
Fixed CSRF token check bypassing in Request::getMethod()

tags/2.0.16
SilverFire - Dmitry Naumenko 6 years ago
parent commit 1e13bfd13d
No known key found for this signature in database
GPG Key ID: 39DD917A92B270A
  1. framework/CHANGELOG.md (2 lines changed)
  2. framework/web/Request.php (7 lines changed)
  3. tests/framework/web/RequestTest.php (17 lines changed)

framework/CHANGELOG.md (2 lines changed)

@ -86,6 +86,8 @@ Yii Framework 2 Change Log
- Bug #16828: `yii\console\controllers\MessageController::translator` recognized object' methods and functions calls as identical sets of tokens (erickskrauch)
- Bug #16858: Allow `\yii\console\widgets\Table` to render empty table when headers provided but no columns (damiandziaduch)
- Bug #16897: Fixed `yii\db\sqlite\Schema` missing primary key constraint detection in case of `INTEGER PRIMARY KEY` (bizley)
- Bug: (CVE-2018-14578): Fixed CSRF token check bypassing in `\yii\web\Request::getMethod()` (silverfire)
2.0.15.1 March 21, 2018
-----------------------
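Review bot: the added entry reads `- Bug: (CVE-2018-14578): Fixed ...`, while every sibling entry in this context uses the `- Bug #NNNN: ...` form; drop the first colon so it reads `- Bug (CVE-2018-14578): Fixed CSRF token check bypassing in ...`. It would also help readers of the changelog to say in one clause which request shape was affected, since the Request.php hunk shows the concrete condition (a method override from a write method down to GET, HEAD or OPTIONS) but the entry only says "bypassing".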

framework/web/Request.php (7 lines changed)

@ -371,7 +371,12 @@ class Request extends \yii\base\Request
*/
public function getMethod()
{
if (isset($_POST[$this->methodParam])) {
if (
isset($_POST[$this->methodParam])
// Never allow to downgrade request from WRITE methods (POST, PATCH, DELETE, etc)
// to read methods (GET, HEAD, OPTIONS) for security reasons.
&& !in_array(strtoupper($_POST[$this->methodParam]), ['GET', 'HEAD', 'OPTIONS'], true)
) {
return strtoupper($_POST[$this->methodParam]);
}
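Review bot: `strtoupper($_POST[$this->methodParam])` is evaluated twice, once in the `in_array` guard and again in the `return`; assign it once, e.g. `$method = strtoupper($_POST[$this->methodParam]);`, then test and return `$method`. The safe-method list `['GET', 'HEAD', 'OPTIONS']` is duplicated between the code and the comment above it; a named constant or property would keep the two in sync and give the test one source to reference. The trailing context ends inside `getMethod()`, so the path taken when the override is rejected is not visible here: please confirm that a rejected override falls back to the server-reported request method rather than any overridden value, and that any other override source handled later in this method is subject to the same downgrade rule. Minor wording: "Never allow to downgrade request" reads better as "Never allow downgrading a request".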

tests/framework/web/RequestTest.php (17 lines changed)

@ -724,4 +724,21 @@ class RequestTest extends TestCase
$this->assertSame(null, $request->getBodyParam('unexisting'));
$this->assertSame('default', $request->getBodyParam('unexisting', 'default'));
}
/**
* @testWith ["POST", "GET", "POST"]
* ["POST", "OPTIONS", "POST"]
* ["POST", "HEAD", "POST"]
* ["POST", "DELETE", "DELETE"]
* ["POST", "CUSTOM", "CUSTOM"]
*/
public function testRequestMethodCanNotBeDowngraded($requestMethod, $requestOverrideMethod, $expectedMethod)
{
$request = new Request();
$_SERVER['REQUEST_METHOD'] = $requestMethod;
$_POST[$request->methodParam] = $requestOverrideMethod;
$this->assertSame($expectedMethod, $request->getMethod());
}
}
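Review bot: the new test assigns `$_SERVER['REQUEST_METHOD']` and `$_POST[$request->methodParam]` and never restores them, so the override value leaks into every later test in this class that constructs a `Request`; unset both at the end of the method or in `tearDown()`. The data set covers the three blocked targets and two allowed ones, but not the case normalisation the guard relies on (`strtoupper`), so add a lowercase row such as `["POST", "get", "POST"]`; a separate assertion with no override parameter set at all would also pin the fall-through to `REQUEST_METHOD`, which this hunk does not exercise.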
