From dfe77997960f69a82161bce7e97c7984a86da57f Mon Sep 17 00:00:00 2001 From: librasoft Date: Tue, 9 Sep 2014 15:50:23 +0200 Subject: [PATCH] Make use of Security::salt() instead of Configure::read('Security.salt'); --- src/Controller/Component/CookieComponent.php | 2 +- src/Controller/Component/SecurityComponent.php | 2 +- src/Error/Debugger.php | 3 ++- src/View/Helper/FormHelper.php | 2 +- tests/TestCase/Auth/FormAuthenticateTest.php | 2 +- tests/TestCase/Auth/WeakPasswordHasherTest.php | 3 ++- .../Controller/Component/AuthComponentTest.php | 2 +- .../Controller/Component/SecurityComponentTest.php | 10 +++++----- tests/TestCase/View/Helper/FormHelperTest.php | 6 +++--- 9 files changed, 17 insertions(+), 15 deletions(-) mode change 100755 => 100644 tests/TestCase/View/Helper/FormHelperTest.php diff --git a/src/Controller/Component/CookieComponent.php b/src/Controller/Component/CookieComponent.php index bb9ac5da1e9..35284f859d6 100644 --- a/src/Controller/Component/CookieComponent.php +++ b/src/Controller/Component/CookieComponent.php @@ -130,7 +130,7 @@ public function __construct(ComponentRegistry $collection, array $config = array parent::__construct($collection, $config); if (!$this->_config['key']) { - $this->config('key', Configure::read('Security.salt')); + $this->config('key', Security::salt()); } $controller = $collection->getController(); diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php index ed7bdca0b36..b24986fed18 100644 --- a/src/Controller/Component/SecurityComponent.php +++ b/src/Controller/Component/SecurityComponent.php @@ -345,7 +345,7 @@ protected function _validatePost(Controller $controller) { $controller->request->here(), serialize($fieldList), $unlocked, - Configure::read('Security.salt') + Security::salt() ); $check = Security::hash(implode('', $hashParts), 'sha1'); return ($token === $check); 
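Review bot: The fallback on the added line makes the application-wide salt double as the cookie encryption key, so the same secret that SecurityComponent::_validatePost and FormHelper::secure feed into form-tamper tokens elsewhere in this patch is also the key protecting cookie contents. Reusing one secret for two purposes means a weakness or disclosure in either mechanism affects the other; a purpose-specific derivation (an HMAC of the salt with a fixed label, for instance) would separate them, though that would invalidate cookies issued under the current key and would need a migration plan. At minimum the coupling should be visible at the call site, e.g. `// No explicit key configured: fall back to the app-wide Security salt (also used for form-token hashing).`. The constructor continues outside the hunk.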
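Review bot: `return ($token === $check);` at the end of the hunk is a plain string equality that stops at the first differing byte, so its running time leaks how long a prefix of the submitted token matches the expected SHA-1; a constant-time comparison is the usual fix for a tamper token: `return is_string($token) && hash_equals($check, $token);`. `hash_equals()` needs PHP 5.6, so if the framework's minimum version is lower a small constant-time compare helper on `Security` would serve the same purpose. `_validatePost` begins outside the hunk, so how `$token` is read from the request, and whether it is already guaranteed to be a string, cannot be confirmed here.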
diff --git a/src/Error/Debugger.php b/src/Error/Debugger.php index 227cfb5a173..b5f68f4c7da 100644 --- a/src/Error/Debugger.php +++ b/src/Error/Debugger.php @@ -17,6 +17,7 @@ use Cake\Core\Configure; use Cake\Log\Log; use Cake\Utility\Hash; +use Cake\Utility\Security; use Cake\Utility\String; use Exception; use InvalidArgumentException; @@ -838,7 +839,7 @@ public static function getType($var) { * @return void */ public static function checkSecurityKeys() { - if (Configure::read('Security.salt') === '__SALT__') { + if (Security::salt() === '__SALT__') { trigger_error(sprintf('Please change the value of %s in %s to a salt value specific to your application.', '\'Security.salt\'', 'ROOT/config/app.php'), E_USER_NOTICE); } } diff --git a/src/View/Helper/FormHelper.php b/src/View/Helper/FormHelper.php index f757a8913fd..89841dde121 100644 --- a/src/View/Helper/FormHelper.php +++ b/src/View/Helper/FormHelper.php @@ -497,7 +497,7 @@ public function secure(array $fields = array(), array $secureAttributes = array( $this->_lastAction, serialize($fields), $unlocked, - Configure::read('Security.salt') + Security::salt() ); $fields = Security::hash(implode('', $hashParts), 'sha1'); diff --git a/tests/TestCase/Auth/FormAuthenticateTest.php b/tests/TestCase/Auth/FormAuthenticateTest.php index 6bd16bcc620..adf285e7296 100644 --- a/tests/TestCase/Auth/FormAuthenticateTest.php +++ b/tests/TestCase/Auth/FormAuthenticateTest.php @@ -232,7 +232,7 @@ public function testPluginModel() { $PluginModel = TableRegistry::get('TestPlugin.AuthUsers'); $user['id'] = 1; $user['username'] = 'gwoo'; - $user['password'] = password_hash(Configure::read('Security.salt') . 'cake', PASSWORD_BCRYPT); + $user['password'] = password_hash(Security::salt() . 'cake', PASSWORD_BCRYPT); $PluginModel->save(new Entity($user)); $this->auth->config('userModel', 'TestPlugin.AuthUsers'); 
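Review bot: `checkSecurityKeys()` still fires only on the literal placeholder `'__SALT__'`, so an application whose salt is unset or empty passes the check silently and every form token hashed in SecurityComponent/FormHelper is built on a predictable value. I would widen the condition to `$salt = Security::salt();` followed by `if ($salt === '__SALT__' || $salt === '' || $salt === null) {`. What `Security::salt()` returns when nothing has been configured is not visible in this patch, so the empty-value test should be matched against that method's actual behaviour. The notice text still directs the developer to `'Security.salt'` in `config/app.php`, which stays accurate only as long as that config key is what populates `Security::salt()`.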
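Review bot: The token construction on this added line — action, serialized field list, unlocked list and the salt concatenated with `implode('', ...)` and passed to `Security::hash(..., 'sha1')` — is the same four-part scheme that SecurityComponent::_validatePost rebuilds in its own hunk of this patch, and the two copies must stay byte-for-byte in lockstep or validation fails for every secured form. A single helper called from both sides (for example `Security::formToken($action, $fields, $unlocked)`) would remove the duplication and give one place to later move the scheme from a salt suffix to a keyed `hash_hmac()`. `secure()` starts outside the hunk, so the rest of its body is not reviewed here.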
diff --git a/tests/TestCase/Auth/WeakPasswordHasherTest.php b/tests/TestCase/Auth/WeakPasswordHasherTest.php index a83eb725601..06595d96739 100644 --- a/tests/TestCase/Auth/WeakPasswordHasherTest.php +++ b/tests/TestCase/Auth/WeakPasswordHasherTest.php @@ -17,6 +17,7 @@ use Cake\Auth\WeakPasswordHasher; use Cake\Core\Configure; use Cake\TestSuite\TestCase; +use Cake\Utility\Security; /** * Test case for WeakPasswordHasher @@ -32,7 +33,7 @@ class WeakPasswordHasherTest extends TestCase { public function setUp() { parent::setUp(); - Configure::write('Security.salt', 'YJfIxfs2guVoUubWDYhG93b0qyJfIxfs2guwvniR2G0FgaC9mi'); + Security::salt('YJfIxfs2guVoUubWDYhG93b0qyJfIxfs2guwvniR2G0FgaC9mi'); } /** diff --git a/tests/TestCase/Controller/Component/AuthComponentTest.php b/tests/TestCase/Controller/Component/AuthComponentTest.php index 0004364d378..40db7ef7542 100644 --- a/tests/TestCase/Controller/Component/AuthComponentTest.php +++ b/tests/TestCase/Controller/Component/AuthComponentTest.php @@ -61,7 +61,7 @@ class AuthComponentTest extends TestCase { public function setUp() { parent::setUp(); - Configure::write('Security.salt', 'YJfIxfs2guVoUubWDYhG93b0qyJfIxfs2guwvniR2G0FgaC9mi'); + Security::salt('YJfIxfs2guVoUubWDYhG93b0qyJfIxfs2guwvniR2G0FgaC9mi'); Configure::write('App.namespace', 'TestApp'); Router::scope('/', function($routes) { diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php index 15b3658f1cc..6ab6384bbe9 100644 --- a/tests/TestCase/Controller/Component/SecurityComponentTest.php +++ b/tests/TestCase/Controller/Component/SecurityComponentTest.php @@ -146,7 +146,7 @@ public function setUp() { $this->Controller->Security->config('blackHoleCallback', 'fail'); $this->Security = $this->Controller->Security; $this->Security->session = $session; - Configure::write('Security.salt', 'foo!'); + Security::salt('foo!'); } /** 
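Review bot: `Security::salt('YJfIx…')` in `setUp()` writes a process-wide static that nothing in this hunk restores, whereas the replaced `Configure::write('Security.salt', …)` was presumably undone by the base TestCase's Configure teardown. The AuthComponentTest and SecurityComponentTest `setUp()` hunks on this line do the same (the latter installs `'foo!'`), so whichever test class ran last leaves its salt behind for later tests in the same PHPUnit process and the salt a test observes depends on execution order. Each of these classes should save and restore the value, e.g. `$this->_salt = Security::salt();` before the assignment in `setUp()` and `Security::salt($this->_salt);` in `tearDown()`.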
@@ -659,7 +659,7 @@ public function testValidatePostDisabledFieldsInData() { $this->Controller->Security->startup($event); $unlocked = 'Model.username'; $fields = array('Model.hidden', 'Model.password'); - $fields = urlencode(Security::hash('/articles/index' . serialize($fields) . $unlocked . Configure::read('Security.salt'))); + $fields = urlencode(Security::hash('/articles/index' . serialize($fields) . $unlocked . Security::salt())); $this->Controller->request->data = array( 'Model' => array( @@ -683,7 +683,7 @@ public function testValidatePostFailNoDisabled() { $event = new Event('Controller.startup', $this->Controller); $this->Controller->Security->startup($event); $fields = array('Model.hidden', 'Model.password', 'Model.username'); - $fields = urlencode(Security::hash(serialize($fields) . Configure::read('Security.salt'))); + $fields = urlencode(Security::hash(serialize($fields) . Security::salt())); $this->Controller->request->data = array( 'Model' => array( @@ -708,7 +708,7 @@ public function testValidatePostFailDisabledFieldTampering() { $this->Controller->Security->startup($event); $unlocked = 'Model.username'; $fields = array('Model.hidden', 'Model.password'); - $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'))); + $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::salt())); // Tamper the values. $unlocked = 'Model.username|Model.password'; @@ -829,7 +829,7 @@ public function testValidateNestedNumericSets() { $this->Controller->Security->startup($event); $unlocked = ''; $hashFields = array('TaxonomyData'); - $fields = urlencode(Security::hash('/articles/index' . serialize($hashFields) . $unlocked . Configure::read('Security.salt'))); + $fields = urlencode(Security::hash('/articles/index' . serialize($hashFields) . $unlocked . Security::salt())); $this->Controller->request->data = array( 'TaxonomyData' => array( 
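Review bot: All four hunks compute the expected token with the configured salt, and only `testValidatePostFailDisabledFieldTampering` exercises a negative path, by altering `$unlocked` after hashing; none of the visible hunks asserts that a token built with a different salt is rejected, which is the property this refactor most directly touches. A companion case computing `urlencode(Security::hash(serialize($fields) . $unlocked . 'some-other-salt'))` and expecting validation to fail would pin that down. The rest of the test file is outside this patch, so such a case may already exist.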
diff --git a/tests/TestCase/View/Helper/FormHelperTest.php b/tests/TestCase/View/Helper/FormHelperTest.php old mode 100755 new mode 100644 index bad51ece70c..4ef5feb0a22 --- a/tests/TestCase/View/Helper/FormHelperTest.php +++ b/tests/TestCase/View/Helper/FormHelperTest.php @@ -174,7 +174,7 @@ public function setUp() { ] ]; - Configure::write('Security.salt', 'foo!'); + Security::salt('foo!'); Router::connect('/:controller', array('action' => 'index')); Router::connect('/:controller/:action/*'); } @@ -837,7 +837,7 @@ public function testFormSecurityFields() { $this->Form->request->params['_Token'] = 'testKey'; $result = $this->Form->secure($fields); - $hash = Security::hash(serialize($fields) . Configure::read('Security.salt')); + $hash = Security::hash(serialize($fields) . Security::salt()); $hash .= ':' . 'Model.valid'; $hash = urlencode($hash); @@ -5539,7 +5539,7 @@ public function testPostLinkSecurityHash() { '/posts/delete/1' . serialize(array()) . '' . - Configure::read('Security.salt') + Security::salt() ); $hash .= '%3A'; $this->Form->request->params['_Token']['key'] = 'test';