From dc6b33f80ed9cb290905c281e40af4babf418309 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Thu, 30 Sep 2010 00:26:44 -0400
Subject: [PATCH] Making tokens persist across 'requests'. Removing more serialize/unserialize calls.
---
 cake/libs/controller/components/security.php | 8 ++++--
 .../controller/components/security.test.php | 27 ++++++++++++++-----
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
index 84c010fa669..b1b14bc8f13 100644
--- a/cake/libs/controller/components/security.php
+++ b/cake/libs/controller/components/security.php
@@ -516,7 +516,7 @@ protected function _authRequired(&$controller) {
 }
 if ($this->Session->check('_Token')) {
-$tData = unserialize($this->Session->read('_Token'));
+$tData = $this->Session->read('_Token');
 if (!empty($tData['allowedControllers']) && !in_array($this->request->params['controller'], $tData['allowedControllers']) ||
 !empty($tData['allowedActions']) && !in_array($this->request->params['action'], $tData['allowedActions'])) {
 if (!$this->blackHole($controller, 'auth')) {
@@ -681,7 +681,8 @@ protected function _generateToken(&$controller) {
 'expires' => $expires,
 'allowedControllers' => $this->allowedControllers,
 'allowedActions' => $this->allowedActions,
-'disabledFields' => $this->disabledFields
+'disabledFields' => $this->disabledFields,
+'csrfTokens' => array()
 );
 if ($this->csrfCheck) {
@@ -699,6 +700,9 @@ protected function _generateToken(&$controller) {
 if ($valid) {
 $token['key'] = $tokenData['key'];
 }
+if (!empty($tokenData['csrfTokens'])) {
+$token['csrfTokens'] += $tokenData['csrfTokens'];
+}
 }
 $controller->request->params['_Token'] = $token;
 $this->Session->write('_Token', $token);
diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
index c4220fe8edd..1a0a0386d24 100644
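Review bot: The merge `$token['csrfTokens'] += $tokenData['csrfTokens'];` carries every previously issued nonce forward without discarding the ones whose expiry has already passed, so the session's `_Token` entry gains one entry per request for as long as the session lives (the new test confirms two entries after two startups). Neither this hunk nor the one at @@ -681 prunes them; unless the code between the two hunks does, the stale entries should be filtered as they are copied over, e.g. `foreach ($tokenData['csrfTokens'] as $nonce => $expires) { if ($expires > time()) { $token['csrfTokens'][$nonce] = $expires; } }` in place of the `+=`. The expiry values are unix timestamps, as the test's comparison against `strtotime('+10 minutes')` shows, so the comparison above is enough. `_generateToken` begins before and continues after this hunk.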
--- a/cake/tests/cases/libs/controller/components/security.test.php
+++ b/cake/tests/cases/libs/controller/components/security.test.php
@@ -281,16 +281,16 @@ function testRequireAuthFail() {
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
-$this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
+$this->Controller->Session->write('_Token', array('allowedControllers' => array()));
 $this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->request['action'] = 'posted';
 $this->Controller->Security->requireAuth('posted');
 $this->Controller->Security->startup($this->Controller);
 $this->assertTrue($this->Controller->failed);
-$this->Controller->Session->write('_Token', serialize(array(
+$this->Controller->Session->write('_Token', array(
 'allowedControllers' => array('SecurityTest'),
 'allowedActions' => array('posted2')
-)));
+));
 $this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
 $this->Controller->request['action'] = 'posted';
 $this->Controller->Security->requireAuth('posted');
@@ -311,9 +311,9 @@ function testRequireAuthSucceed() {
 $this->Controller->Security->startup($this->Controller);
 $this->assertFalse($this->Controller->failed);
-$this->Controller->Security->Session->write('_Token', serialize(array(
+$this->Controller->Security->Session->write('_Token', array(
 'allowedControllers' => array('SecurityTest'),
 'allowedActions' => array('posted')
-)));
+));
 $this->Controller->request['controller'] = 'SecurityTest';
 $this->Controller->request['action'] = 'posted';
@@ -1240,10 +1240,23 @@ function testCsrfSettings() {
 $this->Security->csrfCheck = true;
 $this->Security->csrfExpires = '+10 minutes';
 $this->Security->startup($this->Controller);
-
+
 $token = $this->Security->Session->read('_Token');
 $this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
 $this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
-
+}
+
+function testCsrfSettingMultipleNonces() {
+$this->Security->validatePost = false;
+$this->Security->csrfCheck = true;
+$this->Security->csrfExpires = '+10 minutes';
+$this->Security->startup($this->Controller);
+$this->Security->startup($this->Controller);
+
+$token = $this->Security->Session->read('_Token');
+$this->assertEquals(count($token['csrfTokens']), 2, 'Missing the csrf token.');
+foreach ($token['csrfTokens'] as $key => $expires) {
+$this->assertEquals(strtotime('+10 minutes'), $expires, 'Token expiry does not match');
+}
 }
 }
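Review bot: `testCsrfSettingMultipleNonces` only shows that a second `startup()` adds a nonce; it does not pin what happens to a nonce whose expiry has already passed, which is the case the carry-over added to `_generateToken` most needs covered. A companion test that writes `_Token` with a `csrfTokens` entry whose timestamp lies in the past, calls `startup()`, and asserts that key is absent from the re-read token would document the intended behaviour; the `testRequireAuth*` hunks already seed `_Token` through `Session->write`, so the same mechanism applies, assuming `_generateToken` reads the previous token from the session. Two smaller points: `$key` in the `foreach` is unused and the loop can read `foreach ($token['csrfTokens'] as $expires) {`, and `assertEquals(count($token['csrfTokens']), 2, ...)` passes the actual value where the expected one belongs. The enclosing `testCsrfSettings` method starts outside this hunk.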