From 490033ee769e99d95b8ca0023e54e7b93abbd8cd Mon Sep 17 00:00:00 2001
From: Markus Bauer
Date: Sun, 21 Jul 2024 18:53:04 +0200
Subject: [PATCH 1/2] Backported patch, fixing potential CSRF circumvention with custom HTTP methods. Upstream: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
---
 lib/Cake/Controller/Component/SecurityComponent.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
index 308f27c738..9b3134e470 100644
--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -227,7 +227,7 @@ class SecurityComponent extends Component {
 public function startup(Controller $controller) {
 $this->request = $controller->request;
 $this->_action = $controller->request->params['action'];
- $hasData = ($controller->request->data || $controller->request->is(array('put', 'post', 'delete', 'patch')));
+ $hasData = ($controller->request->data || !$controller->request->is(['head', 'get', 'options']));
 try {
 $this->_methodsRequired($controller);
 $this->_secureRequired($controller);
From d35fa72f4eb941158bae6cdecc5011c15956ed7b Mon Sep 17 00:00:00 2001
From: Markus Bauer
Date: Mon, 22 Jul 2024 18:16:11 +0200
Subject: [PATCH 2/2] Fix unit tests for SecurityComponent
---
 .../Test/Case/Controller/Component/SecurityComponentTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
index 0fba140b28..e49e65c0a1 100644
--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
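Review bot: The new `$hasData` line inverts the rule from a deny-list of write methods to an allow-list of read-only ones, and nothing in the hunk records why, so a later "simplification" back to an explicit list of write verbs would silently reintroduce the bypass; add above it `// Only the RFC-safe methods (HEAD/GET/OPTIONS) skip the form/CSRF checks; any other verb, including custom or unknown ones, is treated as a state-changing request.` Patch 2/2 only repairs the existing tests, so no test pins the new behaviour: a case that sets `$_SERVER['REQUEST_METHOD'] = 'Secure'` (the value the old test used) with an empty `request->data` should assert that form validation still runs instead of being skipped. The allow-list is presumably matched on the exact method string by the request detectors, so a lowercase `get` now counts as a write — fail-closed and acceptable, but worth a word in the comment if that is confirmed. `startup()` continues past the hunk; the `catch` for this `try` is outside it.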
@@ -162,6 +162,7 @@ class SecurityComponentTest extends CakeTestCase {
 */
 public function setUp() : void {
 parent::setUp();
+ $_SERVER['REQUEST_METHOD'] = 'GET';
 $request = $this->getMock('CakeRequest', array('here'), array('posts/index', false));
 $request->addParams(array('controller' => 'posts', 'action' => 'index'));
@@ -321,7 +322,7 @@ public function testRequireSecureFail() {
 * @return void
 */
 public function testRequireSecureSucceed() {
- $_SERVER['REQUEST_METHOD'] = 'Secure';
+ $_SERVER['REQUEST_METHOD'] = 'GET';
 $this->Controller->request['action'] = 'posted';
 $_SERVER['HTTPS'] = 'on';
 $this->Controller->Security->requireSecure('posted');
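Review bot: `$_SERVER['REQUEST_METHOD'] = 'GET'` on the `+` line is written to a process-wide global in `setUp()`, but nothing visible restores it, so unless a `tearDown()` outside the hunk (or PHPUnit's backupGlobals) resets it the value leaks into every later test class that runs in the same process and may mask a missing-method bug there. Save the previous value in `setUp()` and put it back in `tearDown()`, or at minimum `unset($_SERVER['REQUEST_METHOD']);` there. `setUp()` continues past the hunk.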
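Review bot: Replacing `'Secure'` with `'GET'` on the `+` line makes `testRequireSecureSucceed` pass again, but it deletes the only case that exercised a non-standard verb — exactly the input patch 1/2 changes the handling of — so the fix now has no regression test. Keep this test on `GET` (it is about `requireSecure`, not the method) and add a sibling such as `testStartupCustomMethodIsNotTreatedAsSafe` that sets `$_SERVER['REQUEST_METHOD'] = 'Secure'`, leaves `request->data` empty, runs `startup()` and asserts the same failure signal `testRequireSecureFail` checks. The assertions of `testRequireSecureSucceed` lie outside the hunk.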