
if blackHoleCallback is set, requests _must_ get blackholed

commit 22373868bb0e58d7a40da6c8b4c346b1d0830f12 1 parent 86a74e3
@rchavik rchavik authored
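--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -590,7 +590,7 @@ protected function _callback(Controller $controller, $method, $params = array())
 if (is_callable(array($controller, $method))) {
 return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
 } else {
- return null;
+ throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
 }
 }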
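Review bot: The new `throw` in the `else` branch fails closed, which is the right direction, but it leaves a misconfigured `blackHoleCallback` indistinguishable from an ordinary blackholed request. The message is the generic 'The request has been black-holed' and `$method` is never reported. The accompanying test shows that a protected controller method is enough to reach this branch, so the mistake is easy to make and hard to diagnose. I would record the cause server-side before throwing, for example `CakeLog::write('error', 'blackHoleCallback ' . $method . ' is not callable');` (assuming the logger is loaded here), and keep the client-facing message generic. The docblock of `_callback` starts outside the hunk; it should gain `@throws BadRequestException When the callback is not callable.`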
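--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -107,6 +107,20 @@ public function header($status) {
 }
+class BrokenCallbackController extends Controller {
+
+ public $name = 'UncallableCallback';
+
+ public $components = array('Session', 'TestSecurity');
+
+ public function index() {
+ }
+
+ protected function _fail() {
+ }
+
+}
+
 /**
 * SecurityComponentTest class
 *
@@ -162,6 +176,25 @@ public function tearDown() {
 }
 /**
+ * Test that requests are still blackholed when controller has incorrect
+ * visibility keyword in the blackhole callback
+ *
+ * @expectedException BadRequestException
+ */
+ public function testBlackholeWithBrokenCallback() {
+ $request = new CakeRequest('posts/index', false);
+ $request->addParams(array(
+ 'controller' => 'posts', 'action' => 'index')
+ );
+ $this->Controller = new BrokenCallbackController($request);
+ $this->Controller->Components->init($this->Controller);
+ $this->Controller->Security = $this->Controller->TestSecurity;
+ $this->Controller->Security->blackHoleCallback = '_fail';
+ $this->Controller->Security->startup($this->Controller);
+ $this->Controller->Security->blackHole($this->Controller, 'csrf');
+ }
+
+/**
 * test that initialize can set properties.
 *
 * @return void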
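Review bot: `@expectedException BadRequestException` on `testBlackholeWithBrokenCallback` is satisfied by a throw from any statement in the body. If `startup()` itself raised the exception, the test would pass without the explicit `blackHole($this->Controller, 'csrf')` call ever running. The test would pin the behaviour more tightly if the `startup()` call were dropped (if setup does not need it) or the expectation were narrowed to the final call with a try/catch around it. The fixture also covers only the protected-method case; a second case whose `blackHoleCallback` names a method that does not exist would cover the other way `is_callable()` can fail. The new docblock also omits the `@return void` that the neighbouring test docblock carries.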