fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-02 01:52:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix CSRF check for GET requests

Browse source
This commit is contained in:
Kijin Sung 2017-04-23 14:51:41 +09:00
parent fa5c7afce2
commit 2822191271
2 changed files with 21 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tests/unit/framework/SecurityTest.php
View file

@ -110,14 +110,30 @@ class SecurityTest extends \Codeception\TestCase\Test
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = Rhymix\Framework\Session::createToken();
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = Rhymix\Framework\Session::createToken();
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = 'http://www.rhymix.org/foo/bar';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = 'invalid value';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF('http://www.rhymix.org/'));
error_reporting($error_reporting);