From 36f6ebab7f9e8ff6e76eb56ef5c6bfd23e511b4c Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Sat, 15 Jun 2013 15:33:27 -0400
Subject: [PATCH] Fixes issue #539: Yii2 Csrf protection broken
---
 framework/yii/validators/CaptchaValidator.php | 3 +++
 framework/yii/web/CaptchaAction.php | 2 +-
 framework/yii/web/Request.php | 20 +++++++++++---------
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/framework/yii/validators/CaptchaValidator.php b/framework/yii/validators/CaptchaValidator.php
index 01870d3..7721067 100644
--- a/framework/yii/validators/CaptchaValidator.php
+++ b/framework/yii/validators/CaptchaValidator.php
@@ -21,6 +21,9 @@ use yii\helpers\Html;
 */
 class CaptchaValidator extends Validator
 {
+ /**
+ * @var boolean whether to skip this validator if the input is empty.
+ */
 public $skipOnEmpty = false;
 /**
 * @var boolean whether the comparison is case sensitive. Defaults to false.
diff --git a/framework/yii/web/CaptchaAction.php b/framework/yii/web/CaptchaAction.php
index 53b392d..1e22627 100644
--- a/framework/yii/web/CaptchaAction.php
+++ b/framework/yii/web/CaptchaAction.php
@@ -173,7 +173,7 @@ class CaptchaAction extends Action
 {
 $code = $this->getVerifyCode();
 $valid = $caseSensitive ? ($input === $code) : strcasecmp($input, $code) === 0;
- $session = Yii::$app->session;
+ $session = Yii::$app->getSession();
 $session->open();
 $name = $this->getSessionKey() . 'count';
 $session[$name] = $session[$name] + 1;
diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php
index 4f0ff1f..3a16f9e 100644
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -27,7 +27,7 @@ class Request extends \yii\base\Request
 * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
 * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
 */
- public $enableCsrfValidation = false;
+ public $enableCsrfValidation = true;
 /**
 * @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'.
 * This property is effectively only when {@link enableCsrfValidation} is true.
@@ -771,7 +771,10 @@ class Request extends \yii\base\Request
 $this->_cookieValidationKey = $value;
 }
- private $_csrfToken;
+ /**
+ * @var Cookie
+ */
+ private $_csrfCookie;
 /**
 * Returns the random token used to perform CSRF validation.
@@ -781,16 +784,15 @@ class Request extends \yii\base\Request
 */
 public function getCsrfToken()
 {
- if ($this->_csrfToken === null) {
- $cookies = $this->getCookies();
- if (($this->_csrfToken = $cookies->getValue($this->csrfTokenName)) === null) {
- $cookie = $this->createCsrfCookie();
- $this->_csrfToken = $cookie->value;
- $cookies->add($cookie);
+ if ($this->_csrfCookie === null) {
+ $this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName);
+ if ($this->_csrfCookie === null) {
+ $this->_csrfCookie = $this->createCsrfCookie();
+ Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
 }
 }
- return $this->_csrfToken;
+ return $this->_csrfCookie->value;
 }
 /**
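Review bot: The new default `public $enableCsrfValidation = true;` is not matched by any change to the property's docblock, whose `@var` line sits above this hunk; if that line still describes validation as off by default it now contradicts the code, and since this flip means every non-GET request without a token is rejected in existing applications, the documented default matters. Suggested wording for that line: `@var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true.` The visible context line also reads "to generate his hidden input", which looks like a typo for "this", but it is unchanged by the commit. I cannot see the `@var` line itself, so adjust the wording to whatever it currently says.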
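Review bot: The added line `Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);` introduces a reference to the global `Yii` class that the removed code in this hunk did not have; in a namespaced file that only resolves if `use Yii;` (or `\Yii`) is already present in Request.php, which the hunk does not show, so please confirm. The getter now has a side effect — it queues a new cookie on the response when the request carries none — and the method docblock above the hunk ("Returns the random token used to perform CSRF validation.") should say so, e.g. ` * If the request has no CSRF cookie, a new one is created and added to the response cookies so the browser receives it.` The returned `$this->_csrfCookie->value` comes straight from the request cookie collection, so its integrity rests on cookie validation (the `_cookieValidationKey` setter is visible as context in the previous hunk) being enabled; stating that dependency in the same docblock would help operators reason about the protection. The hunk's `@var Cookie` annotation on `$_csrfCookie` assumes `Cookie` resolves in this namespace, which is plausible for `yii\web` but not visible here.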