tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

BUGFIX: disallow numeric actions - numeric array indexes are incorrectly picked up as allowed actions (#5331) (from r103092)

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112118 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Sam Minnee 2010-10-13 03:30:54 +00:00
parent 6f30671604
commit eef3ff8021
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
core/control/RequestHandler.php
View File

@ -216,10 +216,15 @@ class RequestHandler extends ViewableData {
$action = strtolower($action); $action = strtolower($action);
$actions = $this->allowedActions(); $actions = $this->allowedActions();
// Check if the action is defined in the allowed actions as either a
// key or value. Note that if the action is numeric, then keys are not
// searched for actions to prevent actual array keys being recognised
// as actions.
if(is_array($actions)) { if(is_array($actions)) {
if(array_key_exists($action, $actions) || in_array($action, $actions)) { $isKey = !is_numeric($action) && array_key_exists($action, $actions);
return true; $isValue = in_array($action, $actions);
}
if($isKey || $isValue) return true;
} }
if(!is_array($actions) || !$this->uninherited('allowed_actions')) { if(!is_array($actions) || !$this->uninherited('allowed_actions')) {

1
tests/ControllerTest.php
View File

@ -110,6 +110,7 @@ class ControllerTest extends FunctionalTest {
public function testHasAction() { public function testHasAction() {
$controller = new ControllerTest_HasAction(); $controller = new ControllerTest_HasAction();
$this->assertFalse($controller->hasAction('1'), 'Numeric actions do not slip through.');
$this->assertFalse($controller->hasAction('undefined'), 'undefined actions do not exist'); $this->assertFalse($controller->hasAction('undefined'), 'undefined actions do not exist');
$this->assertTrue($controller->hasAction('allowed_action'), 'allowed actions are recognised'); $this->assertTrue($controller->hasAction('allowed_action'), 'allowed actions are recognised');
$this->assertTrue($controller->hasAction('template_action'), 'action-specific templates are recognised'); $this->assertTrue($controller->hasAction('template_action'), 'action-specific templates are recognised');