Merge pull request #1850 from MGatner/secure-routable-controller-methods

Secure routable controller methods
codeigniter4 · Mar 26, 2019 · b5c3f18 · b5c3f18
2 parents e73d3c3 + a56bfdf
commit b5c3f18
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/system/Config/Routes.php b/system/Config/Routes.php
@@ -57,3 +57,9 @@
 
 // CLI Catchall - uses a _remap to call Commands
 $routes->cli('ci(:any)', '\CodeIgniter\CLI\CommandRunner::index/$1');
+
+// Prevent access to initController method
+$routes->add('(:any)/initController', function()
+{
+    throw \CodeIgniter\Exceptions\PageNotFoundException::forPageNotFound();
+}); 
diff --git a/system/Controller.php b/system/Controller.php
@@ -138,7 +138,7 @@ public function initController(RequestInterface $request, ResponseInterface $res
 	 *
 	 * @throws \CodeIgniter\HTTP\Exceptions\HTTPException
 	 */
-	public function forceHTTPS(int $duration = 31536000)
+	protected function forceHTTPS(int $duration = 31536000)
 	{
 		force_https($duration, $this->request, $this->response);
 	}
@@ -151,7 +151,7 @@ public function forceHTTPS(int $duration = 31536000)
 	 *
 	 * @param integer $time
 	 */
-	public function cachePage(int $time)
+	protected function cachePage(int $time)
 	{
 		CodeIgniter::cache($time);
 	}
@@ -185,7 +185,7 @@ protected function loadHelpers()
 	 *
 	 * @return boolean
 	 */
-	public function validate($rules, array $messages = []): bool
+	protected function validate($rules, array $messages = []): bool
 	{
 		$this->validator = Services::validation();
 

diff --git a/tests/system/ControllerTest.php b/tests/system/ControllerTest.php
@@ -87,7 +87,8 @@ public function testCachePage()
 		$this->controller = new Controller();
 		$this->controller->initController($this->request, $this->response, $this->logger);
 
-		$this->assertNull($this->controller->cachePage(10));
+		$method = $this->getPrivateMethodInvoker($this->controller, 'cachePage');
+		$this->assertNull($method(10));
 	}
 
 	public function testValidate()
@@ -97,7 +98,8 @@ public function testValidate()
 		$this->controller->initController($this->request, $this->response, $this->logger);
 
 		// and that we can attempt validation, with no rules
-		$this->assertFalse($this->controller->validate([]));
+		$method = $this->getPrivateMethodInvoker($this->controller, 'validate');
+		$this->assertFalse($method([]));
 	}
 
 	//--------------------------------------------------------------------