Merge pull request #1850 from MGatner/secure-routable-controller-methods

lonnieezell · web-flow · commit b5c3f1839b12 · 2019-03-25T22:26:44.000-05:00
Secure routable controller methods
diff --git a/system/Config/Routes.php b/system/Config/Routes.php
@@ -57,3 +57,9 @@
 
 // CLI Catchall - uses a _remap to call Commands
 $routes->cli('ci(:any)', '\CodeIgniter\CLI\CommandRunner::index/$1');
+
+// Prevent access to initController method
+$routes->add('(:any)/initController', function()
+{
+    throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
+}); 
diff --git a/system/Controller.php b/system/Controller.php
@@ -138,7 +138,7 @@ public function initController(RequestInterface $request, ResponseInterface $res
 	 *
 	 * @throws \CodeIgniter\HTTP\Exceptions\HTTPException
 	 */
-	public function forceHTTPS(int $duration = 31536000)
+	protected function forceHTTPS(int $duration = 31536000)
 	{
 		force_https($duration, $this->request, $this->response);
 	}
@@ -151,7 +151,7 @@ public function forceHTTPS(int $duration = 31536000)
 	 *
 	 * @param integer $time
 	 */
-	public function cachePage(int $time)
+	protected function cachePage(int $time)
 	{
 		CodeIgniter::cache($time);
 	}
@@ -185,7 +185,7 @@ protected function loadHelpers()
 	 *
 	 * @return boolean
 	 */
-	public function validate($rules, array $messages = []): bool
+	protected function validate($rules, array $messages = []): bool
 	{
 		$this->validator = Services::validation();
 
diff --git a/tests/system/ControllerTest.php b/tests/system/ControllerTest.php
@@ -87,7 +87,8 @@ public function testCachePage()
 		$this->controller = new Controller();
 		$this->controller->initController($this->request, $this->response, $this->logger);
 
-		$this->assertNull($this->controller->cachePage(10));
+		$method = $this->getPrivateMethodInvoker($this->controller, 'cachePage');
+		$this->assertNull($method(10));
 	}
 
 	public function testValidate()
@@ -97,7 +98,8 @@ public function testValidate()
 		$this->controller->initController($this->request, $this->response, $this->logger);
 
 		// and that we can attempt validation, with no rules
-		$this->assertFalse($this->controller->validate([]));
+		$method = $this->getPrivateMethodInvoker($this->controller, 'validate');
+		$this->assertFalse($method([]));
 	}
 
 	//--------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ public function initController(RequestInterface $request, ResponseInterface $res`
`138`	`138`	`*`
`139`	`139`	`* @throws \CodeIgniter\HTTP\Exceptions\HTTPException`
`140`	`140`	`*/`
`141`		`- public function forceHTTPS(int $duration = 31536000)`
	`141`	`+ protected function forceHTTPS(int $duration = 31536000)`
`142`	`142`	`{`
`143`	`143`	`force_https($duration, $this->request, $this->response);`
`144`	`144`	`}`
`@@ -151,7 +151,7 @@ public function forceHTTPS(int $duration = 31536000)`
`151`	`151`	`*`
`152`	`152`	`* @param integer $time`
`153`	`153`	`*/`
`154`		`- public function cachePage(int $time)`
	`154`	`+ protected function cachePage(int $time)`
`155`	`155`	`{`
`156`	`156`	`CodeIgniter::cache($time);`
`157`	`157`	`}`
`@@ -185,7 +185,7 @@ protected function loadHelpers()`
`185`	`185`	`*`
`186`	`186`	`* @return boolean`
`187`	`187`	`*/`
`188`		`- public function validate($rules, array $messages = []): bool`
	`188`	`+ protected function validate($rules, array $messages = []): bool`
`189`	`189`	`{`
`190`	`190`	`$this->validator = Services::validation();`
`191`	`191`