Upgrade CakePHP from 2.2.5 to 2.9.5

2025-08-03 22:53:58 +02:00 · 2017-02-26 15:29:44 +01:00 · 2017-02-26 15:29:44 +01:00 · 235a541597
commit 235a541597
parent 5a580df460
793 changed files with 60746 additions and 23753 deletions
--- a/lib/Cake/Test/Case/Utility/SecurityTest.php
+++ b/lib/Cake/Test/Case/Utility/SecurityTest.php
@ -1,21 +1,18 @@
 <?php
 /**
- * SecurityTest file
- *
- * PHP 5
- *
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
- * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
+ * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
+ * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice
 *
- * @copyright     Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link          http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
- * @package       Cake.Test.Case.Utility
 * @since         CakePHP(tm) v 1.2.0.5432
- * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
+ * @license       http://www.opensource.org/licenses/mit-license.php MIT License
 */
+
 App::uses('Security', 'Utility');

 /**
@ -28,7 +25,7 @@ class SecurityTest extends CakeTestCase {
 /**
 * sut property
 *
- * @var mixed null
+ * @var mixed
 */
 	public $sut = null;

@ -67,6 +64,45 @@ class SecurityTest extends CakeTestCase {
 		$this->assertTrue(Security::validateAuthKey($authKey));
 	}

+/**
+ * testHashInvalidSalt method
+ *
+ * @expectedException PHPUnit_Framework_Error
+ * @return void
+ */
+	public function testHashInvalidSalt() {
+		Security::hash('someKey', 'blowfish', true);
+	}
+
+/**
+ * testHashAnotherInvalidSalt
+ *
+ * @expectedException PHPUnit_Framework_Error
+ * @return void
+ */
+	public function testHashAnotherInvalidSalt() {
+		Security::hash('someKey', 'blowfish', '$1$lksdjoijfaoijs');
+	}
+
+/**
+ * testHashYetAnotherInvalidSalt
+ *
+ * @expectedException PHPUnit_Framework_Error
+ * @return void
+ */
+	public function testHashYetAnotherInvalidSalt() {
+		Security::hash('someKey', 'blowfish', '$2a$10$123');
+	}
+
+/**
+ * testHashInvalidCost method
+ *
+ * @expectedException PHPUnit_Framework_Error
+ * @return void
+ */
+	public function testHashInvalidCost() {
+		Security::setCost(1000);
+	}
 /**
 * testHash method
 *
@ -78,10 +114,10 @@ class SecurityTest extends CakeTestCase {
 		$key = 'someKey';
 		$hash = 'someHash';

-		$this->assertSame(strlen(Security::hash($key, null, false)), 40);
-		$this->assertSame(strlen(Security::hash($key, 'sha1', false)), 40);
-		$this->assertSame(strlen(Security::hash($key, null, true)), 40);
-		$this->assertSame(strlen(Security::hash($key, 'sha1', true)), 40);
+		$this->assertSame(40, strlen(Security::hash($key, null, false)));
+		$this->assertSame(40, strlen(Security::hash($key, 'sha1', false)));
+		$this->assertSame(40, strlen(Security::hash($key, null, true)));
+		$this->assertSame(40, strlen(Security::hash($key, 'sha1', true)));

 		$result = Security::hash($key, null, $hash);
 		$this->assertSame($result, 'e38fcb877dccb6a94729a81523851c931a46efb1');
@ -91,30 +127,94 @@ class SecurityTest extends CakeTestCase {

 		$hashType = 'sha1';
 		Security::setHash($hashType);
-		$this->assertSame(Security::$hashType, $hashType);
-		$this->assertSame(strlen(Security::hash($key, null, true)), 40);
-		$this->assertSame(strlen(Security::hash($key, null, false)), 40);
+		$this->assertSame($hashType, Security::$hashType);
+		$this->assertSame(40, strlen(Security::hash($key, null, true)));
+		$this->assertSame(40, strlen(Security::hash($key, null, false)));

-		$this->assertSame(strlen(Security::hash($key, 'md5', false)), 32);
-		$this->assertSame(strlen(Security::hash($key, 'md5', true)), 32);
+		$this->assertSame(32, strlen(Security::hash($key, 'md5', false)));
+		$this->assertSame(32, strlen(Security::hash($key, 'md5', true)));

 		$hashType = 'md5';
 		Security::setHash($hashType);
-		$this->assertSame(Security::$hashType, $hashType);
-		$this->assertSame(strlen(Security::hash($key, null, false)), 32);
-		$this->assertSame(strlen(Security::hash($key, null, true)), 32);
+		$this->assertSame($hashType, Security::$hashType);
+		$this->assertSame(32, strlen(Security::hash($key, null, false)));
+		$this->assertSame(32, strlen(Security::hash($key, null, true)));

 		if (!function_exists('hash') && !function_exists('mhash')) {
-			$this->assertSame(strlen(Security::hash($key, 'sha256', false)), 32);
-			$this->assertSame(strlen(Security::hash($key, 'sha256', true)), 32);
+			$this->assertSame(32, strlen(Security::hash($key, 'sha256', false)));
+			$this->assertSame(32, strlen(Security::hash($key, 'sha256', true)));
 		} else {
-			$this->assertSame(strlen(Security::hash($key, 'sha256', false)), 64);
-			$this->assertSame(strlen(Security::hash($key, 'sha256', true)), 64);
+			$this->assertSame(64, strlen(Security::hash($key, 'sha256', false)));
+			$this->assertSame(64, strlen(Security::hash($key, 'sha256', true)));
 		}

 		Security::setHash($_hashType);
 	}

+/**
+ * Test that blowfish doesn't return '' when the salt is ''
+ *
+ * @return void
+ */
+	public function testHashBlowfishEmptySalt() {
+		$test = Security::hash('password', 'blowfish');
+		$this->skipIf(strpos($test, '$2a$') === false, 'Blowfish hashes are incorrect.');
+
+		$stored = '';
+		$hash = Security::hash('anything', 'blowfish', $stored);
+		$this->assertNotEquals($stored, $hash);
+
+		$hash = Security::hash('anything', 'blowfish', false);
+		$this->assertNotEquals($stored, $hash);
+
+		$hash = Security::hash('anything', 'blowfish', null);
+		$this->assertNotEquals($stored, $hash);
+	}
+
+/**
+ * Test that hash() works with blowfish.
+ *
+ * @return void
+ */
+	public function testHashBlowfish() {
+		$test = Security::hash('password', 'blowfish');
+		$this->skipIf(strpos($test, '$2a$') === false, 'Blowfish hashes are incorrect.');
+
+		Security::setCost(10);
+		$_hashType = Security::$hashType;
+
+		$key = 'someKey';
+		$hashType = 'blowfish';
+		Security::setHash($hashType);
+
+		$this->assertSame($hashType, Security::$hashType);
+		$this->assertSame(60, strlen(Security::hash($key, null, false)));
+
+		$password = $submittedPassword = $key;
+		$storedPassword = Security::hash($password);
+
+		$hashedPassword = Security::hash($submittedPassword, null, $storedPassword);
+		$this->assertSame($storedPassword, $hashedPassword);
+
+		$submittedPassword = 'someOtherKey';
+		$hashedPassword = Security::hash($submittedPassword, null, $storedPassword);
+		$this->assertNotSame($storedPassword, $hashedPassword);
+
+		$expected = sha1('customsaltsomevalue');
+		$result = Security::hash('somevalue', 'sha1', 'customsalt');
+		$this->assertSame($expected, $result);
+
+		$oldSalt = Configure::read('Security.salt');
+		Configure::write('Security.salt', 'customsalt');
+
+		$expected = sha1('customsaltsomevalue');
+		$result = Security::hash('somevalue', 'sha1', true);
+		$this->assertSame($expected, $result);
+
+		Configure::write('Security.salt', $oldSalt);
+		Security::setHash($_hashType);
+	}
+
 /**
 * testCipher method
 *
@ -155,7 +255,7 @@ class SecurityTest extends CakeTestCase {
 	public function testCipherEmptyKey() {
 		$txt = 'some_text';
 		$key = '';
-		$result = Security::cipher($txt, $key);
+		Security::cipher($txt, $key);
 	}

 /**
@ -164,6 +264,7 @@ class SecurityTest extends CakeTestCase {
 * @return void
 */
 	public function testRijndael() {
+		$this->skipIf(!function_exists('mcrypt_encrypt'));
 		$txt = 'The quick brown fox jumped over the lazy dog.';
 		$key = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi';

@ -176,10 +277,27 @@ class SecurityTest extends CakeTestCase {
 		$result = Security::rijndael('', $key, 'encrypt');
 		$this->assertEquals('', Security::rijndael($result, $key, 'decrypt'));

-		$result = Security::rijndael($txt, $key = 'this is my key of over 32 chars, yes it is', 'encrypt');
+		$key = 'this is my key of over 32 chars, yes it is';
+		$result = Security::rijndael($txt, $key, 'encrypt');
 		$this->assertEquals($txt, Security::rijndael($result, $key, 'decrypt'));
 	}

+/**
+ * Test that rijndael() can still decrypt values with a fixed iv.
+ *
+ * @return void
+ */
+	public function testRijndaelBackwardCompatibility() {
+		$this->skipIf(!function_exists('mcrypt_encrypt'));
+
+		$txt = 'The quick brown fox jumped over the lazy dog.';
+		$key = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi';
+
+		// Encrypted before random iv
+		$value = base64_decode('1WPjnq96LMzLGwNgmudHF+cAIqVUN5DaUZEpf5tm1EzSgt5iYY9o3d66iRI/fKJLTlTVGsa8HzW0jDNitmVXoQ==');
+		$this->assertEquals($txt, Security::rijndael($value, $key, 'decrypt'));
+	}
+
 /**
 * testRijndaelInvalidOperation method
 *
@ -189,7 +307,7 @@ class SecurityTest extends CakeTestCase {
 	public function testRijndaelInvalidOperation() {
 		$txt = 'The quick brown fox jumped over the lazy dog.';
 		$key = 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi';
-		$result = Security::rijndael($txt, $key, 'foo');
+		Security::rijndael($txt, $key, 'foo');
 	}

 /**
@ -201,7 +319,146 @@ class SecurityTest extends CakeTestCase {
 	public function testRijndaelInvalidKey() {
 		$txt = 'The quick brown fox jumped over the lazy dog.';
 		$key = 'too small';
-		$result = Security::rijndael($txt, $key, 'encrypt');
+		Security::rijndael($txt, $key, 'encrypt');
 	}

+/**
+ * Test encrypt/decrypt.
+ *
+ * @return void
+ */
+	public function testEncryptDecrypt() {
+		$this->skipIf(!extension_loaded('mcrypt'), 'This test requires mcrypt to be installed');
+		$txt = 'The quick brown fox';
+		$key = 'This key is longer than 32 bytes long.';
+		$result = Security::encrypt($txt, $key);
+		$this->assertNotEquals($txt, $result, 'Should be encrypted.');
+		$this->assertNotEquals($result, Security::encrypt($txt, $key), 'Each result is unique.');
+		$this->assertEquals($txt, Security::decrypt($result, $key));
+	}
+
+/**
+ * Test that changing the key causes decryption to fail.
+ *
+ * @return void
+ */
+	public function testDecryptKeyFailure() {
+		$this->skipIf(!extension_loaded('mcrypt'), 'This test requires mcrypt to be installed');
+		$txt = 'The quick brown fox';
+		$key = 'This key is longer than 32 bytes long.';
+		Security::encrypt($txt, $key);
+
+		$key = 'Not the same key. This one will fail';
+		$this->assertFalse(Security::decrypt($txt, $key), 'Modified key will fail.');
+	}
+
+/**
+ * Test that decrypt fails when there is an hmac error.
+ *
+ * @return void
+ */
+	public function testDecryptHmacFailure() {
+		$this->skipIf(!extension_loaded('mcrypt'), 'This test requires mcrypt to be installed');
+		$txt = 'The quick brown fox';
+		$key = 'This key is quite long and works well.';
+		$salt = 'this is a delicious salt!';
+		$result = Security::encrypt($txt, $key, $salt);
+
+		// Change one of the bytes in the hmac.
+		$result[10] = 'x';
+		$this->assertFalse(Security::decrypt($result, $key, $salt), 'Modified hmac causes failure.');
+	}
+
+/**
+ * Test that changing the hmac salt will cause failures.
+ *
+ * @return void
+ */
+	public function testDecryptHmacSaltFailure() {
+		$this->skipIf(!extension_loaded('mcrypt'), 'This test requires mcrypt to be installed');
+		$txt = 'The quick brown fox';
+		$key = 'This key is quite long and works well.';
+		$salt = 'this is a delicious salt!';
+		$result = Security::encrypt($txt, $key, $salt);
+
+		$salt = 'humpty dumpty had a great fall.';
+		$this->assertFalse(Security::decrypt($result, $key, $salt), 'Modified salt causes failure.');
+	}
+
+/**
+ * Test that short keys cause errors
+ *
+ * @expectedException CakeException
+ * @expectedExceptionMessage Invalid key for encrypt(), key must be at least 256 bits (32 bytes) long.
+ * @return void
+ */
+	public function testEncryptInvalidKey() {
+		$txt = 'The quick brown fox jumped over the lazy dog.';
+		$key = 'this is too short';
+		Security::encrypt($txt, $key);
+	}
+
+/**
+ * Test encrypting falsey data
+ *
+ * @return void
+ */
+	public function testEncryptDecryptFalseyData() {
+		$this->skipIf(!extension_loaded('mcrypt'), 'This test requires mcrypt to be installed');
+		$key = 'This is a key that is long enough to be ok.';
+
+		$result = Security::encrypt('', $key);
+		$this->assertSame('', Security::decrypt($result, $key));
+
+		$result = Security::encrypt(false, $key);
+		$this->assertSame('', Security::decrypt($result, $key));
+
+		$result = Security::encrypt(null, $key);
+		$this->assertSame('', Security::decrypt($result, $key));
+
+		$result = Security::encrypt(0, $key);
+		$this->assertSame('0', Security::decrypt($result, $key));
+
+		$result = Security::encrypt('0', $key);
+		$this->assertSame('0', Security::decrypt($result, $key));
+	}
+
+/**
+ * Test that short keys cause errors
+ *
+ * @expectedException CakeException
+ * @expectedExceptionMessage Invalid key for decrypt(), key must be at least 256 bits (32 bytes) long.
+ * @return void
+ */
+	public function testDecryptInvalidKey() {
+		$txt = 'The quick brown fox jumped over the lazy dog.';
+		$key = 'this is too short';
+		Security::decrypt($txt, $key);
+	}
+
+/**
+ * Test that empty data cause errors
+ *
+ * @expectedException CakeException
+ * @expectedExceptionMessage The data to decrypt cannot be empty.
+ * @return void
+ */
+	public function testDecryptInvalidData() {
+		$txt = '';
+		$key = 'This is a key that is long enough to be ok.';
+		Security::decrypt($txt, $key);
+	}
+
+/**
+ * Test the random method.
+ *
+ * @return void
+ */
+	public function testRandomBytes() {
+		$value = Security::randomBytes(16);
+		$this->assertSame(16, strlen($value));
+
+		$value = Security::randomBytes(64);
+		$this->assertSame(64, strlen($value));
+	}
 }