Permalink
Browse files

Removing Session deletion of nonce token on blackhole. Fixes possible…

… CSRF risk from multiple submissions of the same invalid data. Refs #214
  • Loading branch information...
markstory committed Jan 26, 2010
1 parent c195d65 commit fc304056a31088069157f2d28ac480c02e4b1d9f
@@ -381,8 +381,6 @@ function generateDigestResponseHash($data) {
* @see SecurityComponent::$blackHoleCallback
*/
function blackHole(&$controller, $error = '') {
- $this->Session->del('_Token');
-
if ($this->blackHoleCallback == null) {
$code = 404;
if ($error == 'login') {
@@ -237,16 +237,16 @@ function testRequireAuthFail() {
$this->Controller->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed);
- $this->Controller->Session->write('_Token', array('allowedControllers' => array()));
+ $this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
$this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
$this->Controller->action = 'posted';
$this->Controller->Security->requireAuth('posted');
$this->Controller->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed);
- $this->Controller->Session->write('_Token', array(
+ $this->Controller->Session->write('_Token', serialize(array(
'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
- ));
+ )));
$this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
$this->Controller->action = 'posted';
$this->Controller->Security->requireAuth('posted');
@@ -1145,5 +1145,19 @@ function testSettingTokenForRequestAction() {
$this->Controller->Security->startup($this->Controller);
$this->assertEqual($this->Controller->params['_Token']['key'], $key);
}
+
+/**
+ * test that blackhole doesn't delete the _Token session key so repeat data submissions
+ * stay blackholed.
+ *
+ * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
+ * @return void
+ */
+ function testBlackHoleNotDeletingSessionInformation() {
+ $this->Controller->Security->startup($this->Controller);
+
+ $this->Controller->Security->blackHole($this->Controller, 'auth');
+ $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
+ }
}
?>

0 comments on commit fc30405

Please sign in to comment.