
Return 403 instead of 500 if no CSRF token given #3134

Merged
merged 2 commits into from

2 participants

@kdazzle

Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid.

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

@kdazzle kdazzle Return 403 instead of 500 if no CSRF token given
05fcc09
@narfbg
Owner

Makes sense. Could you add a changelog entry for this and remove the empty line at EOF?

@kdazzle

@narfbg Thanks for the response! I removed that line and stuck an entry under the Security section of the changelog.

@narfbg narfbg merged commit 466af6c into from
@kdazzle kdazzle deleted the branch
Commits on Jul 6, 2014
  1. @kdazzle

    Return 403 instead of 500 if no CSRF token given

    kdazzle authored
Commits on Jul 13, 2014
  1. @kdazzle
2  system/core/Security.php
@@ -275,7 +275,7 @@ public function csrf_set_cookie()
*/
public function csrf_show_error()
{
- show_error('The action you have requested is not allowed.');
+ show_error('The action you have requested is not allowed.', 403);
}
// --------------------------------------------------------------------
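Review bot: the docblock above csrf_show_error() (only its closing `*/` is visible in the hunk context) should be updated to say that the error page is now sent with a 403 status, so anyone overriding this method in a subclass keeps the same contract. The change itself is right: a request that arrives without the token is a client-side condition, not a server failure, and reporting it as 403 also keeps these rejections out of 5xx error-rate monitoring.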
1  user_guide_src/source/changelog.rst
@@ -506,6 +506,7 @@ Release Date: Not Released
- Added ``$config['csrf_regeneration']``, which makes token regeneration optional.
- Added ``$config['csrf_exclude_uris']``, which allows you list URIs which will not have the CSRF validation methods run.
- Modified method ``sanitize_filename()`` to read a public ``$filename_bad_chars`` property for getting the invalid characters list.
+ - Return status code of 403 instead of a 500 if CSRF protection is enabled but a token is missing from a request.
- :doc:`Language Library <libraries/language>` changes include:
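Review bot: the new entry does not follow the past-tense verb style of its neighbours ("Added ...", "Modified ..."); consider rewording it as `- Changed ``csrf_show_error()`` to return a 403 status code instead of 500 when CSRF protection is enabled but a token is missing from the request.` so the list reads consistently and names the method that changed.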