Using the Security helper, FormSignature calculates a hash of all fields in a form, so that
when the form is submitted, the fields may be validated to ensure that none were added or
removed, and that fields designated as _locked_ have not had their values altered.
To enable form signing in a view, simply call $this->security->sign() before generating your
form. In the controller, you may then validate the request by passing $this->request to the
check() method.
/** * Tests that `FormSignature` correctly ignores other fields in the `'security'` array when * generating signatures. */ public function testIgnoreSecurityFields() { $components = array('a%3A1%3A%7Bs%3A6%3A%22active%22%3Bs%3A4%3A%22true%22%3B%7D', 'a%3A0%3A%7B%7D', '$2a$10$NuNTOeXv4OHpPJtbdAmfReFiSmFw5hmc6sSy8qwns6/DWNSSOjR1y'); $signature = join('::', $components); $request = new Request(array('data' => array('email' => 'foo@baz', 'pass' => 'whatever', 'active' => 'true', 'security' => compact('signature') + array('foo' => 'bar')))); $this->assertTrue(FormSignature::check($request)); }
/** * Tests that the `Security` helper correctly binds to the `Form` helper to collect field * information and generate a signature. */ public function testFormSignatureGeneration() { $form = new Form(array('context' => $this->context)); $this->subject->sign($form); ob_start(); $content = array($form->create(null, array('url' => 'http:///')), $form->text('email', array('value' => 'foo@bar')), $form->password('pass'), $form->hidden('active', array('value' => 'true')), $form->end()); $signature = ob_get_clean(); preg_match('/value="([^"]+)"/', $signature, $match); list(, $signature) = $match; $expected = array('a%3A1%3A%7Bs%3A6%3A%22active%22%3Bs%3A4%3A%22true%22%3B%7D', 'a%3A0%3A%7B%7D', '$2a$10$NuNTOeXv4OHpPJtbdAmfReFiSmFw5hmc6sSy8qwns6/DWNSSOjR1y'); $this->assertEqual(join('::', $expected), $signature); $request = new Request(array('data' => array('email' => 'foo@baz', 'pass' => 'whatever', 'active' => 'true', 'security' => compact('signature')))); $this->assertTrue(FormSignature::check($request)); }
public function testFormSignatureWithMethodPUT() { $form = new Form(array('context' => $this->context)); $this->subject->sign($form); ob_start(); $content = array($form->create(null, array('url' => 'http:///', 'method' => 'PUT')), $form->text('email', array('value' => 'foo@bar')), $form->end()); $signature = ob_get_clean(); preg_match('/value="([^"]+)"/', $signature, $match); list(, $signature) = $match; $request = new Request(array('data' => array('_method' => 'PUT', 'email' => 'foo@baz', 'security' => compact('signature')))); $this->assertTrue(FormSignature::check($request)); }
protected static function _parse($signature) { $result = parent::_parse($signature); static::$parse[] = array('in' => compact('signature'), 'out' => $result); return $result; }
public function testFailsTamperedFieldsAndLockedWithManyAndFieldsChange() { for ($originalFields = array(), $i = 0; $i < 20; $i++) { $originalFields['fooa' . $i] = 'bara' . $i; } for ($originalLocked = array(), $i = 0; $i < 20; $i++) { $originalLocked['foob' . $i] = 'barb' . $i; } $signature0 = FormSignature::key(array('fields' => $originalFields, 'locked' => $originalLocked)); $changed = $originalFields; $changed['foo10000'] = 'barAdded'; $signature1 = FormSignature::key(array('fields' => $changed, 'locked' => $originalLocked)); $this->assertNotIdentical($signature0, $signature1); $changed = $originalFields; unset($changed['fooa1']); $signature1 = FormSignature::key(array('fields' => $changed, 'locked' => $originalLocked)); $this->assertNotIdentical($signature0, $signature1); }