Disallow controller names with / in them.

Controller names should not be allowed to have / in them. Internally we convert / into \\ which allows arbitrary namespace creation through what should be controlled parameters. While the default routing normally prevents / getting into a controller name, we cannot make the same assumptions with PSR7 middleware.
cakephp · Apr 16, 2016 · 50dcf3b · 50dcf3b
1 parent 389415f
commit 50dcf3b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/src/Http/ControllerFactory.php b/src/Http/ControllerFactory.php
@@ -55,16 +55,19 @@ public function create(Request $request, Response $response)
             }
         }
         $firstChar = substr($controller, 0, 1);
+
+        // Disallow plugin short forms, / and \\ from
+        // controller names as they allow direct references to
+        // be created.
         if (strpos($controller, '\\') !== false ||
+            strpos($controller, '/') !== false ||
             strpos($controller, '.') !== false ||
             $firstChar === strtolower($firstChar)
         ) {
             return $this->missingController($request);
         }
-        $className = false;
-        if ($pluginPath . $controller) {
-            $className = App::classname($pluginPath . $controller, $namespace, 'Controller');
-        }
+
+        $className = App::classname($pluginPath . $controller, $namespace, 'Controller');
         if (!$className) {
             return $this->missingController($request);
         }

diff --git a/tests/TestCase/Http/ControllerFactoryTest.php b/tests/TestCase/Http/ControllerFactoryTest.php
@@ -230,6 +230,23 @@ public function testMissingClassFailure()
         $this->factory->create($request, $this->response);
     }
 
+    /**
+     * @expectedException \Cake\Routing\Exception\MissingControllerException
+     * @expectedExceptionMessage Controller class Admin/Posts could not be found.
+     * @return void
+     */
+    public function testSlashedControllerFailure()
+    {
+        $request = new Request([
+            'url' => 'admin/posts/index',
+            'params' => [
+                'controller' => 'Admin/Posts',
+                'action' => 'index',
+            ]
+        ]);
+        $this->factory->create($request, $this->response);
+    }
+
     /**
      * @expectedException \Cake\Routing\Exception\MissingControllerException
      * @expectedExceptionMessage Controller class TestApp\Controller\CakesController could not be found.