
Merge branch '4.x' into 4.next

Corey Taylor 4 years ago
parent
commit
178105e693

+ 2 - 2
.github/workflows/stale.yml

@@ -19,5 +19,5 @@ jobs:
         stale-pr-label: 'stale'
         days-before-stale: 120
         days-before-close: 15
-        exempt-issue-label: 'pinned'
-        exempt-pr-label: 'pinned'
+        exempt-issue-labels: 'pinned'
+        exempt-pr-labels: 'pinned'

+ 1 - 1
src/Http/Middleware/CsrfProtectionMiddleware.php

@@ -342,7 +342,7 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
         } else {
             $decoded = base64_decode($token, true);
         }
-        if (strlen($decoded) <= static::TOKEN_VALUE_LENGTH) {
+        if (!$decoded || strlen($decoded) <= static::TOKEN_VALUE_LENGTH) {
             return false;
         }
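Review bot: The added `!$decoded ||` guard tests truthiness rather than the `false` sentinel that `base64_decode($token, true)` returns for malformed input, so a reader has to work out that the falsy strings `''` and `'0'` would have been rejected by the length comparison anyway (assuming `TOKEN_VALUE_LENGTH` is at least 1, which is not visible here). Comparing against the sentinel states the intent directly: `if ($decoded === false || strlen($decoded) <= static::TOKEN_VALUE_LENGTH) {`. It would also help to say why the guard exists, e.g. `// base64_decode() returns false on malformed input; strlen(false) is a TypeError under strict_types`, hedged to however this file declares types. The branch before the `else` and the rest of the enclosing method are outside the hunk, so the first decode path could not be checked for the same issue.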
 

+ 20 - 0
tests/TestCase/Http/Middleware/CsrfProtectionMiddlewareTest.php

@@ -396,6 +396,26 @@ class CsrfProtectionMiddlewareTest extends TestCase
     }
 
     /**
+     * Test that empty value cookies are rejected
+     *
+     * @return void
+     */
+    public function testInvalidTokenEmptyStringCookies()
+    {
+        $this->expectException(InvalidCsrfTokenException::class);
+        $request = new ServerRequest([
+            'environment' => [
+                'REQUEST_METHOD' => 'POST',
+            ],
+            'post' => ['_csrfToken' => '*(&'],
+            // Invalid data that can't be base64 decoded.
+            'cookies' => ['csrfToken' => '*(&'],
+        ]);
+        $middleware = new CsrfProtectionMiddleware();
+        $middleware->process($request, $this->_getRequestHandler());
+    }
+
+    /**
      * Test that request non string cookies are ignored.
      */
     public function testInvalidTokenNonStringCookies(): void
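Review bot: The new test's docblock says it covers "empty value cookies", but the request carries the non-empty, non-base64 string `'*(&'` in both the cookie and the post body, and the inline comment describes it as "Invalid data that can't be base64 decoded" — the summary should match, e.g. `* Test that cookies which cannot be base64 decoded are rejected`. The method also omits the native `: void` return type that the neighbouring `testInvalidTokenNonStringCookies(): void` uses; declaring `public function testInvalidTokenEmptyStringCookies(): void` keeps the file consistent and makes the `@return void` tag redundant. A separate case with a genuinely empty cookie value would be worth adding if that path is meant to be covered too, though whether it is handled before decoding is not visible from this hunk.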

+ 2 - 0
tests/test_app/TestApp/Model/Table/FeaturedTagsTable.php

@@ -22,6 +22,8 @@ use Cake\ORM\TableRegistry;
  */
 class FeaturedTagsTable extends Table
 {
+    protected $Posts;
+
     public function initialize(array $config): void
     {
         // Used to reproduce https://github.com/cakephp/cakephp/issues/16373
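Review bot: The added `protected $Posts;` property carries no type or docblock, so its purpose and expected value are not apparent from the declaration alone; the only hint is the issue reference inside `initialize()`, whose body continues past the hunk. A one-line docblock tying it to that reproduction would help, e.g. `/** @var mixed Declared explicitly for the #16373 reproduction; assigned in initialize() — confirm type */`, with the type narrowed once the assignment in `initialize()` is checked. Presumably the declaration exists to avoid a dynamic-property write, but that is inferred rather than shown here.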