From 5116f53146c979298e8e011ecb5bdd869a659309 Mon Sep 17 00:00:00 2001
From: MGatner
Date: Thu, 21 Mar 2019 10:22:39 -0400
Subject: [PATCH 1/3] Prevent routable access to initController method
---
 system/Config/Routes.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/system/Config/Routes.php b/system/Config/Routes.php
index 8bf7b765a684..9760aab44c61 100644
--- a/system/Config/Routes.php
+++ b/system/Config/Routes.php
@@ -51,3 +51,9 @@
 // CLI Catchall - uses a _remap to
 $routes->cli('ci(:any)', '\CodeIgniter\CLI\CommandRunner::index/$1');
+
+// Prevent access to initController method
+$routes->add('(:any)/initController', function()
+{
+ throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
+});
From 4bc261e15f6ebe04862b5035557c1810fc4735c0 Mon Sep 17 00:00:00 2001
From: MGatner
Date: Thu, 21 Mar 2019 10:23:45 -0400
Subject: [PATCH 2/3] Make internal methods unroutable via protected
---
 system/Controller.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/system/Controller.php b/system/Controller.php
index e5d03656d64d..57716f764cb0 100644
--- a/system/Controller.php
+++ b/system/Controller.php
@@ -138,7 +138,7 @@ public function initController(RequestInterface $request, ResponseInterface $res
 *
 * @throws \CodeIgniter\HTTP\Exceptions\HTTPException
 */
- public function forceHTTPS(int $duration = 31536000)
+ protected function forceHTTPS(int $duration = 31536000)
 {
 force_https($duration, $this->request, $this->response);
 }
@@ -151,7 +151,7 @@ public function forceHTTPS(int $duration = 31536000)
 *
 * @param integer $time
 */
- public function cachePage(int $time)
+ protected function cachePage(int $time)
 {
 CodeIgniter::cache($time);
 }
@@ -185,7 +185,7 @@ protected function loadHelpers()
 *
 * @return boolean
 */
- public function validate($rules, array $messages = []): bool
+ protected function validate($rules, array $messages = []): bool
 {
 $this->validator = Services::validation();
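Review bot: In the system/Config/Routes.php hunk the guard is a URI pattern, `(:any)/initController`, so it only covers requests whose final segment is spelled exactly that way. PHP resolves method names case-insensitively, and whether the router also rejects other casings or a URI with further segments after `initController` is not visible here, so the check probably belongs where the controller method is resolved: a case-insensitive comparison of the method name against `initController` that throws the same `PageNotFoundException::forPageNotFound()`. The comment would also help more if it stated the reason, e.g. `// initController() is public but must never be reachable from a URI`. No test in this series exercises the new route.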
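Review bot: Narrowing `forceHTTPS()` to `protected` (and likewise `cachePage()` and `validate()` in the two following hunks of system/Controller.php) only holds for classes that do not redeclare the method, because PHP lets a subclass widen an override back to `public`, which would presumably make it routable again. The docblocks are left unchanged, so nothing tells a maintainer that the visibility is a security boundary; I would add a line such as `* Protected on purpose: public controller methods can be reached through auto-routing.` to each of the three. This is also a breaking change for any code that calls these methods from outside the controller, which deserves a changelog entry. The docblocks and the body of `validate()` start or end outside the hunks.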
From a56bfdf80c2d87f4ff35e31c6d833e0ea72ddd90 Mon Sep 17 00:00:00 2001
From: MGatner
Date: Mon, 25 Mar 2019 10:00:15 -0400
Subject: [PATCH 3/3] Use getPrivateMethodInvoker() for protected Controller methods
---
 tests/system/ControllerTest.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/system/ControllerTest.php b/tests/system/ControllerTest.php
index 003b19167700..23a5fea15722 100644
--- a/tests/system/ControllerTest.php
+++ b/tests/system/ControllerTest.php
@@ -87,7 +87,8 @@ public function testCachePage()
 $this->controller = new Controller();
 $this->controller->initController($this->request, $this->response, $this->logger);
- $this->assertNull($this->controller->cachePage(10));
+ $method = $this->getPrivateMethodInvoker($this->controller, 'cachePage');
+ $this->assertNull($method(10));
 }
 public function testValidate()
@@ -97,7 +98,8 @@ public function testValidate()
 $this->controller->initController($this->request, $this->response, $this->logger);
 // and that we can attempt validation, with no rules
- $this->assertFalse($this->controller->validate([]));
+ $method = $this->getPrivateMethodInvoker($this->controller, 'validate');
+ $this->assertFalse($method([]));
 }
 //--------------------------------------------------------------------
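Review bot: Both updated tests in tests/system/ControllerTest.php (`testCachePage()` in the first hunk, `testValidate()` in the second) reach the methods through `getPrivateMethodInvoker()`, so they would presumably still pass if the methods were made `public` again. Nothing in the series asserts the property the change is meant to guarantee. Consider a visibility assertion beside each call, e.g. `$this->assertFalse((new \ReflectionMethod($this->controller, 'cachePage'))->isPublic());`, and the same for `forceHTTPS`, which these hunks do not test. Both test methods begin outside their hunks.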