Only allow GET, HEAD, OPTIONS to not have CSRF tokens.

markstory · markstory · commit 0f818a23a876 · 2015-11-25T22:11:16.000-05:00
This covers cases where bad guys make up fake HTTP methods to trick CSRF
validation.

Update test cases to not muck about in $_SERVER too.
diff --git a/src/Controller/Component/CsrfComponent.php b/src/Controller/Component/CsrfComponent.php
@@ -94,7 +94,7 @@ public function startup(Event $event)
         if ($request->is('get') && $cookieData === null) {
             $this->_setCookie($request, $response);
         }
-        if ($request->is(['patch', 'put', 'post', 'delete'])) {
+        if (!$request->is(['head', 'get', 'options'])) {
             $this->_validateToken($request);
             unset($request->data[$this->_config['field']]);
         }
diff --git a/tests/TestCase/Controller/Component/CsrfComponentTest.php b/tests/TestCase/Controller/Component/CsrfComponentTest.php
@@ -61,10 +61,11 @@ public function tearDown()
      */
     public function testSettingCookie()
     {
-        $_SERVER['REQUEST_METHOD'] = 'GET';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
-        $controller->request = new Request(['webroot' => '/dir/']);
+        $controller->request = new Request([
+            'environment' => ['REQUEST_METHOD' => 'GET'],
+            'webroot' => '/dir/',
+        ]);
         $controller->response = new Response();
 
         $event = new Event('Controller.startup', $controller);
@@ -87,7 +88,7 @@ public function testSettingCookie()
     public static function httpMethodProvider()
     {
         return [
-            ['PATCH'], ['PUT'], ['POST'], ['DELETE']
+            ['PATCH'], ['PUT'], ['POST'], ['DELETE'], ['PURGE'], ['INVALIDMETHOD']
         ];
     }
 
@@ -100,11 +101,14 @@ public static function httpMethodProvider()
      */
     public function testValidTokenInHeader($method)
     {
-        $_SERVER['REQUEST_METHOD'] = $method;
-        $_SERVER['HTTP_X_CSRF_TOKEN'] = 'testing123';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
-        $controller->request = new Request(['cookies' => ['csrfToken' => 'testing123']]);
+        $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => $method,
+                'HTTP_X_CSRF_TOKEN' => 'testing123',
+            ],
+            'cookies' => ['csrfToken' => 'testing123']
+        ]);
         $controller->response = new Response();
 
         $event = new Event('Controller.startup', $controller);
@@ -122,11 +126,12 @@ public function testValidTokenInHeader($method)
      */
     public function testInvalidTokenInHeader($method)
     {
-        $_SERVER['REQUEST_METHOD'] = $method;
-        $_SERVER['HTTP_X_CSRF_TOKEN'] = 'nope';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => $method,
+                'HTTP_X_CSRF_TOKEN' => 'nope',
+            ],
             'cookies' => ['csrfToken' => 'testing123']
         ]);
         $controller->response = new Response();
@@ -144,10 +149,11 @@ public function testInvalidTokenInHeader($method)
      */
     public function testValidTokenRequestData($method)
     {
-        $_SERVER['REQUEST_METHOD'] = $method;
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => $method,
+            ],
             'post' => ['_csrfToken' => 'testing123'],
             'cookies' => ['csrfToken' => 'testing123']
         ]);
@@ -168,10 +174,11 @@ public function testValidTokenRequestData($method)
      */
     public function testInvalidTokenRequestData($method)
     {
-        $_SERVER['REQUEST_METHOD'] = $method;
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => $method,
+            ],
             'post' => ['_csrfToken' => 'nope'],
             'cookies' => ['csrfToken' => 'testing123']
         ]);
@@ -189,10 +196,11 @@ public function testInvalidTokenRequestData($method)
      */
     public function testInvalidTokenRequestDataMissing()
     {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => 'POST',
+            ],
             'post' => [],
             'cookies' => ['csrfToken' => 'testing123']
         ]);
@@ -211,10 +219,11 @@ public function testInvalidTokenRequestDataMissing()
      */
     public function testInvalidTokenMissingCookie($method)
     {
-        $_SERVER['REQUEST_METHOD'] = $method;
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => [
+                'REQUEST_METHOD' => $method
+            ],
             'post' => ['_csrfToken' => 'could-be-valid'],
             'cookies' => []
         ]);
@@ -232,10 +241,9 @@ public function testInvalidTokenMissingCookie($method)
      */
     public function testCsrfValidationSkipsRequestAction()
     {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => ['REQUEST_METHOD' => 'POST'],
             'params' => ['requested' => 1],
             'post' => ['_csrfToken' => 'nope'],
             'cookies' => ['csrfToken' => 'testing123']
@@ -256,10 +264,11 @@ public function testCsrfValidationSkipsRequestAction()
      */
     public function testConfigurationCookieCreate()
     {
-        $_SERVER['REQUEST_METHOD'] = 'GET';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
-        $controller->request = new Request(['webroot' => '/dir/']);
+        $controller->request = new Request([
+            'environment' => ['REQUEST_METHOD' => 'GET'],
+            'webroot' => '/dir/'
+        ]);
         $controller->response = new Response();
 
         $component = new CsrfComponent($this->registry, [
@@ -290,10 +299,9 @@ public function testConfigurationCookieCreate()
      */
     public function testConfigurationValidate()
     {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
         $controller = $this->getMock('Cake\Controller\Controller', ['redirect']);
         $controller->request = new Request([
+            'environment' => ['REQUEST_METHOD' => 'POST'],
             'cookies' => ['csrfToken' => 'nope', 'token' => 'yes'],
             'post' => ['_csrfToken' => 'no match', 'token' => 'yes'],
         ]);

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ public function startup(Event $event)`
`94`	`94`	`if ($request->is('get') && $cookieData === null) {`
`95`	`95`	`$this->_setCookie($request, $response);`
`96`	`96`	`}`
`97`		`- if ($request->is(['patch', 'put', 'post', 'delete'])) {`
	`97`	`+ if (!$request->is(['head', 'get', 'options'])) {`
`98`	`98`	`$this->_validateToken($request);`
`99`	`99`	`unset($request->data[$this->_config['field']]);`
`100`	`100`	`}`