
Disallow controller names with / in them.

Controller names should not be allowed to have / in them. Internally we
convert / into \\, which lets a request-supplied value reach an arbitrary
namespace through a parameter that should be under the application's control. While the default routing normally
prevents / getting into a controller name, we cannot make the same
assumptions with PSR7 middleware.
Mark Story 10 years ago
parent
commit
50dcf3b52e
2 changed files with 24 additions and 4 deletions
  1. 7 4
      src/Http/ControllerFactory.php
  2. 17 0
      tests/TestCase/Http/ControllerFactoryTest.php

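--- a/src/Http/ControllerFactory.php
+++ b/src/Http/ControllerFactory.php
@@ -55,16 +55,19 @@ class ControllerFactory
             }
         }
         $firstChar = substr($controller, 0, 1);
+
+        // Disallow plugin short forms, / and \\ from
+        // controller names as they allow direct references to
+        // be created.
         if (strpos($controller, '\\') !== false ||
+            strpos($controller, '/') !== false ||
             strpos($controller, '.') !== false ||
             $firstChar === strtolower($firstChar)
         ) {
             return $this->missingController($request);
         }
-        $className = false;
-        if ($pluginPath . $controller) {
-            $className = App::classname($pluginPath . $controller, $namespace, 'Controller');
-        }
+
+        $className = App::classname($pluginPath . $controller, $namespace, 'Controller');
         if (!$className) {
             return $this->missingController($request);
         }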
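Review bot: The guard is still a denylist of four conditions, so a request-supplied controller name containing anything other than `\`, `/`, `.` or a lowercase first character (whitespace, control bytes, non-ASCII) still reaches `App::classname($pluginPath . $controller, ...)` on the line below; whether that is exploitable depends on `App::classname()`, which is not visible here, but an allowlist removes the question. Replacing the `if` with `if (!preg_match('/^[A-Z][A-Za-z0-9]*$/', $controller)) {` / `return $this->missingController($request);` / `}` rejects all four current cases and everything else in one place (widen the character class if the project legitimately allows other characters in controller names). The added comment could also say why, e.g. `// An allowlist keeps request-controlled input from selecting an arbitrary class or namespace.` The enclosing method starts before and ends after this hunk.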

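--- a/tests/TestCase/Http/ControllerFactoryTest.php
+++ b/tests/TestCase/Http/ControllerFactoryTest.php
@@ -232,6 +232,23 @@ class ControllerFactoryTest extends TestCase
 
     /**
      * @expectedException \Cake\Routing\Exception\MissingControllerException
+     * @expectedExceptionMessage Controller class Admin/Posts could not be found.
+     * @return void
+     */
+    public function testSlashedControllerFailure()
+    {
+        $request = new Request([
+            'url' => 'admin/posts/index',
+            'params' => [
+                'controller' => 'Admin/Posts',
+                'action' => 'index',
+            ]
+        ]);
+        $this->factory->create($request, $this->response);
+    }
+
+    /**
+     * @expectedException \Cake\Routing\Exception\MissingControllerException
      * @expectedExceptionMessage Controller class TestApp\Controller\CakesController could not be found.
      * @return void
      */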
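Review bot: The new test pins only the `/` case, so the other rejected forms the factory's guard is meant to cover (backslash, plugin dot form, lowercase first character, `..`-style names) remain unpinned here and a later refactor of that guard could drop one without a failing test. A data provider in this file's annotation style keeps all of them in one place. Note also that the expected message `Controller class Admin/Posts could not be found.` echoes the raw request parameter verbatim; if that message is rendered on a debug error page, confirm it is escaped there, since with PSR7 middleware the value is request-controlled.

```php
    /**
     * @dataProvider invalidControllerNameProvider
     * @expectedException \Cake\Routing\Exception\MissingControllerException
     * @return void
     */
    public function testInvalidControllerNameFailure($controller)
    {
        $request = new Request([
            'url' => 'admin/posts/index',
            'params' => ['controller' => $controller, 'action' => 'index'],
        ]);
        $this->factory->create($request, $this->response);
    }

    public function invalidControllerNameProvider()
    {
        return [
            ['Admin/Posts'],
            ['Admin\\Posts'],
            ['TestPlugin.Posts'],
            ['posts'],
            ['../Posts'],
        ];
    }
```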