codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

CSRF Filter redirect back not working #2395

Closed crustamet closed 5 years ago

crustamet commented 5 years ago

I'm asking about this because I am not sure if it is a bug, or if I am doing something wrong with the CSRF setup or missing something.

I have this setup:

    public $CSRFRegenerate = true;
    public $CSRFRedirect = true;

I have enabled the csrf filter so that it runs in the global before filters.

I have created these routes:


    $routes->group('contact', ['namespace' => 'App\Controllers'], function($routes)
    {
        $routes->get('/', 'Front/Contact::index');
        $routes->post('add_contact', 'Front/Contact::contact');
    });

I have created this controller Contact with the methods index() and contact():


    public function contact()
    {
        // Debug only: dump the POST data and stop; the echo below never runs.
        print_r($this->request->getPost());die();

        echo 'noice';exit;
    }

I have the project inside a folder named projects: /projects/ci4 is the CodeIgniter 4 project,

and the index page is /projects/ci4index, with .htaccess.

So far everything works perfectly; I intended this error to happen to see what it does.

I DID NOT put the CSRF token inside the form, to let CodeIgniter REDIRECT BACK. But when this happens with this code from the CSRF filter:

    // Excerpt from the CSRF filter's before() method; $request is the
    // incoming request handed to the filter.
    $security = Services::security();

    try
    {
        $security->CSRFVerify($request);
    }
    catch (SecurityException $e)
    {
        // On a failed token check, redirect back to the previous URL
        // remembered in the session, unless this is an AJAX request.
        if (config('App')->CSRFRedirect && ! $request->isAJAX())
        {
            return redirect()->back()->with('error', $e->getMessage());
        }

        throw $e;
    }

The problem here is that I get redirected back to a nonexistent page. From URL: projects.domain/ci4index/contact. To URL: projects.domain/contact.

I think it should go back to projects.domain/ci4index/contact here, right?

This is a problem, right?

crustamet commented 5 years ago

I found the problem: for some reason the value of `$_SESSION['_ci_previous_url']` is projects.domain/contact.

Where is this variable set in the project? oO

lonnieezell commented 5 years ago

This is a known bug with the url helper methods when serving the site in a sub-folder. It's being worked on but one of the cases gets a bit tricky and I'm trying to track it down.

So - yes, it's a bug. But not with CSRF, it's with the base_url() and/or site_url() helpers and how IncomingRequest interprets the original URI when in a sub-folder.

crustamet commented 5 years ago

OK, after you close this, man, please tell me: in this file https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/HTTP/IncomingRequest.php#L719

what exactly is `$parts = parse_url('http://dummy' . $_SERVER['REQUEST_URI']);` meant to do?

Because of this I was digging in, and I found this problem; maybe it is related, and this issue could be solved through this line?

I was just thinking, and really I have nothing to explain this. What is the reason behind the http dummy? xD
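To illustrate both crustamet's question about the `'http://dummy'` prefix and lonnieezell's point that the sub-folder is what trips up the URL handling, here is an added, stand-alone PHP example. It is not CodeIgniter's code: the function names, the `SCRIPT_NAME`-based sub-folder stripping and the constructed `$_SERVER`-style values are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not CodeIgniter's own code). It shows what prefixing a fixed
// scheme and host buys when parsing $_SERVER['REQUEST_URI'], and why a
// sub-folder install must have the front controller's directory stripped
// before the path is matched against routes or remembered as the previous URL.

/**
 * Split a REQUEST_URI into path and query.
 * REQUEST_URI carries no scheme or host, so a request for "//evil.example/x"
 * would be read by parse_url() as an authority (host "evil.example").
 * Prefixing "http://dummy" pins the host and forces the rest into the path.
 */
function splitRequestUri(string $requestUri): array
{
    $parts = parse_url('http://dummy' . $requestUri);
    if ($parts === false) {
        // Seriously malformed input: treat it as a request for the root.
        return ['path' => '/', 'query' => ''];
    }

    return [
        'path'  => $parts['path'] ?? '/',
        'query' => $parts['query'] ?? '',
    ];
}

/**
 * Remove the sub-folder the front controller lives in (taken from SCRIPT_NAME,
 * an assumption of this example) so the remainder is relative to the app,
 * e.g. "/ci4index/contact" with SCRIPT_NAME "/ci4index/index.php" -> "contact".
 */
function appRelativePath(string $path, string $scriptName): string
{
    $dir = rtrim(str_replace('\\', '/', dirname($scriptName)), '/');

    if ($dir !== '' && strncmp($path, $dir . '/', strlen($dir) + 1) === 0) {
        $path = substr($path, strlen($dir));
    } elseif ($dir !== '' && $path === $dir) {
        $path = '/';
    }

    return trim($path, '/');
}

/**
 * Build the absolute URL to remember as the "previous URL". Keeping the
 * sub-folder inside $baseUrl is what makes a later redirect back land on
 * projects.domain/ci4index/contact instead of projects.domain/contact.
 */
function currentUrl(string $baseUrl, string $relativePath, string $query): string
{
    $url = rtrim($baseUrl, '/') . '/' . $relativePath;

    return $query === '' ? $url : $url . '?' . $query;
}

// Constructed server values for the layouts discussed in the issue.
$cases = [
    'root install'       => ['REQUEST_URI' => '/contact?from=menu',      'SCRIPT_NAME' => '/index.php',          'BASE' => 'http://projects.domain/'],
    'sub-folder install' => ['REQUEST_URI' => '/ci4index/contact',       'SCRIPT_NAME' => '/ci4index/index.php', 'BASE' => 'http://projects.domain/ci4index/'],
    'host-like path'     => ['REQUEST_URI' => '//evil.example/contact',  'SCRIPT_NAME' => '/index.php',          'BASE' => 'http://projects.domain/'],
];

foreach ($cases as $label => $s) {
    ['path' => $path, 'query' => $query] = splitRequestUri($s['REQUEST_URI']);
    $rel = appRelativePath($path, $s['SCRIPT_NAME']);

    printf(
        "%-19s path=%-24s relative=%-22s previous=%s\n",
        $label,
        $path,
        $rel,
        currentUrl($s['BASE'], $rel, $query)
    );
}

// For comparison: the same host-like path parsed without the dummy prefix.
var_dump(parse_url('//evil.example/contact'));
```

Run it with `php example.php`. The sub-folder case keeps `ci4index` in the remembered URL only because the base URL includes it and the relative path was computed after stripping the script directory; drop either step and you reproduce the `projects.domain/contact` target from the issue. The final `var_dump` is the reason for the dummy prefix: without a scheme, `parse_url()` reads a leading `//` as an authority and reports `evil.example` as the host, which is not what you want feeding a redirect.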