codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: TypeError in form_open('') function #8729

Closed bananacoffee closed 5 months ago

bananacoffee commented 5 months ago

PHP Version

8.2

CodeIgniter4 Version

4.5.0

CodeIgniter4 Installation Method

Composer (as dependency to an existing project)

Which operating systems have you tested for this bug?

Windows

Which server did you use?

cli

Database

MariaDB 10.4

What happened?

When the CSRF filter is on, I encountered a TypeError when using form_open(''). The error message is as follows:

TypeError
str_contains(): Argument #1 ($haystack) must be of type string, CodeIgniter\HTTP\SiteURI given
SYSTEMPATH\Helpers\form_helper.php at line 65

58         }
59 
60         $form = '<form action="' . $action . '"' . $attributes . ">\n";
61 
62         // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
63         $before = service('filters')->getFilters()['before'];
64 
65         if ((in_array('csrf', $before, true) || array_key_exists('csrf', $before)) && str_contains($action, base_url()) && ! stripos($form, 'method="get"')) {
66             $form .= csrf_field($csrfId ?? null);
67         }
68 
69         foreach ($hidden as $name => $value) {
70             $form .= form_hidden($name, $value);
71         }
72 

Debug

// vendor\codeigniter4\framework\system\Helpers\form_helper.php line 65

var_dump(in_array('csrf', $before, true));       // true
var_dump(array_key_exists('csrf', $before));  // false
var_dump(str_contains($action, base_url()));  // error

if ((in_array('csrf', $before, true) || array_key_exists('csrf', $before)) && str_contains($action, base_url()) && !stripos($form, 'method="get"')) {
  $form .= csrf_field($csrfId ?? null);
}

Steps to Reproduce

  1. Upgrade CodeIgniter to 4.5.0 from 4.4.7.
  2. Use the form_open('') function in View.

Expected Output

<form action="current_url" method="post">

Anything else?

This issue did not occur when using CodeIgniter version 4.4.7. Any help on this issue would be greatly appreciated.

datamweb commented 5 months ago

I could not reproduce.

kenjis commented 5 months ago

Cannot reproduce.

bananacoffee commented 5 months ago

@datamweb @kenjis

I was able to confirm the reproducibility. An error occurs when using the CSRF filter.

// app\Config\Filters.php line 70
    public array $globals = [
        'before' => [
            // 'honeypot',
            'csrf',
            // 'invalidchars',
        ],
        'after' => [
            'toolbar',
            // 'honeypot',
            // 'secureheaders',
        ],
    ];

Debug

// vendor\codeigniter4\framework\system\Helpers\form_helper.php line 65

var_dump(in_array('csrf', $before, true));       // true
var_dump(array_key_exists('csrf', $before));  // false
var_dump(str_contains($action, base_url()));  // error

if ((in_array('csrf', $before, true) || array_key_exists('csrf', $before)) && str_contains($action, base_url()) && !stripos($form, 'method="get"')) {
  $form .= csrf_field($csrfId ?? null);
}

bananacoffee commented 5 months ago

It works when I change it to:

str_contains((string)$action, base_url())

kenjis commented 5 months ago

Check #8736

bananacoffee commented 5 months ago

Resolved! Thank you.

kenjis commented 5 months ago

No, not yet merged. This issue will be closed automatically when merged.
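
The failure reported in this thread and the cast that works around it, as an added example that is not part of the thread or of CodeIgniter's code. It shows why the uncast call throws and how the same-site and non-GET checks decide whether the CSRF field is emitted. Assumptions: `DemoUri`, `DEMO_BASE_URL` and `demo_needs_csrf_field()` are hypothetical stand-ins for `SiteURI`, `base_url()` and the condition on line 65, and strict typing is assumed to be in effect, which is consistent with the reported error.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for CodeIgniter\HTTP\SiteURI: an object that can be
// cast to a string but is not itself a string.
final class DemoUri implements Stringable
{
    public function __construct(private string $url) {}
    public function __toString(): string { return $this->url; }
}

// Constructed sample value standing in for base_url().
const DEMO_BASE_URL = 'https://example.test/';

// Same decision as the reported line 65, with the cast from the thread applied:
// emit the CSRF field only when the filter is on, the form posts back to this
// site, and the form is not a GET form.
function demo_needs_csrf_field(string|Stringable $action, string $formTag, bool $csrfOn): bool
{
    return $csrfOn
        && str_contains((string) $action, DEMO_BASE_URL)
        && stripos($formTag, 'method="get"') === false;
}

$sameSite = new DemoUri('https://example.test/login');
$external = new DemoUri('https://other.example/login');

try {
    // Without the cast: under strict_types a Stringable object is not
    // coerced to string for a built-in's string parameter.
    str_contains($sameSite, DEMO_BASE_URL);
} catch (TypeError $e) {
    echo 'uncast call: ', $e->getMessage(), "\n";
}

// With the cast, the check runs and the token stays on same-site POST forms only.
$post = '<form action="x" method="post">';
$get  = '<form action="x" method="get">';

var_dump(demo_needs_csrf_field($sameSite, $post, true));  // same-site POST form
var_dump(demo_needs_csrf_field($external, $post, true));  // external target
var_dump(demo_needs_csrf_field($sameSite, $get, true));   // GET form
var_dump(demo_needs_csrf_field($sameSite, $post, false)); // filter disabled
```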