balderdashy / sails

Realtime MVC Framework for Node.js
https://sailsjs.com
MIT License

CSRF is broken in 0.9.7 #1019

Closed kokujin closed 11 years ago

kokujin commented 11 years ago

CSRF is broken in 0.9.7

sgress454 commented 11 years ago

Can you be a bit more detailed about the problem you're seeing?

kokujin commented 11 years ago

POSTing a form with the _csrf parameter causes a 500 error

TypeError: Cannot read property '1' of null
    at Object.isSameOrigin (/home/voltron/sails/starterapp/node_modules/sails/lib/util/index.js:256:70)
    at routes.before./* (/home/voltron/sails/starterapp/node_modules/sails/lib/hooks/csrf/index.js:23:60)
    at _bind.enhancedFn (/home/voltron/sails/starterapp/node_modules/sails/lib/router/bind.js:375:4)
    ... ...

If I remove the _csrf field, the POST works. I set the config to true,

module.exports.csrf = true;

On Tue, Oct 22, 2013 at 9:01 PM, sgress454 notifications@github.com wrote:

> Can you be a bit more detailed about the problem you're seeing?

sgress454 commented 11 years ago

See #986. This is fixed in the master branch on GitHub; hasn't been published to NPM yet.
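The trace in this thread shows the request failing with an uncaught TypeError inside a same-origin helper, which the client sees as a 500. As an added example (not Sails' code and not the fix referenced in #986), here is one way to write an origin check and CSRF token comparison that return a decision instead of throwing on a missing or malformed header. The function names, the `csrfStatus` wrapper, the app origin and the sample requests are all assumptions constructed for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Normalise a URL or Origin header value to "scheme://host[:port]".
// Returns null instead of throwing when the value is missing or unparsable.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin; // lower-cased host, default port dropped
  } catch (err) {
    return null; // e.g. "null", "example.test", random bytes
  }
}

// true/false when an Origin header is present, null when there is none.
// A header that is present but unparsable counts as cross-origin (fail closed).
function isSameOrigin(headers, appOrigin) {
  if (headers.origin === undefined) return null;
  const actual = parseOrigin(headers.origin);
  return actual !== null && actual === parseOrigin(appOrigin);
}

// Constant-time token comparison; a non-string or length mismatch is a miss.
function tokensMatch(sent, expected) {
  if (typeof sent !== 'string' || typeof expected !== 'string') return false;
  const a = Buffer.from(sent);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Status for a state-changing request: 200 to continue, 403 to reject.
function csrfStatus(req, sessionToken, appOrigin) {
  if (isSameOrigin(req.headers, appOrigin) === false) return 403;
  return tokensMatch(req.body._csrf, sessionToken) ? 200 : 403;
}

// Constructed sample requests (not taken from the issue).
const APP = 'http://localhost:1337';
const TOKEN = 'constructed-token-value';
const samples = [
  { headers: { origin: 'http://localhost:1337' }, body: { _csrf: TOKEN } },
  { headers: {}, body: { _csrf: TOKEN } },
  { headers: { origin: 'null' }, body: { _csrf: TOKEN } },
  { headers: { origin: 'http://other.example' }, body: { _csrf: TOKEN } },
  { headers: { origin: 'http://localhost:1337' }, body: {} },
];
const results = samples.map((r) => csrfStatus(r, TOKEN, APP));
```

In this sketch a request without an Origin header is decided by the token alone, while a present but unparsable header is rejected with 403 rather than surfacing as a server error.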