Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for issue #149: CSRF protection URI whitelisting #236

Merged
merged 5 commits into from
Aug 25, 2011
Merged

Fix for issue #149: CSRF protection URI whitelisting #236

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
95311be
Renamed some Session library functions to make them shorter. Includes…
alexbilbie Aug 20, 2011
a1a8ef7
Revert 43194ea1af658914a89ca49aed4dca4617b9c4ff^..HEAD
alexbilbie Aug 21, 2011
aeb2c3e
Added new config parameter "csrf_exclude_uris" which allows for URIs …
alexbilbie Aug 21, 2011
87c74c8
Updated Security library documentation with details on how to whiteli…
alexbilbie Aug 21, 2011
6a93995
Added note in changelog
alexbilbie Aug 24, 2011
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions application/config/config.php
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -292,11 +292,13 @@
| 'csrf_token_name' = The token name | 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name | 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire. | 'csrf_expire' = The number in seconds the token should expire.
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
*/ */
$config['csrf_protection'] = FALSE; $config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name'; $config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name'; $config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200; $config['csrf_expire'] = 7200;
$config['csrf_exclude_uris'] = array();


/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
Expand Down
12 changes: 11 additions & 1 deletion system/core/Security.php
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -93,6 +93,16 @@ public function csrf_verify()
{ {
return $this->csrf_set_cookie(); return $this->csrf_set_cookie();
} }

// Check if URI has been whitelisted from CSRF checks
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
$uri = load_class('URI', 'core');
if (in_array($uri->uri_string(), $exclude_uris))
{
return $this;
}
}


// Do the tokens exist in both the _POST and _COOKIE arrays? // Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name]) OR if ( ! isset($_POST[$this->_csrf_token_name]) OR
Expand All @@ -116,7 +126,7 @@ public function csrf_verify()
$this->_csrf_set_hash(); $this->_csrf_set_hash();
$this->csrf_set_cookie(); $this->csrf_set_cookie();


log_message('debug', "CSRF token verified "); log_message('debug', "CSRF token verified");


return $this; return $this;
} }
Expand Down
1 change: 1 addition & 0 deletions user_guide/changelog.html
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ <h2>Version 2.0.3</h2>
<li>Visual updates to the welcome_message view file and default error templates. Thanks to <a href="https://bitbucket.org/danijelb">danijelb</a> for the pull request.</li> <li>Visual updates to the welcome_message view file and default error templates. Thanks to <a href="https://bitbucket.org/danijelb">danijelb</a> for the pull request.</li>
<li class="reactor">Added <samp>insert_batch()</samp> function to the PostgreSQL database driver. Thanks to epallerols for the patch.</li> <li class="reactor">Added <samp>insert_batch()</samp> function to the PostgreSQL database driver. Thanks to epallerols for the patch.</li>
<li class="reactor">Added "application/x-csv" to mimes.php.</li> <li class="reactor">Added "application/x-csv" to mimes.php.</li>
<li class="reactor">Added CSRF protection URI whitelisting.</li>
<li>Fixed a bug where <a href="libraries/email.html">Email library</a> attachments with a "." in the name would using invalid MIME-types.</li> <li>Fixed a bug where <a href="libraries/email.html">Email library</a> attachments with a "." in the name would using invalid MIME-types.</li>
</ul> </ul>
</li> </li>
Expand Down
3 changes: 3 additions & 0 deletions user_guide/libraries/security.html
View file
Open in desktop
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -116,6 +116,9 @@ <h2>Cross-site request forgery (CSRF)</h2>


<p>If you use the <a href="../helpers/form_helper.html">form helper</a> the <var>form_open()</var> function will automatically insert a hidden csrf field in your forms.</p> <p>If you use the <a href="../helpers/form_helper.html">form helper</a> the <var>form_open()</var> function will automatically insert a hidden csrf field in your forms.</p>


<p>Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:</p>
<code>$config['csrf_exclude_uris'] = array('api/person/add');</code>

</div> </div>
<!-- END CONTENT --> <!-- END CONTENT -->


Expand Down