
Fixing limit:0 and controller::paginate. Removes possibility to genera…

…te sql errors by inputting invalid limit options. Tests updated. Refs #264
1 parent 0327f15 commit 4bbfcbff7e90fab42bef39e01003113dc715a3b0 @markstory markstory committed Nov 6, 2009
Showing with 15 additions and 5 deletions.
  1. +3 −2 cake/libs/controller/controller.php
  2. +12 −3 cake/tests/cases/libs/controller/controller.test.php
@@ -1044,8 +1044,9 @@ function paginate($object = null, $scope = array(), $whitelist = array()) {
$type = $defaults[0];
unset($defaults[0]);
}
-
- extract($options = array_merge(array('page' => 1, 'limit' => 20), $defaults, $options));
+ $options = array_merge(array('page' => 1, 'limit' => 20), $defaults, $options);
+ $options['limit'] = (empty($options['limit']) || !is_numeric($options['limit'])) ? 1 : $options['limit'];
+ extract($options);
if (is_array($scope) && !empty($scope)) {
$conditions = array_merge($conditions, $scope);
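Review bot: The new guard on `$options['limit']` still passes anything `is_numeric()` accepts — negative, fractional and exponent strings such as `'-1'`, `'1.5'` or `'1e3'` — so those values still reach the LIMIT clause unchanged, which is the class of invalid option the commit sets out to reject. Normalising to a positive integer handles the empty, garbage and out-of-range cases in one step: `$options['limit'] = max(1, (int)$options['limit']);`. Whether downstream code expects a numeric string rather than an int in `$options['limit']` is not visible here, so confirm that before changing the type. paginate() begins and continues outside this hunk.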
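--- a/cake/tests/cases/libs/controller/controller.test.php
+++ b/cake/tests/cases/libs/controller/controller.test.php
@@ -511,13 +511,22 @@ function testPaginate() {
 $Controller->paginate('ControllerPost');
 $this->assertIdentical($Controller->params['paging']['ControllerPost']['page'], 1, 'XSS exploit opened %s');
 $this->assertIdentical($Controller->params['paging']['ControllerPost']['options']['page'], 1, 'XSS exploit opened %s');
-
+
+ $Controller->passedArgs = array();
 $Controller->paginate = array('limit' => 0);
 $Controller->paginate('ControllerPost');
 $this->assertIdentical($Controller->params['paging']['ControllerPost']['page'], 1);
- $this->assertIdentical($Controller->params['paging']['ControllerPost']['pageCount'], 1);
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['pageCount'], 3);
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['prevPage'], false);
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['nextPage'], true);
+
+ $Controller->passedArgs = array();
+ $Controller->paginate = array('limit' => 'garbage!');
+ $Controller->paginate('ControllerPost');
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['page'], 1);
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['pageCount'], 3);
 $this->assertIdentical($Controller->params['paging']['ControllerPost']['prevPage'], false);
- $this->assertIdentical($Controller->params['paging']['ControllerPost']['nextPage'], false);
+ $this->assertIdentical($Controller->params['paging']['ControllerPost']['nextPage'], true);
 }
 /**
 * testPaginateExtraParams method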
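Review bot: The added cases cover `0` and a non-numeric string but not the numeric forms `is_numeric()` still admits, such as a negative or fractional limit; a third case, `$Controller->paginate = array('limit' => -1);` followed by the same page/pageCount/prevPage/nextPage assertions, would pin the intended behaviour for those inputs too. The expected `pageCount` of 3 presumably comes from the number of fixture rows, which is not visible in this hunk — a short comment naming that dependency would save the next reader a lookup. testPaginate() starts before this hunk.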
