BUG Fix message casting for html security messages

This commit is contained in:
Damian Mooyman 2017-12-14 14:49:58 +13:00
parent 529e341dbc
commit 140ed72e2a
GPG Key ID: 78B823A10DE27D1A
2 changed files with 39 additions and 13 deletions


@ -317,14 +317,23 @@ class Security extends Controller implements TemplateGlobalProvider
public static function permissionFailure($controller = null, $messageSet = null) public static function permissionFailure($controller = null, $messageSet = null)
{ {
self::set_ignore_disallowed_actions(true); self::set_ignore_disallowed_actions(true);
$shouldEscapeHtml = function ($message) {
// Parse raw message / escape type
$parseMessage = function ($message) {
if ($message instanceof DBField) { if ($message instanceof DBField) {
$escapeHtml = $message->config()->escape_type === 'raw'; return [
} else { $message->getValue(),
$escapeHtml = true; $message->config()->get('escape_type') === 'raw'
? ValidationResult::CAST_TEXT
: ValidationResult::CAST_HTML,
];
} }
return $escapeHtml; // Default to escaped value
return [
$message,
ValidationResult::CAST_TEXT,
];
}; };
if (!$controller && Controller::has_curr()) { if (!$controller && Controller::has_curr()) {
@ -389,7 +398,8 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default']; $message = $messageSet['default'];
} }
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML); list($messageText, $messageCast) = $parseMessage($message);
static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
$request = new HTTPRequest('GET', '/'); $request = new HTTPRequest('GET', '/');
if ($controller) { if ($controller) {
$request->setSession($controller->getRequest()->getSession()); $request->setSession($controller->getRequest()->getSession());
@ -408,13 +418,8 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default']; $message = $messageSet['default'];
} }
static::singleton()->setSessionMessage( list($messageText, $messageCast) = $parseMessage($message);
$message, static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
ValidationResult::TYPE_WARNING,
$shouldEscapeHtml($message) ?
ValidationResult::CAST_TEXT :
ValidationResult::CAST_HTML
);
$controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']); $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
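Review bot: The DBField branch of `$parseMessage` in the first hunk treats every `escape_type` other than `'raw'` as already-safe HTML, so a DBField subclass with an unset or unexpected escape_type would reach `setSessionMessage()` with CAST_HTML and be rendered unescaped; only the known raw type is failed closed. Inverting the test keeps escaping as the default for unknown types: `$message->config()->get('escape_type') === 'xml'` / `? ValidationResult::CAST_HTML` / `: ValidationResult::CAST_TEXT,` — the framework's HTML field types declare escape_type 'xml', which should be confirmed against DBHTMLText before relying on it. A short docblock on the closure stating that it returns a `[value, cast]` pair and that any non-DBField message is always cast as text would help readers of the two call sites in the later hunks, which otherwise have to trace the closure to know what is escaped. permissionFailure continues outside the hunk.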


@ -16,6 +16,7 @@ use SilverStripe\ORM\DataObject;
use SilverStripe\ORM\DB; use SilverStripe\ORM\DB;
use SilverStripe\ORM\FieldType\DBClassName; use SilverStripe\ORM\FieldType\DBClassName;
use SilverStripe\ORM\FieldType\DBDatetime; use SilverStripe\ORM\FieldType\DBDatetime;
use SilverStripe\ORM\FieldType\DBField;
use SilverStripe\ORM\ValidationResult; use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\LoginAttempt; use SilverStripe\Security\LoginAttempt;
use SilverStripe\Security\Member; use SilverStripe\Security\Member;
@ -129,6 +130,26 @@ class SecurityTest extends FunctionalTest
$controller->getResponse()->getBody(), $controller->getResponse()->getBody(),
"Message set passed to Security::permissionFailure() didn't override Config values" "Message set passed to Security::permissionFailure() didn't override Config values"
); );
// Test DBField cast messages work
Security::permissionFailure(
$controller,
DBField::create_field('HTMLFragment', '<p>Custom HTML &amp; Message</p>')
);
$this->assertContains(
'<p>Custom HTML &amp; Message</p>',
$controller->getResponse()->getBody()
);
// Plain text DBText
Security::permissionFailure(
$controller,
DBField::create_field('Text', 'Safely escaped & message')
);
$this->assertContains(
'Safely escaped &amp; message',
$controller->getResponse()->getBody()
);
} }
/** /**
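Review bot: The new assertions cover only DBField inputs, so the closure's default branch — a non-DBField message cast as text — has no test even though it is the secure fallback for every plain-string caller of permissionFailure(). Assuming a bare string is accepted as `$messageSet` the way the DBField is here, a third call such as `Security::permissionFailure($controller, '<b>Plain</b> & message');` followed by `$this->assertContains('&lt;b&gt;Plain&lt;/b&gt; &amp; message', $controller->getResponse()->getBody());` would pin that escaping and catch a future regression of the default. The HTMLFragment case could additionally assert that the escaped form `&lt;p&gt;` is absent from the body, which guards against double encoding rather than just presence.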