
Blackhole requests when the action is the blackhole callback.

When a request names the blackhole callback as its action, that request should itself be black-holed: the blackhole callback must not be URL-accessible.

Fixes #3496
1 parent 2ba117e commit 1117ad2f1ce7482bc7d1c19ee5055c5ee63567c9 @markstory markstory committed Dec 29, 2012
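--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -218,6 +218,10 @@ public function startup(Controller $controller) {
 $controller->request->params['requested'] != 1
 );
+ if ($this->_action == $this->blackHoleCallback) {
+ return $this->blackhole($controller, 'auth');
+ }
+
 if ($isPost && $isNotRequestAction && $this->validatePost) {
 if ($this->_validatePost($controller) === false) {
 return $this->blackHole($controller, 'auth');
@@ -309,11 +313,10 @@ public function requireAuth() {
 * @throws BadRequestException
 */
 public function blackHole(Controller $controller, $error = '') {
- if ($this->blackHoleCallback == null) {
+ if (!$this->blackHoleCallback) {
 throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
- } else {
- return $this->_callback($controller, $this->blackHoleCallback, array($error));
 }
+ return $this->_callback($controller, $this->blackHoleCallback, array($error));
 }
 /**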
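Review bot: The new guard at the top of the first hunk, `if ($this->_action == $this->blackHoleCallback)`, compares the requested action with a loose, case-sensitive `==`, while PHP method names are case-insensitive; if `_action` is the raw action string from the request (it is assigned outside this hunk) and the dispatcher resolves methods the way PHP does, a request for `/posts/FAIL` would still reach a `fail()` callback without being black-holed. I would compare case-insensitively and skip the check when no callback is configured, so that `'' == null` cannot match by accident: `if ($this->blackHoleCallback && strcasecmp($this->_action, $this->blackHoleCallback) === 0) {` / `return $this->blackHole($controller, 'auth');` / `}`. The added call is also spelled `blackhole` while the method and the call three lines below are `blackHole`; it works only because PHP method lookup ignores case, and the inconsistent spelling reads like a typo. startup() begins before this hunk and continues past it.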
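--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -195,6 +195,22 @@ public function testBlackholeWithBrokenCallback() {
 }
 /**
+ * Ensure that directly requesting the blackholeCallback as the controller
+ * action results in an exception.
+ *
+ * @return void
+ */
+ public function testExceptionWhenActionIsBlackholeCallback() {
+ $this->Controller->request->addParams(array(
+ 'controller' => 'posts',
+ 'action' => 'fail'
+ ));
+ $this->assertFalse($this->Controller->failed);
+ $this->Controller->Security->startup($this->Controller);
+ $this->assertTrue($this->Controller->failed, 'Request was blackholed.');
+ }
+
+/**
 * test that initialize can set properties.
 *
 * @return void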
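Review bot: The docblock and the method name promise an exception (`results in an exception`, `testExceptionWhenActionIsBlackholeCallback`), but the test asserts `$this->Controller->failed`, i.e. that the configured callback ran; no exception is expected or caught. I would reword the docblock to `Ensure that directly requesting the blackHoleCallback as the controller action is itself black-holed (the configured callback runs).` and rename the test to match, e.g. `testRequestingBlackholeCallbackIsBlackholed`. The test also relies on `fail` being the callback configured by the fixture outside this hunk and exercises a single spelling; if the dispatcher resolves action names case-insensitively, a second case with `'action' => 'FAIL'` would catch the bypass that the case-sensitive comparison in startup() appears to leave open. The assertion message `'Request was blackholed.'` is printed only when the assertion fails, so it states the opposite of what went wrong; `'Request should have been blackholed.'` reads correctly.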
