
convert numeric to string on hash creation in FormHelper::secure()

Security hash may contain serialized form data values. Form values in
request are sent as strings. For the security check to pass, numeric values
must be converted to string on form creation. Otherwise the serialized
output differs and the security check on the incoming request fails.
Schlaefer committed Jun 22, 2015
1 parent 1422d39 commit 79bee59cc8b156ac9fb15675032ba2666053cdae
Showing with 11 additions and 3 deletions.
  1. +3 −0 src/View/Helper/FormHelper.php
  2. +8 −3 tests/TestCase/View/Helper/FormHelperTest.php
@@ -558,6 +558,9 @@ public function secure(array $fields = [], array $secureAttributes = [])
foreach ($fields as $key => $value) {
if (!is_int($key)) {
if (is_numeric($value)) {
$value = (string)$value;
}
$locked[$key] = $value;
unset($fields[$key]);
}
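Review bot: the `is_numeric($value)` / `(string)$value` cast at the top of the loop needs an inline comment stating why it exists, since nothing in the code explains that submitted form values always arrive as strings and the serialized hash must match that representation; a one-liner such as `// Request values arrive as strings; cast so serialize() output matches on check` would do. Also worth confirming that the cast covers every scalar that can reach `$locked`: if `$value` can be a bool or an array containing integers, those still serialize differently from the string form sent in the request, so either cover them here too or document that only numeric scalars are expected.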
@@ -6443,20 +6443,25 @@ public function testPostLinkSecurityHash()
{
$hash = Security::hash(
'/posts/delete/1' .
serialize([]) .
serialize(['id' => '1']) .
'' .
Security::salt()
);
$hash .= '%3A';
$hash .= '%3Aid';
$this->Form->request->params['_Token']['key'] = 'test';
$result = $this->Form->postLink('Delete', '/posts/delete/1');
$result = $this->Form->postLink(
'Delete',
'/posts/delete/1',
['data' => ['id' => 1]]
);
$expected = [
'form' => [
'method' => 'post', 'action' => '/posts/delete/1',
'name', 'style' => 'display:none;'
],
['input' => ['type' => 'hidden', 'name' => '_method', 'value' => 'POST']],
['input' => ['type' => 'hidden', 'name' => 'id', 'value' => '1']],
'div' => ['style' => 'display:none;'],
['input' => ['type' => 'hidden', 'name' => '_Token[fields]', 'value' => $hash]],
['input' => ['type' => 'hidden', 'name' => '_Token[unlocked]', 'value' => '']],
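Review bot: the new cast is only exercised indirectly through `postLink()` with `['data' => ['id' => 1]]` (the expected hash is built from `serialize(['id' => '1'])`); add a direct test of `FormHelper::secure()` that passes an integer value, a float such as `1.5`, and a numeric string, asserting that the first two are normalized and the third is unchanged, so a regression in `secure()` is caught without depending on `postLink()`'s markup.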