Merge branch 'master' into sync-master-2052.

2026-03-11 18:01:21 +01:00 · 2025-04-26 19:03:07 -04:00
parent 9578380889 7037fd46ab
commit 97a4d711ec
594 changed files with 3603 additions and 1124 deletions
--- a/tests/framework/web/RequestTest.php
+++ b/tests/framework/web/RequestTest.php
@@ -211,7 +211,125 @@ class RequestTest extends TestCase
        }
    }

-    public function testResolve(): void
+    public function testCustomSafeMethodsCsrfTokenValidation()
+    {
+        $this->mockWebApplication();
+
+        $request = new Request();
+        $request->csrfTokenSafeMethods = ['OPTIONS'];
+        $request->enableCsrfCookie = false;
+        $request->enableCsrfValidation = true;
+
+        $token = $request->getCsrfToken();
+
+        // accept any value on custom safe request
+        foreach (['OPTIONS'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $this->assertTrue($request->validateCsrfToken($token));
+            $this->assertTrue($request->validateCsrfToken($token . 'a'));
+            $this->assertTrue($request->validateCsrfToken([]));
+            $this->assertTrue($request->validateCsrfToken([$token]));
+            $this->assertTrue($request->validateCsrfToken(0));
+            $this->assertTrue($request->validateCsrfToken(null));
+            $this->assertTrue($request->validateCsrfToken());
+        }
+
+        // only accept valid token on other requests
+        foreach (['GET', 'HEAD', 'POST'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $this->assertTrue($request->validateCsrfToken($token));
+            $this->assertFalse($request->validateCsrfToken($token . 'a'));
+            $this->assertFalse($request->validateCsrfToken([]));
+            $this->assertFalse($request->validateCsrfToken([$token]));
+            $this->assertFalse($request->validateCsrfToken(0));
+            $this->assertFalse($request->validateCsrfToken(null));
+            $this->assertFalse($request->validateCsrfToken());
+        }
+    }
+
+    public function testCsrfHeaderValidation()
+    {
+        $this->mockWebApplication();
+
+        $request = new Request();
+        $request->validateCsrfHeaderOnly = true;
+        $request->enableCsrfValidation = true;
+
+        // only accept valid header on unsafe requests
+        foreach (['GET', 'HEAD', 'POST'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $request->headers->remove(Request::CSRF_HEADER);
+            $this->assertFalse($request->validateCsrfToken());
+
+            $request->headers->add(Request::CSRF_HEADER, '');
+            $this->assertTrue($request->validateCsrfToken());
+        }
+
+        // accept no value on other requests
+        foreach (['DELETE', 'PATCH', 'PUT', 'OPTIONS'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $this->assertTrue($request->validateCsrfToken());
+        }
+    }
+
+    public function testCustomHeaderCsrfHeaderValidation()
+    {
+        $this->mockWebApplication();
+
+        $request = new Request();
+        $request->csrfHeader = 'X-JGURDA';
+        $request->validateCsrfHeaderOnly = true;
+        $request->enableCsrfValidation = true;
+
+        // only accept valid header on unsafe requests
+        foreach (['GET', 'HEAD', 'POST'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $request->headers->remove('X-JGURDA');
+            $this->assertFalse($request->validateCsrfToken());
+
+            $request->headers->add('X-JGURDA', '');
+            $this->assertTrue($request->validateCsrfToken());
+        }
+    }
+
+    public function testCustomUnsafeMethodsCsrfHeaderValidation()
+    {
+        $this->mockWebApplication();
+
+        $request = new Request();
+        $request->csrfHeaderUnsafeMethods = ['POST'];
+        $request->validateCsrfHeaderOnly = true;
+        $request->enableCsrfValidation = true;
+
+        // only accept valid custom header on unsafe requests
+        foreach (['POST'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $request->headers->remove(Request::CSRF_HEADER);
+            $this->assertFalse($request->validateCsrfToken());
+
+            $request->headers->add(Request::CSRF_HEADER, '');
+            $this->assertTrue($request->validateCsrfToken());
+        }
+
+        // accept no value on other requests
+        foreach (['GET', 'HEAD'] as $method) {
+            $_SERVER['REQUEST_METHOD'] = $method;
+            $request->headers->remove(Request::CSRF_HEADER);
+            $this->assertTrue($request->validateCsrfToken());
+        }
+    }
+
+    public function testNoCsrfTokenCsrfHeaderValidation()
+    {
+        $this->mockWebApplication();
+
+        $request = new Request();
+        $request->validateCsrfHeaderOnly = true;
+
+        $this->assertEquals($request->getCsrfToken(), null);
+    }
+
+    public function testResolve()
    {
        $this->mockWebApplication([
            'components' => [
@@ -444,7 +562,6 @@ class RequestTest extends TestCase
        $_SERVER = [];

        $this->expectException(\yii\base\InvalidConfigException::class);
-
        $request->getScriptUrl();
    }