
The _lastAction property should not double include the base path.

FormHelper should not run URLs through Router twice when determining
the form's lastAction attribute. However, because we're using the helper
method (see #9414) we do need to HTML decode the URL before using it in
form token generation.

Refs #9455
markstory committed Sep 14, 2016
1 parent 925a45b commit 4f70bdb3b8ccab3d0194c6ff9d71cfe251ae8003
Showing with 11 additions and 4 deletions.
  1. +9 −2 lib/Cake/Test/Case/View/Helper/FormHelperTest.php
  2. +2 −2 lib/Cake/View/Helper/FormHelper.php
@@ -539,6 +539,7 @@ public function setUp() {
$this->Form->request['action'] = 'add';
$this->Form->request->webroot = '';
$this->Form->request->base = '';
Router::setRequestInfo($this->Form->request);
ClassRegistry::addObject('Contact', new Contact());
ClassRegistry::addObject('ContactNonStandardPk', new ContactNonStandardPk());
@@ -8191,12 +8192,14 @@ public function testPostLinkSecurityHash() {
*/
public function testPostLinkSecurityHashInline() {
$hash = Security::hash(
'/posts/delete/1' .
'/basedir/posts/delete/1' .
serialize(array()) .
'' .
Configure::read('Security.salt')
);
$hash .= '%3A';
$this->Form->request->base = '/basedir';
$this->Form->request->webroot = '/basedir/';
$this->Form->request->params['_Token']['key'] = 'test';
$this->Form->create('Post', array('url' => array('action' => 'add')));
@@ -8206,7 +8209,11 @@ public function testPostLinkSecurityHashInline() {
$this->assertEquals(array('Post.title'), $this->Form->fields);
$this->assertContains($hash, $result, 'Should contain the correct hash.');
$this->assertAttributeEquals('/posts/add', '_lastAction', $this->Form, 'lastAction was should be restored.');
$this->assertAttributeEquals(
'/basedir/posts/add',
'_lastAction',
$this->Form,
'lastAction was should be restored.');
}
/**
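Review bot: Nothing in these test changes exercises the HTML decode that the commit adds to `_lastAction()`; the updated `testPostLinkSecurityHashInline` only covers the `/basedir` prefix. Since `_lastAction` feeds form token generation, a case whose routed URL contains `&` would pin the decoded form, for example (constructed) `$this->Form->create('Post', array('url' => array('action' => 'add', '?' => array('a' => 1, 'b' => 2))));` followed by an `assertAttributeEquals('/basedir/posts/add?a=1&b=2', '_lastAction', $this->Form)`. The assertion message `'lastAction was should be restored.'` also looks like a typo for `'lastAction should be restored.'`.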
@@ -1888,7 +1888,7 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
}
$previousLastAction = $this->_lastAction;
$this->_lastAction($formUrl);
$this->_lastAction($url);
$out = $this->Html->useTag('form', $formUrl, $formOptions);
$out .= $this->Html->useTag('hidden', '_method', array(
@@ -3105,7 +3105,7 @@ protected function _secureFieldName($options) {
* @return void
*/
protected function _lastAction($url) {
$action = Router::url($url, true);
$action = html_entity_decode($this->url($url), ENT_QUOTES);
$query = parse_url($action, PHP_URL_QUERY);
$query = $query ? '?' . $query : '';
$this->_lastAction = parse_url($action, PHP_URL_PATH) . $query;
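Review bot: In `_lastAction()`, `html_entity_decode($this->url($url), ENT_QUOTES)` is broader than the escaping it is meant to undo, and with no charset argument it falls back to PHP's default, which differs between PHP versions. If the helper's `url()` escapes with `htmlspecialchars()` (the commit message implies this, but the helper is not shown here), the exact, charset-independent inverse is `htmlspecialchars_decode($this->url($url), ENT_QUOTES)`. The value ends up in the form token, so the decoded string presumably has to match the URL the request arrives on byte for byte, or validation fails. The docblock would also benefit from a line such as `@param string|array $url The unrouted URL; it is routed here, so do not pass an already-routed URL.` The docblock starts above the hunk and the method's closing lines are below it.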
