From c0fb45e79e17734b8db0245e06e83eca815b25ae Mon Sep 17 00:00:00 2001 From: Markus Bauer Date: Wed, 24 Jul 2024 18:13:57 +0200 Subject: [PATCH] Fix potential CSRF circumvention with custom HTTP methods (#76) * Backported patch, fixing potential CSRF circumvention with custom HTTP methods. Upstream: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0 * Fix unit tests for SecurityComponent --------- Co-authored-by: Markus Bauer --- lib/Cake/Controller/Component/SecurityComponent.php | 2 +- .../Test/Case/Controller/Component/SecurityComponentTest.php | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php index 308f27c738..9b3134e470 100644 --- a/lib/Cake/Controller/Component/SecurityComponent.php +++ b/lib/Cake/Controller/Component/SecurityComponent.php @@ -227,7 +227,7 @@ class SecurityComponent extends Component { public function startup(Controller $controller) { $this->request = $controller->request; $this->_action = $controller->request->params['action']; - $hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch'))); + $hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options'])); try { $this->_methodsRequired($controller); $this->_secureRequired($controller); diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php index 0fba140b28..e49e65c0a1 100644 --- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php +++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php @@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase { */ public function setUp() : void { parent::setUp(); + $_SERVER['REQUEST_METHOD'] = 'GET'; $request = $this->getMock('CakeRequest', array('here'), array('posts/index', false)); $request->addParams(array('controller' => 'posts', 'action' => 'index')); @@ -321,7 +322,7 @@ public function testRequireSecureFail() { * @return void */ public function testRequireSecureSucceed() { - $_SERVER['REQUEST_METHOD'] = 'Secure'; + $_SERVER['REQUEST_METHOD'] = 'GET'; $this->Controller->request['action'] = 'posted'; $_SERVER['HTTPS'] = 'on'; $this->Controller->Security->requireSecure('posted');