tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

[ss-2018-005] Prevent unauthenticated isDev / isTest being allowed

Browse Source
This commit is contained in:
Damian Mooyman 2018-04-09 11:06:05 +12:00 committed by Robbie Averill
parent e967ab09a2
commit d935140a95
2 changed files with 17 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/Core/Startup/ParameterConfirmationToken.php
View File

@ -214,6 +214,7 @@ class ParameterConfirmationToken
*/ */
public function suppress() public function suppress()
{ {
unset($_GET[$this->parameterName]);
$this->request->offsetUnset($this->parameterName); $this->request->offsetUnset($this->parameterName);
} }

27
tests/php/Core/Startup/ParameterConfirmationTokenTest.php
View File

@ -20,17 +20,17 @@ class ParameterConfirmationTokenTest extends SapphireTest
protected function setUp() protected function setUp()
{ {
parent::setUp(); parent::setUp();
$get = []; $_GET = [];
$get['parameterconfirmationtokentest_notoken'] = 'value'; $_GET['parameterconfirmationtokentest_notoken'] = 'value';
$get['parameterconfirmationtokentest_empty'] = ''; $_GET['parameterconfirmationtokentest_empty'] = '';
$get['parameterconfirmationtokentest_withtoken'] = '1'; $_GET['parameterconfirmationtokentest_withtoken'] = '1';
$get['parameterconfirmationtokentest_withtokentoken'] = 'dummy'; $_GET['parameterconfirmationtokentest_withtokentoken'] = 'dummy';
$get['parameterconfirmationtokentest_nulltoken'] = '1'; $_GET['parameterconfirmationtokentest_nulltoken'] = '1';
$get['parameterconfirmationtokentest_nulltokentoken'] = null; $_GET['parameterconfirmationtokentest_nulltokentoken'] = null;
$get['parameterconfirmationtokentest_emptytoken'] = '1'; $_GET['parameterconfirmationtokentest_emptytoken'] = '1';
$get['parameterconfirmationtokentest_emptytokentoken'] = ''; $_GET['parameterconfirmationtokentest_emptytokentoken'] = '';
$get['BackURL'] = 'page?parameterconfirmationtokentest_backtoken=1'; $_GET['BackURL'] = 'page?parameterconfirmationtokentest_backtoken=1';
$this->request = new HTTPRequest('GET', 'anotherpage', $get); $this->request = new HTTPRequest('GET', 'anotherpage', $_GET);
$this->request->setSession(new Session([])); $this->request->setSession(new Session([]));
} }
@ -129,6 +129,11 @@ class ParameterConfirmationTokenTest extends SapphireTest
$this->request $this->request
); );
$this->assertEquals('parameterconfirmationtokentest_backtoken', $token->getName()); $this->assertEquals('parameterconfirmationtokentest_backtoken', $token->getName());
// Test prepare_tokens() unsets $_GET vars
$this->assertArrayNotHasKey('parameterconfirmationtokentest_notoken', $_GET);
$this->assertArrayNotHasKey('parameterconfirmationtokentest_empty', $_GET);
$this->assertArrayNotHasKey('parameterconfirmationtokentest_noparam', $_GET);
} }
public function dataProviderURLs() public function dataProviderURLs()