
csrf_verify not work on empty $_POST #940

Closed
harryxu opened this issue Jan 19, 2012 · 2 comments

Comments

@harryxu

harryxu commented Jan 19, 2012

If I post a page without any form data, like post admin/user/delete/1, the csrf_verify will not work and the user will be deleted.

Maybe this line should change to:

```php
if ($_SERVER['REQUEST_METHOD'] == 'GET' && !isset($_COOKIE[$this->_csrf_cookie_name]))
```
@it-can
Contributor

it-can commented Mar 7, 2012

How do you do an empty post? If CSRF is enabled then it adds a hidden input field to your form, which should be posted...

@harryxu
Author

harryxu commented Mar 8, 2012

If I'm an attacker, I will write a simple HTML form page without any input field and set the form action to http://site.com/admin/user/delete/1.

Then I put the HTML on my server and send the URL to the site admin. If the site admin opens my URL and clicks the submit button, the CSRF check will not work and the user deletion will be performed.

If I put some JS on the page to make the form submit automatically, then when the site admin opens the URL they do not even need to click the submit button.
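The bypass described in this thread, as an added example that is not CodeIgniter's own code and not code posted by anyone in the thread. It models a `csrf_verify()` that short-circuits when `$_POST` is empty (an assumed reconstruction of the behaviour the report describes, since the original line is not shown here) next to a version keyed on the request method alone, and runs both against the attacker's request: a cross-site POST with zero form fields, to which the admin's browser attaches the CSRF cookie automatically. The `Request` class, the function names and the cookie/field names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's own code. Models the two shapes of
// csrf_verify() discussed in issue #940 and runs both against the request the
// report describes. The Request class, function names and cookie/field names
// are assumptions made for this example. Requires PHP 8.0+.

final class Request
{
    public function __construct(
        public string $method,   // stands in for $_SERVER['REQUEST_METHOD']
        public array $post,      // stands in for $_POST
        public array $cookie     // stands in for $_COOKIE
    ) {
    }
}

const CSRF_COOKIE = 'ci_csrf_token';   // assumed cookie name
const CSRF_FIELD  = 'csrf_test_name';  // assumed hidden form field name

// Shared token check: the hidden field must be present and equal the cookie.
// hash_equals() compares in constant time, so a mismatch does not leak token bytes.
function tokens_match(Request $r): bool
{
    if (!isset($r->post[CSRF_FIELD], $r->cookie[CSRF_COOKIE])) {
        return false;
    }
    return hash_equals((string) $r->cookie[CSRF_COOKIE], (string) $r->post[CSRF_FIELD]);
}

// Vulnerable shape (assumed reconstruction of the reported behaviour): an empty
// $_POST is taken to mean "no form was submitted", so the token is never checked.
// A cross-site POST with zero fields therefore passes.
function verify_csrf_vulnerable(Request $r): bool
{
    if (count($r->post) === 0) {
        return true;   // nothing to verify, request allowed
    }
    return tokens_match($r);
}

// Hardened shape: decide on the request method, not on the body. Only non-POST
// requests skip the check; every POST must carry a valid token, however many
// fields it has.
function verify_csrf_fixed(Request $r): bool
{
    if ($r->method !== 'POST') {
        return true;   // GET/HEAD: nothing to verify; the cookie can be (re)set here
    }
    return tokens_match($r);
}

// Runs both verifiers over constructed requests and returns the outcomes.
function run_demo(): array
{
    $token = bin2hex(random_bytes(16));

    $cases = [
        // The attacker's page: <form method="post" action="http://site.com/admin/user/delete/1">
        // with no input fields. The admin's browser attaches the CSRF cookie on its own.
        'empty_cross_site_post' => new Request('POST', [], [CSRF_COOKIE => $token]),
        // A legitimate submission of the site's own form, hidden field included.
        'legit_post'            => new Request('POST', [CSRF_FIELD => $token], [CSRF_COOKIE => $token]),
        // A forged submission that guesses the token wrong.
        'wrong_token_post'      => new Request('POST', [CSRF_FIELD => 'guess'], [CSRF_COOKIE => $token]),
        // A plain GET, e.g. the first visit that sets the cookie.
        'get'                   => new Request('GET', [], []),
    ];

    $out = [];
    foreach ($cases as $name => $req) {
        $out[$name] = [
            'vulnerable' => verify_csrf_vulnerable($req),
            'fixed'      => verify_csrf_fixed($req),
        ];
    }
    return $out;
}

foreach (run_demo() as $name => $res) {
    printf(
        "%-22s vulnerable=%-8s fixed=%s\n",
        $name,
        $res['vulnerable'] ? 'ALLOWED' : 'REJECTED',
        $res['fixed'] ? 'ALLOWED' : 'REJECTED'
    );
}
```

Run it with `php csrf_demo.php`: the `empty_cross_site_post` case is ALLOWED by the vulnerable check and REJECTED by the fixed one, while the legitimate submission passes both and the wrong-token submission fails both. Two caveats for anyone applying the same fix: the method-based check is the example's choice, not a statement of what the project committed; and it only helps if state-changing actions are reachable over POST alone, since a delete endpoint that also responds to GET is never covered by a POST-only token check.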

narfbg added a commit that referenced this issue Mar 8, 2012
narfbg closed this as completed Mar 8, 2012