codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: Filters methods Property Overrides globals Property #8115

Closed donpwinston closed 1 year ago

donpwinston commented 1 year ago

PHP Version

8.1

CodeIgniter4 Version

4.4.3

CodeIgniter4 Installation Method

Composer (using codeigniter4/appstarter)

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

No response

What happened?

When I configure the csrf filter in app/Config/Filters.php like this:

$globals = [
    'before' => [
        'csrf' => ['except' => ['receive-pdf', 'receive_pdf']],
        'host',
    ],
    ...
];

$methods = [
    'post' => ['csrf'],
];

The $methods property seems to override the globals property for csrf. The "except" specification no longer works.

Steps to Reproduce

Specify an 'except' URL in the globals property for the csrf filter. Also set the methods property to limit the csrf filter to 'post'.

Expected Output

The post to the except url should not require a csrf token.

Anything else?

No response

donpwinston commented 1 year ago

Not sure why csrf would be used in a "get" request to begin with.

kenjis commented 1 year ago

To use auto-generation of the CSRF field, you need to turn the CSRF filter on for the form page. In most cases it is requested using the GET method. https://codeigniter4.github.io/CodeIgniter4/libraries/security.html#html-forms

kenjis commented 1 year ago

The post to the except url should not require a csrf token.

Why do you think so? It is not implemented that way.

Globals and methods are separate filters. The 'except' in globals excepts only the globals filters.

You specify the csrf filter for all POST requests, so the csrf filter blocks the request.

kenjis commented 1 year ago

This is not a bug but a misunderstanding of filter behavior.
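The behaviour kenjis describes, as an added example that is not CodeIgniter's own code: a deliberately simplified model of how the $globals and $methods properties of app/Config/Filters.php are resolved, showing that the 'except' list belongs to $globals alone and that a filter also listed in $methods is re-applied regardless. It assumes plain string matching of the URI against 'except' (CodeIgniter's real matching is pattern-based), which does not change the outcome shown.

```php
<?php
// Added example (not CodeIgniter's own code): a simplified model of the
// filter resolution in app/Config/Filters.php, enough to show why an
// 'except' entry in $globals has no effect on an alias listed in $methods.
// Assumption: 'except' matching is plain equality on the URI path.

function resolveBeforeFilters(array $globals, array $methods, string $httpMethod, string $uri): array
{
    $applied = [];

    // 1. Globals: every alias runs unless the URI is in that alias's 'except' list.
    foreach ($globals['before'] ?? [] as $key => $value) {
        if (is_int($key)) {                 // plain alias such as 'host'
            $applied[] = $value;
            continue;
        }
        $except = $value['except'] ?? [];   // alias => ['except' => [...]]
        if (! in_array($uri, $except, true)) {
            $applied[] = $key;
        }
    }

    // 2. Methods: aliases for the matching HTTP verb are added unconditionally.
    //    There is no 'except' here, so the globals exceptions are never consulted.
    foreach ($methods[strtolower($httpMethod)] ?? [] as $alias) {
        $applied[] = $alias;
    }

    return array_values(array_unique($applied));
}

// The configuration from the report: csrf in $globals with an exception,
// and csrf listed again in $methods for POST.
$globals = [
    'before' => [
        'csrf' => ['except' => ['receive-pdf', 'receive_pdf']],
        'host',
    ],
];
$methods = ['post' => ['csrf']];

// POST /receive-pdf: the globals exception drops csrf, then $methods adds it back.
var_dump(resolveBeforeFilters($globals, $methods, 'POST', 'receive-pdf'));

// Same $globals with csrf removed from $methods: the exception now takes effect
// on POST /receive-pdf, while csrf still runs on the GET form page, as kenjis notes.
var_dump(resolveBeforeFilters($globals, [], 'POST', 'receive-pdf'));
var_dump(resolveBeforeFilters($globals, [], 'GET', 'contact-form'));
```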