Fix: Blackholed request when POSTing to a URL with space

Eg:

Actual Posted URL:
    /admin/settings/settings/prefix/Access%20Control
$_GET value:
    /admin/settings/settings/prefix/Access_Control

Since $unsetUrl differs, the $_GET value will get copied into
CakeRequest::$query, causing CakeRequest::here() to return:

    /admin/settings/settings/prefix/Access%20Control?%2Fadmin%2Fsettings%2Fsettings%2Fprefix%2FAccess_Control=

This confuses SecurityComponent in the following line:

    https://github.com/cakephp/cakephp/blob/f23d811ff59c50ef278e98bb75f4ec1e7e54a5b3/lib/Cake/Controller/Component/SecurityComponent.php#L514
rchavik committed Jul 24, 2014
1 parent d0a22ad commit aad89444d19a5e74b3a7043a3edf49273175c7eb
Showing with 15 additions and 1 deletion.
  1. +1 −1 lib/Cake/Network/CakeRequest.php
  2. +14 −0 lib/Cake/Test/Case/Network/CakeRequestTest.php
@@ -207,7 +207,7 @@ protected function _processGet() {
$query = $_GET;
}
$unsetUrl = '/' . str_replace('.', '_', urldecode($this->url));
$unsetUrl = '/' . str_replace(array('.', ' '), '_', urldecode($this->url));
unset($query[$unsetUrl]);
unset($query[$this->base . $unsetUrl]);
if (strpos($this->url, '?') !== false) {
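Review bot: The character list on the changed `$unsetUrl` line, `array('.', ' ')`, is a hand-maintained literal with no comment saying what it mirrors. The commit message shows that the key in `$_GET` arrives with the space already turned into an underscore, so the line is reproducing that rewriting in order to find the key; please add a one-line comment above it saying so. Because the two `unset()` calls that follow are silent no-ops when the key does not match, any other character that differs between the decoded URL and the `$_GET` key would leave the stale entry in `$query` again and reproduce the blackholed POST described in the commit message, so it is worth stating where the list comes from and that it has to stay in step with it.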
@@ -2144,6 +2144,20 @@ public function testHere() {
$this->assertEquals('/posts/base_path/1/name:value?test=value', $result);
}
/**
* Test the here() with space in URL
*
* @return void
*/
public function testHereWithSpaceInUrl() {
Configure::write('App.base', '');
$_GET = array('/admin/settings/settings/prefix/Access_Control' => '');
$request = new CakeRequest('/admin/settings/settings/prefix/Access%20Control');
$result = $request->here();
$this->assertEquals('/admin/settings/settings/prefix/Access%20Control', $result);
}
/**
* Test the input() method.
*
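Review bot: `testHereWithSpaceInUrl()` asserts only on the return value of `here()`, which is the symptom; the commit message places the cause in the URL key being copied into `CakeRequest::$query`. Add an assertion that `$request->query` is an empty array so the test pins the cause directly and still fails if `here()` is later changed to build its query string differently. The test also runs only with `App.base` set to `''`, so the second `unset($query[$this->base . $unsetUrl])` in `_processGet()` is never exercised with a space in the URL; a second case with a non-empty base would cover it. Finally, the test overwrites `$_GET` and `App.base` and nothing in this hunk shows them being restored, so confirm that the test case's setup or teardown resets both.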
