
Merge pull request #3888 from Schlaefer/fix-#3887-reusableCsrfExpires

Fixes #3887: reusable CSRF token expires
Mark Story 11 years ago
parent
commit
1aa7331b0d

+ 3 - 1
lib/Cake/Controller/Component/SecurityComponent.php

@@ -554,7 +554,9 @@ class SecurityComponent extends Component {
 		}
 		if (!$this->csrfUseOnce) {
 			$csrfTokens = array_keys($token['csrfTokens']);
-			$token['key'] = $csrfTokens[0];
+			$authKey = $csrfTokens[0];
+			$token['key'] = $authKey;
+			$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 		}
 		$this->Session->write('_Token', $token);
 		$request->params['_Token'] = array(
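Review bot: Rewriting the expiry at the new `$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);` line on every request turns `csrfExpires` into a sliding idle timeout for reusable tokens — a token never expires as long as requests keep arriving inside the window — which is the intended fix for #3887 but is not stated anywhere in the code. Add a comment above that assignment: `// Reusable tokens get a sliding expiry: each request pushes the deadline out by csrfExpires.` and consider saying the same in the `$csrfExpires` property docblock, which is outside this hunk. The code also indexes `$csrfTokens[0]` unconditionally; presumably the branch closed at the top of the hunk guarantees at least one token exists when `csrfUseOnce` is false, but that is not visible here, and if it does not, `$token['key']` would silently become null. The enclosing method starts and ends outside the hunk.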

+ 18 - 2
lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

@@ -1214,8 +1214,7 @@ class SecurityComponentTest extends CakeTestCase {
 		$token = $this->Security->Session->read('_Token');
 		$this->assertEquals(2, count($token['csrfTokens']), 'Missing the csrf token.');
 		foreach ($token['csrfTokens'] as $expires) {
-			$diff = $csrfExpires - $expires;
-			$this->assertTrue($diff === 0 || $diff === 1, 'Token expiry does not match');
+			$this->assertWithinMargin($expires, $csrfExpires, 2, 'Token expiry does not match');
 		}
 	}
 
@@ -1251,6 +1250,23 @@ class SecurityComponentTest extends CakeTestCase {
 	}
 
 /**
+ * tests that reusable CSRF-token expiry is renewed
+ */
+	public function testCsrfReusableTokenRenewal() {
+		$this->Security->validatePost = false;
+		$this->Security->csrfCheck = true;
+		$this->Security->csrfUseOnce = false;
+		$csrfExpires = '+10 minutes';
+		$this->Security->csrfExpires = $csrfExpires;
+
+		$this->Security->Session->write('_Token.csrfTokens', array('token' => strtotime('+1 minutes')));
+
+		$this->Security->startup($this->Controller);
+		$tokens = $this->Security->Session->read('_Token.csrfTokens');
+		$this->assertWithinMargin($tokens['token'], strtotime($csrfExpires), 2, 'Token expiry was not renewed');
+	}
+
+/**
  * test that expired values in the csrfTokens are cleaned up.
  *
  * @return void
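Review bot: The new test asserts only that the seeded token's expiry moved, not that the token itself was kept, so a regression that dropped `'token'` and minted a fresh key, or appended a second entry, would still pass as long as `$tokens['token']` happens to exist. Pin the renewal behaviour with `$this->assertEquals(1, count($tokens), 'Token was regenerated instead of renewed');` and `$this->assertEquals('token', $this->Security->Session->read('_Token.key'));` after the existing assertion — the component hunk writes the reused key into `_Token.key`, so that value is what the test should observe, assuming no other token is generated on the `csrfUseOnce = false` path. The docblock also lacks the `@return void` line the neighbouring test docblocks carry.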