Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 33b15b6888
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if ($request->isMethod('GET') || $request->isMethod('HEAD') || $request->isMethod('OPTIONS')) { | ||
| return null; |
There was a problem hiding this comment.
When an uninstalled instance is reachable over the network, this now allows any remote client through the installer because GET/HEAD/OPTIONS return immediately and the removed local/setup-token check no longer runs. CSRF does not replace that guard here: a remote user can first load /install and receive the installer page with its CSRF token, then submit the setup forms. This regresses the previous restriction to local requests or FLUTE_INSTALLER_SETUP_TOKEN-authorized sessions.
Useful? React with 👍 / 👎.
1 participant
No description provided.