
Fixed CSRF validation bug.

tags/2.0.0-beta
Qiang Xue 12 years ago
parent
commit
4f555a5751
  1. 5
      framework/yii/web/Controller.php
  2. 11
      framework/yii/web/Request.php

5
framework/yii/web/Controller.php

@ -73,7 +73,10 @@ class Controller extends \yii\base\Controller
public function beforeAction($action)
{
if (parent::beforeAction($action)) {
return !$this->enableCsrfValidation || Yii::$app->getRequest()->validateCsrfToken();
if ($this->enableCsrfValidation && !Yii::$app->getRequest()->validateCsrfToken()) {
throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
}
return true;
} else {
return false;
}
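Review bot: The trailing `} else { return false; }` is redundant once the `if (parent::beforeAction($action))` branch always returns or throws; an early exit `if (!parent::beforeAction($action)) { return false; }` followed by the CSRF check at method level reads more directly and removes one nesting level. It is also worth a docblock line that the check is gated twice: by this controller's `enableCsrfValidation` here, and by the request's own flag inside `validateCsrfToken()`, which (per the Request.php hunk) appears to return true when that flag is off, so a submission is only rejected when both flags are enabled. beforeAction's closing brace lies outside the hunk.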

11
framework/yii/web/Request.php

@ -1023,12 +1023,12 @@ class Request extends \yii\base\Request
* The method will compare the CSRF token obtained from a cookie and from a POST field.
* If they are different, a CSRF attack is detected and a 400 HTTP exception will be raised.
* This method is called in [[Controller::beforeAction()]].
* @throws HttpException if the validation fails
* @return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
*/
public function validateCsrfToken()
{
if (!$this->enableCsrfValidation) {
return;
return true;
}
$method = $this->getMethod();
if ($method === 'POST' || $method === 'PUT' || $method === 'PATCH' || $method === 'DELETE') {
@ -1047,10 +1047,9 @@ class Request extends \yii\base\Request
$token = $this->getDelete($this->csrfVar);
}
$valid = !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
if (!$valid) {
throw new HttpException(400, Yii::t('yii', 'Unable to verify your data submission.'));
}
return !empty($token) && $token === $trueToken || $this->getCsrfTokenFromHeader() === $trueToken;
} else {
return true;
}
}
}
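Review bot: On the new side, `$this->getCsrfTokenFromHeader() === $trueToken` has no non-empty guard, unlike the `!empty($token) &&` branch next to it; `$trueToken` is assigned above this hunk and the header getter is not visible here, but if both can be null or empty for a request without the cookie, a strict comparison of two absent values would pass validation. Guard the header branch the same way and make the `&&`/`||` precedence explicit: `$header = $this->getCsrfTokenFromHeader();` then `return (!empty($token) && $token === $trueToken) || (!empty($header) && $header === $trueToken);`. Separately, assuming the `$valid`/throw lines are the removed side (the hunk counts on this page do not line up with the visible lines), the docblock at the top of the first hunk still says "a 400 HTTP exception will be raised" and carries `@throws HttpException`, which no longer describes a method that returns the comparison result; drop the `@throws` line and reword to `If they are different, this method returns false and the caller is expected to reject the request.`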
