Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: check for CSRF token in the raw body #7915

Merged
merged 7 commits into from
Sep 18, 2023
Merged

fix: check for CSRF token in the raw body #7915

merged 7 commits into from
Sep 18, 2023

Conversation

michalsn
Copy link
Member

@michalsn michalsn commented Sep 9, 2023

Description
CSRF check for PUT, PATCH, and DELETE type of requests is made only for JSON data. This PR fixes that by adding the raw input data to check.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@michalsn michalsn force-pushed the fix/security branch 2 times, most recently from bc4b54e to 1481461 Compare September 9, 2023 19:14
@michalsn michalsn mentioned this pull request Sep 9, 2023
Merged
MGatner
MGatner reviewed Sep 12, 2023
View reviewed changes
Copy link
Member

@MGatner MGatner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good pending Kenjis comments.

@michalsn
Copy link
Member Author

I have no idea what the PHPStan error means because every occurrence of empty was removed from the file, even though I did not change that particular part of the code.

@paulbalandan
Copy link
Member

@michalsn run vendor/bin/phpstan analyse --generate-baseline phpstan-baseline.php

@michalsn
Copy link
Member Author

@paulbalandan Thanks!

kenjis
kenjis approved these changes Sep 15, 2023
View reviewed changes
Copy link
Member

@kenjis kenjis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@kenjis kenjis merged commit e90be66 into codeigniter4:develop Sep 18, 2023
60 of 61 checks passed
@kenjis kenjis added the enhancement PRs that improve existing functionalities label Sep 18, 2023
@michalsn michalsn mentioned this pull request Oct 20, 2023
Merged
@michalsn michalsn deleted the fix/security branch November 13, 2023 07:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MGatner MGatner MGatner left review comments

@samsonasik samsonasik samsonasik left review comments

@kenjis kenjis kenjis approved these changes

Assignees
No one assigned
Labels
enhancement PRs that improve existing functionalities
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@michalsn @paulbalandan @kenjis @samsonasik @MGatner