Fix issue #1715

1 parent 05b3877 commit 8f8436080ed60dbd680f2792d475bbed944df78c @narfbg narfbg committed Oct 8, 2012
Showing with 5 additions and 4 deletions.
  1. +4 −4 system/core/Input.php
  2. +1 −0 user_guide/changelog.html
@@ -641,8 +641,8 @@ function _sanitize_globals()
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
- // CSRF Protection check
- if ($this->_enable_csrf == TRUE)
+ // CSRF Protection check on HTTP requests
+ if ($this->_enable_csrf == TRUE && $this->is_cli_request())

it-can Oct 8, 2012

Contributor

should this not be: ! $this->is_cli_request() ?


narfbg Oct 8, 2012

Contributor

Right ... better go get some coffee. :)
Thanks about this one, committed the fix.

{
$this->security->csrf_verify();
}
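Review bot: the condition on the added line `if ($this->_enable_csrf == TRUE && $this->is_cli_request())` is inverted. As written, csrf_verify() runs only when the request comes from the command line and is skipped for every HTTP request, so CSRF verification does not happen for web traffic even when _enable_csrf is TRUE, which contradicts the new comment "CSRF Protection check on HTTP requests". The call should be negated: `if ($this->_enable_csrf == TRUE && ! $this->is_cli_request())`, as raised in the inline comment on this line.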
@@ -836,11 +836,11 @@ public function is_ajax_request()
*
* Test to see if a request was made from the command line
*
- * @return boolean
+ * @return bool
*/
public function is_cli_request()
{
- return (php_sapi_name() == 'cli') or defined('STDIN');
+ return (php_sapi_name() === 'cli' OR defined('STDIN'));
}
}
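Review bot: the docblock of is_cli_request() still says only "Test to see if a request was made from the command line" and does not explain the `defined('STDIN')` arm of the return expression. With this commit the return value decides whether csrf_verify() runs in _sanitize_globals(), so the comment should state when STDIN is defined and why that case is treated as a CLI request, since a TRUE result on a web request would skip the CSRF check. The change from == to === and the moved parenthesis look fine.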
@@ -70,6 +70,7 @@
<li>Fixed a bug (#907) - <a href="libraries/input.html">Input Library</a> ignored HTTP_X_CLUSTER_CLIENT_IP and HTTP_X_CLIENT_IP headers when checking for proxies.</li>
<li>Fixed a bug (#940) - <samp>csrf_verify()</samp> used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid.</li>
<li>Fixed a bug in the <a href="libraries/security.html">Security Library</a> where a CSRF cookie was created even if <samp>$config['csrf_protection']</samp> is set tot FALSE.</li>
+ <li>Fixed a bug (#1715) - <a href="libraries/input.html">Input Library</a> triggered <samp>csrf_verify()</samp> on CLI requests.</li>
</ul>
<h2>Version 2.1.2</h2>

3 comments on commit 8f84360

Contributor

it-can replied Oct 8, 2012

Uuhm, the commit is not showing up when I fetch it... ?

Contributor

narfbg replied Oct 8, 2012

The commit is on 2.1-stable, you're most likely fetching from develop where it will be manually applied later.

Contributor

it-can replied Oct 8, 2012

oooooww... you're right...
