document and test controller security

mojolicious · Jan 30, 2012 · 82af8d5 · 82af8d5
1 parent 4075c50
commit 82af8d5
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/lib/Mojolicious/Guides/Routing.pod b/lib/Mojolicious/Guides/Routing.pod
@@ -294,6 +294,10 @@ C<controller> hierarchies.
   # / -> {controller => 'foo-bar', action => 'hi'} -> MyApp::Foo::Bar->hi
   $r->route('/')->to('foo-bar#hi');
 
+For security reasons the dispatcher will always check if the C<controller> is
+actually a subclass of L<Mojolicious::Controller> or L<Mojo> before
+dispatching to it.
+
 =head2 Route to class (C<namespace>)
 
 You can use the C<namespace> stash value to change the namespace of a whole

diff --git a/t/mojolicious/app.t b/t/mojolicious/app.t
@@ -7,7 +7,7 @@ BEGIN {
   $ENV{MOJO_MODE}       = 'development';
 }
 
-use Test::More tests => 261;
+use Test::More tests => 268;
 
 use FindBin;
 use lib "$FindBin::Bin/lib";
@@ -28,6 +28,12 @@ my $t = Test::Mojo->new('MojoliciousTest');
 is $t->app->sessions->cookie_domain, '.example.com', 'right domain';
 is $t->app->sessions->cookie_path,   '/bar',         'right path';
 
+# Plugin::Test::SomePlugin2::register (security violation)
+$t->get_ok('/plugin-test-some_plugin2/register')->status_isnt(500)
+  ->status_is(404)->header_is(Server => 'Mojolicious (Perl)')
+  ->header_is('X-Powered-By' => 'Mojolicious (Perl)')
+  ->content_unlike(qr/Something/)->content_like(qr/Page not found/);
+
 # Foo::fun
 my $url = $t->ua->app_url;
 $url->path('/fun/time');

diff --git a/t/mojolicious/production_app.t b/t/mojolicious/production_app.t
@@ -7,7 +7,7 @@ BEGIN {
   $ENV{MOJO_MODE}       = 'production';
 }
 
-use Test::More tests => 51;
+use Test::More tests => 57;
 
 use FindBin;
 use lib "$FindBin::Bin/lib";
@@ -19,6 +19,12 @@ use_ok 'MojoliciousTest';
 
 my $t = Test::Mojo->new('MojoliciousTest');
 
+# Plugin::Test::SomePlugin2::register (security violation)
+$t->get_ok('/plugin-test-some_plugin2/register')->status_isnt(500)
+  ->status_is(404)->header_is(Server => 'Mojolicious (Perl)')
+  ->header_is('X-Powered-By' => 'Mojolicious (Perl)')
+  ->content_like(qr/Page not found/);
+
 # SyntaxError::foo in production mode (syntax error in controller)
 $t->get_ok('/syntax_error/foo')->status_is(500)
   ->header_is(Server         => 'Mojolicious (Perl)')