Fixing issue where changing the case for an action in the url would a…

…llow the action in the AuthComponent making it accessible to not-logged in users
cakephp · Nov 28, 2011 · f6534d2 · f6534d2
1 parent 2bffd4c
commit f6534d2
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/lib/Cake/Controller/Component/AuthComponent.php b/lib/Cake/Controller/Component/AuthComponent.php
@@ -268,8 +268,8 @@ public function startup($controller) {
 			return true;
 		}
 
-		$methods = array_flip($controller->methods);
+		$methods = array_flip(array_map('strtolower', $controller->methods));
-		$action = $controller->request->params['action'];
+		$action = strtolower($controller->request->params['action']);
 
 		$isMissingAction = (
 			$controller->scaffold === false &&
@@ -296,7 +296,7 @@ public function startup($controller) {
 		$allowedActions = $this->allowedActions;
 		$isAllowed = (
 			$this->allowedActions == array('*') ||
-			in_array($action, $allowedActions)
+			in_array($action, array_map('strtolower', $allowedActions))
 		);
 
 		if ($loginAction != $url && $isAllowed) {

diff --git a/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php b/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
@@ -671,6 +671,11 @@ public function testDenyWithCamelCaseMethods() {
 		$this->Controller->request->query['url'] = Router::normalize($url);
 
 		$this->assertFalse($this->Controller->Auth->startup($this->Controller));
+
+		$url = '/auth_test/CamelCase';
+		$this->Controller->request->addParams(Router::parse($url));
+		$this->Controller->request->query['url'] = Router::normalize($url);
+		$this->assertFalse($this->Controller->Auth->startup($this->Controller));
 	}
 
 /**