convert numeric to string on hash creation in FormHelper::secure()
The security hash may contain serialized form data values. Form values in the
request are sent as strings. For the security check to pass, numeric values
must be converted to strings on form creation. Otherwise the serialized
output differs and the security check on the incoming request fails.
Schlaefer committed Jun 22, 2015
1 parent 1422d39 commit 79bee59
Showing 2 changed files with 11 additions and 3 deletions.
3 changes: 3 additions & 0 deletions src/View/Helper/FormHelper.php
Expand Up @@ -558,6 +558,9 @@ public function secure(array $fields = [], array $secureAttributes = [])

foreach ($fields as $key => $value) {
if (!is_int($key)) {
if (is_numeric($value)) {
$value = (string)$value;
}
$locked[$key] = $value;
unset($fields[$key]);
}
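Review bot: The `is_numeric` branch added inside the `!is_int($key)` check normalises ints, but for floats `(string)` yields whatever the `precision` ini setting produces and, on PHP versions before 8.0, uses the active locale's decimal separator, so a float form value can still serialize differently from the string the browser posts back; if floats are expected here, formatting them explicitly before hashing is safer than the bare cast. Values that `is_numeric` rejects, such as booleans or an array of numerics, keep their native serialized form, so a `true` rendered as `"1"` in a hidden input would presumably still mismatch — worth confirming against how postLink() renders its hidden fields. The intent deserves a why-comment on the new branch, e.g. `// Request data arrives as strings; cast so serialize() here matches the value seen on submit.` secure() begins and ends outside this hunk.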
11 changes: 8 additions & 3 deletions tests/TestCase/View/Helper/FormHelperTest.php
Expand Up @@ -6443,20 +6443,25 @@ public function testPostLinkSecurityHash()
{
$hash = Security::hash(
'/posts/delete/1' .
serialize([]) .
serialize(['id' => '1']) .
'' .
Security::salt()
);
$hash .= '%3A';
$hash .= '%3Aid';
$this->Form->request->params['_Token']['key'] = 'test';

$result = $this->Form->postLink('Delete', '/posts/delete/1');
$result = $this->Form->postLink(
'Delete',
'/posts/delete/1',
['data' => ['id' => 1]]
);
$expected = [
'form' => [
'method' => 'post', 'action' => '/posts/delete/1',
'name', 'style' => 'display:none;'
],
['input' => ['type' => 'hidden', 'name' => '_method', 'value' => 'POST']],
['input' => ['type' => 'hidden', 'name' => 'id', 'value' => '1']],
'div' => ['style' => 'display:none;'],
['input' => ['type' => 'hidden', 'name' => '_Token[fields]', 'value' => $hash]],
['input' => ['type' => 'hidden', 'name' => '_Token[unlocked]', 'value' => '']],
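Review bot: Replacing the bare `postLink('Delete', '/posts/delete/1')` call with one that passes `['data' => ['id' => 1]]` drops the previously covered no-data case, so the hash for a link without locked fields is no longer asserted in this method as far as the hunk shows. Keeping the original assertion and adding the integer-id case as a second test method or data-provider entry would cover both paths. A further case with a float, e.g. `['data' => ['price' => 1.5]]` expected to hash as `serialize(['price' => '1.5'])`, would pin the float behaviour of the new cast, which this test leaves unexercised. The method body continues beyond the hunk.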
