From 79bee59cc8b156ac9fb15675032ba2666053cdae Mon Sep 17 00:00:00 2001
From: Schlaefer
Date: Mon, 22 Jun 2015 14:05:00 +0200
Subject: [PATCH] convert numeric to string on hash creation in FormHelper::secure()

Security hash may contain serialized form data values. Form values in request are send as strings. For security check to pass numeric values must be converted to string on form creation. Otherwise the serialized- output differs and the security-check on the incoming request fails.
---
 src/View/Helper/FormHelper.php | 3 +++
 tests/TestCase/View/Helper/FormHelperTest.php | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/View/Helper/FormHelper.php b/src/View/Helper/FormHelper.php
index daddb08e047..65c92340dce 100644
--- a/src/View/Helper/FormHelper.php
+++ b/src/View/Helper/FormHelper.php
@@ -558,6 +558,9 @@ public function secure(array $fields = [], array $secureAttributes = [])
 foreach ($fields as $key => $value) {
 if (!is_int($key)) {
+ if (is_numeric($value)) {
+ $value = (string)$value;
+ }
 $locked[$key] = $value;
 unset($fields[$key]);
 }
diff --git a/tests/TestCase/View/Helper/FormHelperTest.php b/tests/TestCase/View/Helper/FormHelperTest.php
index 01599d8fbde..8a9ea20775e 100644
--- a/tests/TestCase/View/Helper/FormHelperTest.php
+++ b/tests/TestCase/View/Helper/FormHelperTest.php
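Review bot: The new is_numeric() guard in secure() only normalises scalars that look numeric, so a locked value that is a bool (serialized as `b:1;`) or an array containing numeric elements still serializes differently from the string form the request sends back, and by the commit's own reasoning the hash check would then fail for those inputs. Whether such values can reach $locked depends on callers outside this hunk, so treat this as something to confirm rather than a definite defect; if they can, the cast should recurse into arrays and handle bools the same way the hidden input renders them. For floats, note that a `(string)` cast was locale-dependent on PHP versions before 8.0, so under a non-C locale the hashed text can differ from the attribute the browser sends back. The cast also deserves a why-comment since it reads as a no-op at first glance, e.g. `// Request values always arrive as strings; cast now so the serialized hash matches on the way back in.` secure() begins and ends outside the hunk.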
@@ -6443,20 +6443,25 @@ public function testPostLinkSecurityHash()
 {
 $hash = Security::hash(
 '/posts/delete/1' .
- serialize([]) .
+ serialize(['id' => '1']) .
 '' .
 Security::salt()
 );
- $hash .= '%3A';
+ $hash .= '%3Aid';
 $this->Form->request->params['_Token']['key'] = 'test';
- $result = $this->Form->postLink('Delete', '/posts/delete/1');
+ $result = $this->Form->postLink(
+ 'Delete',
+ '/posts/delete/1',
+ ['data' => ['id' => 1]]
+ );
 $expected = [
 'form' => [
 'method' => 'post', 'action' => '/posts/delete/1', 'name', 'style' => 'display:none;'
 ],
 ['input' => ['type' => 'hidden', 'name' => '_method', 'value' => 'POST']],
+ ['input' => ['type' => 'hidden', 'name' => 'id', 'value' => '1']],
 'div' => ['style' => 'display:none;'],
 ['input' => ['type' => 'hidden', 'name' => '_Token[fields]', 'value' => $hash]],
 ['input' => ['type' => 'hidden', 'name' => '_Token[unlocked]', 'value' => '']],