
Merge pull request #8818 from kenjis/fix-incorrect-SecurityException-…
…message

fix: incorrect Security exception message
kenjis authored Apr 25, 2024
2 parents 8738340 + fa06a8b commit 0a67abd
Showing 5 changed files with 15 additions and 5 deletions.
2 changes: 1 addition & 1 deletion system/HTTP/ResponseTrait.php
Expand Up @@ -670,7 +670,7 @@ private function dispatchCookies(): void

foreach ($this->cookieStore->display() as $cookie) {
if ($cookie->isSecure() && ! $request->isSecure()) {
throw SecurityException::forDisallowedAction();
throw SecurityException::forInsecureCookie();
}

$name = $cookie->getPrefixedName();
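Review bot: The exception raised at `throw SecurityException::forInsecureCookie();` carries no indication of which cookie triggered it, so with several cookies in the store an operator has to bisect the configuration to find the one flagged Secure while the request was plain HTTP. The prefixed name is computed on the very next line anyway, so the factory could take it, `throw SecurityException::forInsecureCookie($cookie->getPrefixedName());`, with the language string using a `{0}` placeholder as `Security.invalidSameSite` already does. That would change the new factory's signature and the message the test expects, so it is a follow-up rather than a blocker for this fix. dispatchCookies() starts and ends outside the hunk.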
1 change: 1 addition & 0 deletions system/Language/en/Security.php
Expand Up @@ -14,6 +14,7 @@
// Security language settings
return [
'disallowedAction' => 'The action you requested is not allowed.',
'insecureCookie' => 'Attempted to send a secure cookie over a non-secure connection.',

// @deprecated
'invalidSameSite' => 'The SameSite value must be None, Lax, Strict, or a blank string. Given: "{0}"',
10 changes: 10 additions & 0 deletions system/Security/Exceptions/SecurityException.php
Expand Up @@ -20,6 +20,7 @@ class SecurityException extends FrameworkException implements HTTPExceptionInter
{
/**
* Throws when some specific action is not allowed.
* This is used for CSRF protection.
*
* @return static
*/
Expand All @@ -28,6 +29,15 @@ public static function forDisallowedAction()
return new static(lang('Security.disallowedAction'), 403);
}

/**
* Throws if a secure cookie is dispatched when the current connection is not
* secure.
*/
public static function forInsecureCookie(): static
{
return new static(lang('Security.insecureCookie'));
}

/**
* Throws when the source string contains invalid UTF-8 characters.
*
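Review bot: `forInsecureCookie()` builds the exception with no code, while the sibling `forDisallowedAction()` in the same hunk passes 403; since the class implements HTTPExceptionInterface, the code presumably becomes the HTTP status of the error response, so the status an insecure-cookie failure maps to is left implicit here. This failure is a server-side misconfiguration rather than a client fault, so stating the status explicitly, `return new static(lang('Security.insecureCookie'), 500);`, records that intent and keeps the two factories parallel — confirm what the exception handler does with a zero code before relying on the default. The new method also declares a native `: static` return type where its neighbour documents `@return static` in the docblock; either is fine, but the file should settle on one so the factories read consistently. The enclosing class starts and ends outside the hunk.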
5 changes: 1 addition & 4 deletions tests/system/HTTP/ResponseSendTest.php
Expand Up @@ -162,14 +162,11 @@ public function testRedirectResponseCookies(): void

/**
* Make sure secure cookies are not sent with HTTP request
*
* @ runInSeparateProcess
* @ preserveGlobalState disabled
*/
public function testDoNotSendUnSecureCookie(): void
{
$this->expectException(SecurityException::class);
$this->expectExceptionMessage('The action you requested is not allowed');
$this->expectExceptionMessage('Attempted to send a secure cookie over a non-secure connection.');

$request = $this->createMock(IncomingRequest::class);
$request->method('isSecure')->willReturn(false);
2 changes: 2 additions & 0 deletions user_guide_src/source/changelogs/v4.5.2.rst
Expand Up @@ -18,6 +18,8 @@ BREAKING
Message Changes
***************

- Added ``Security.insecureCookie`` message.

*******
Changes
*******
