codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

[Helper] form_open() not insert csrf field #7822

Closed neznaika0 closed 1 year ago

neznaika0 commented 1 year ago

PHP Version

8.2

CodeIgniter4 Version

4.3.7

CodeIgniter4 Installation Method

Composer (using codeigniter4/appstarter)

Which operating systems have you tested for this bug?

Linux

Which server did you use?

cli-server (PHP built-in webserver)

Database

No response

What happened?

See https://forum.codeigniter.com/showthread.php?tid=88247&pid=411790#pid411790. If in app/Config/Filters.php "csrf" has an empty "except" array, the CSRF field is not written in the HTML. If "except" is filled, all works.

Steps to Reproduce

Set "csrf" => ["except" => []], insert form_open() in a template and view the source code. The csrf field is not inserted.

Expected Output

Insert the token if except is an empty array.

Anything else?

No response

kenjis commented 1 year ago

What's wrong with it? What do you mean by ["except" => []]? Why do you need to put an empty array?

neznaika0 commented 1 year ago

Because it happened by accident. I'm commenting out the values in except and not the whole array.

kenjis commented 1 year ago

This may be difficult to imagine, but ['except' => []] or ['except' => ''] means "except all". You can check filters with php spark routes. Do you think the behavior is not good for security?

form_open() is no problem. It just checks if CSRF filter is applied or not.
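To make the point above concrete, here is an added example (not code from this issue or from the framework) of the two app/Config/Filters.php shapes under discussion; the class skeleton and the 'api/*' exception are assumptions made for illustration.

```php
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

class Filters extends BaseConfig
{
    // Alias so that 'csrf' in $globals resolves to the CSRF filter class.
    public array $aliases = [
        'csrf' => CSRF::class,
    ];

    // Accidental form reported in the issue: every entry inside 'except' was
    // commented out but the key itself was left in place. On 4.3.7 an empty
    // 'except' is read as "except all", so the CSRF filter runs on no route and
    // form_open(), which only checks whether the filter applies, emits no token.
    //
    //     'before' => [
    //         'csrf' => ['except' => [
    //             // 'api/*',
    //         ]],
    //     ],

    // Safe forms: either list real exceptions, or drop the 'except' key entirely
    // so the filter applies to every route. Both leave the token field in the
    // HTML that form_open() renders.
    public array $globals = [
        'before' => [
            // 'csrf' => ['except' => ['api/*']],   // assumed exception list
            'csrf',                                 // apply to all routes
        ],
        'after' => [],
    ];
}
```

Run `php spark routes` after editing and confirm that csrf appears in the filters column for every route you expect to be protected.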

neznaika0 commented 1 year ago

Do you think the behavior is not good for security?

Perhaps. I turned off the protection on the whole project like that) I left home; I'll look at the console in a few days. In my opinion, it is better to delete empty except values. When it is [] or '' it should mean "apply filter to all without exceptions".

kenjis commented 1 year ago

I certainly don't know why it is behaving that way, but perhaps it has been that way from the beginning.

Maybe it is a dangerous behavior that developers do not expect. It may be better to fix it as a bug.

kenjis commented 1 year ago

Ah, I got why it is that way. It must be a bug in except.

neznaika0 commented 1 year ago

Great. Just try to understand the phrase "Apply filter X to all routes, but exclude all routes". It looks stupid.

kenjis commented 1 year ago

I sent PR #7823 to fix the behavior of Controller Filters.

form_open() is no problem. So I close this issue.