAction = in_array(strtolower($prefix), $prefixes);
}
}
return $privateAction;
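Review bot: The new `in_array(strtolower($prefix), $prefixes)` on the last changed line still relies on loose comparison, and this is the guard that decides whether a prefixed action is reachable from the URL; pass the strict flag, `$privateAction = in_array(strtolower($prefix), $prefixes, true);`, so only an exact case-folded string match marks the action private. The reason for folding both sides should be stated, or the next reader may drop it as redundant: above the `array_map('strtolower', Router::prefixes())` line add `// PHP method names are case-insensitive, so Admin_add dispatches to admin_add; compare prefixes case-folded.` Note that strtolower is byte-wise and was locale-dependent before PHP 8.2, but since both the route prefixes and the extracted prefix are folded the same way the comparison stays consistent. The body of _isPrivateAction begins before this hunk.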
@@ -1447,6 +1447,25 @@ public function testInvokeActionPrefixProtection() {
$Controller->invokeAction($url);
}
/**
* test invoking controller methods.
*
* @expectedException PrivateActionException
* @expectedExceptionMessage Private Action TestController::Admin_add() is not directly accessible.
* @return void
*/
public function testInvokeActionPrefixProtectionCasing() {
Router::reload();
Router::connect('/admin/:controller/:action/*', array('prefix' => 'admin'));
$url = new CakeRequest('test/Admin_add/');
$url->addParams(array('controller' => 'test_controller', 'action' => 'Admin_add'));
$response = $this->getMock('CakeResponse');
$Controller = new TestController($url, $response);
$Controller->invokeAction($url);
}
/**
* test invoking controller methods.
*
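Review bot: The docblock on the new testInvokeActionPrefixProtectionCasing is copied from the preceding test and says only `test invoking controller methods.`, which does not tell a reader what this case guards against. Replace that line with `* test that a prefixed action stays private when the casing of the action name is changed (Admin_add).` so the intent recorded in the commit message survives in the test file. The method itself is complete within the hunk; the context above it is the tail of testInvokeActionPrefixProtection.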
