yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Tons of yii\web\BadRequestHttpException: Unable to verify your data submission #18514

Closed PELock closed 3 years ago

PELock commented 3 years ago

What steps will reproduce the problem?

I get tons of yii\web\BadRequestHttpException: Unable to verify your data submission in my logs since the latest updates. What is going on?

Additional info

2021-02-12 00:59:16 [176.59.73.204][-][-][error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Controller.php:209
Stack trace:
#0 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Controller.php(179): yii\web\Controller->beforeAction()
#1 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction()
#2 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction()
#3 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest()
#4 /home/pelock/www/public_html/pelock.com/frontend/web/index.php(20): yii\base\Application->run()

The exception is thrown at:

    /**
     * {@inheritdoc}
     */
    public function beforeAction($action)
    {
        if (parent::beforeAction($action)) {
            if ($this->enableCsrfValidation && Yii::$app->getErrorHandler()->exception === null && !$this->request->validateCsrfToken()) {
                throw new BadRequestHttpException(Yii::t('yii', 'Unable to verify your data submission.'));
            }

            return true;
        }

        return false;
    }

My config:

$config = [
    'components' => [

        'session' => [
            'cookieParams' => [
                'httpOnly' => true,
                'secure' => true,
                'sameSite' => yii\web\Cookie::SAME_SITE_STRICT
            ]
        ],

        'request' => [
            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
            'cookieValidationKey' => 'XXX',

            'csrfCookie' => [
                'httpOnly' => true,
                'secure' => true,
                'sameSite' => yii\web\Cookie::SAME_SITE_STRICT
            ],
        ],
    ],
];

But why now, after the update??? I know Chrome 88 rolled out, but is it related?

I'm looking at the logs right now, check this out:

2021-02-12 00:59:16 [XXX][-][-][error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Controller.php:209
Stack trace:
#0 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Controller.php(179): yii\web\Controller->beforeAction()
#1 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction()
#2 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction()
#3 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest()
#4 /home/pelock/www/public_html/pelock.com/frontend/web/index.php(20): yii\base\Application->run()
#5 {main}
2021-02-12 00:59:16 [XXX][-][-][info][application] $_GET = [
    'group' => 'products'
    'name' => 'hash-calculator'
]

$_POST = [
    '_csrf' => 'KDXpDuKdX9Ad-jgo9oVQmiZC8jnf9nSD2qFZ6fKHUZl8ftk8g_AFmnStbE2C4RqiFQuYCeqROLqS7xCwmuMnzA=='
    'HashCalculatorForm' => [
        'value' => 'df24f3f8b8ec46f5857f547ff05584fa

'
        'crlf' => '1'
    ]
    'calculate-hash' => ''
]

$_FILES = []

$_COOKIE = []

$_SERVER = [
    'USER' => 'pelock'
    'HOME' => '/home/pelock'
    'HTTP_ACCEPT_LANGUAGE' => 'ru-RU,en-US;q=0.9'
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate'
    'HTTP_REFERER' => 'https://www.pelock.com/products/hash-calculator'
    'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (Linux; U; Android 10; ru-ru; Redmi Note 9S Build/QKQ1.191215.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.6.2-gn'
    'HTTP_CONTENT_TYPE' => 'application/x-www-form-urlencoded'
    'HTTP_UPGRADE_INSECURE_REQUESTS' => '1'
    'HTTP_ORIGIN' => 'null'
    'HTTP_CACHE_CONTROL' => 'max-age=0'
    'HTTP_CONTENT_LENGTH' => '251'
    'HTTP_HOST' => 'www.pelock.com'
    'SCRIPT_FILENAME' => '/home/pelock/www/public_html/pelock.com/frontend/web/index.php'
    'REDIRECT_STATUS' => '200'
    'SERVER_NAME' => 'www.pelock.com'
    'SERVER_PORT' => '443'
    'SERVER_ADDR' => 'XXX'
    'REMOTE_PORT' => 'XXX'
    'REMOTE_ADDR' => 'XXX'
    'SERVER_SOFTWARE' => 'nginx/1.19.6'
    'GATEWAY_INTERFACE' => 'CGI/1.1'
    'HTTPS' => 'on'
    'REQUEST_SCHEME' => 'https'
    'SERVER_PROTOCOL' => 'HTTP/2.0'
    'DOCUMENT_ROOT' => '/home/pelock/www/public_html/pelock.com/frontend/web'
    'DOCUMENT_URI' => '/index.php'
    'REQUEST_URI' => '/products/hash-calculator'
    'SCRIPT_NAME' => '/index.php'
    'CONTENT_LENGTH' => '251'
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
    'REQUEST_METHOD' => 'POST'
    'QUERY_STRING' => ''
    'FCGI_ROLE' => 'RESPONDER'
    'PHP_SELF' => '/index.php'
    'REQUEST_TIME_FLOAT' => 1613091556.1384
    'REQUEST_TIME' => 1613091556
]

The cookies array is empty... But in other entries it's not:

2021-02-12 11:35:20 [XXX][-][-][error][yii\web\HttpException:400] yii\web\BadRequestHttpException: Unable to verify your data submission. in /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Controller.php:209
Stack trace:
#0 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Controller.php(179): yii\web\Controller->beforeAction()
#1 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction()
#2 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction()
#3 /home/pelock/www/public_html/pelock.com/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest()
#4 /home/pelock/www/public_html/pelock.com/frontend/web/index.php(20): yii\base\Application->run()
#5 {main}
2021-02-12 11:35:20 [XXX][-][-][info][application] $_GET = []

$_POST = [
    '_csrf' => 'NoE5_KkQkpYs3ekiJlJfqabEjeieVUNb58KlqtPMavFn92y4nFPd2BuEoBQXYHKY6ozq0Kg4cC2znffTl_QDtA=='
    'CheckoutForm' => [
        'name' => '...'
    ]
]

$_FILES = []

$_COOKIE = [
    'crisp-client%2Fsession%2F022e663c-63c0-43f9-aea2-2d2215e75e4a' => 'session_7af7b028-74d0-4885-baf1-16f54ac79077'
    'PHPSESSID' => '5c8r8j250dj9v21ljf1v79et1a'
    '_csrf' => '36635741d3e942ee64945ae2f085a5092ddfa552c3f6531af675a3758cf3e9fda:2:{i:0;s:5:\"_csrf\";i:1;s:32:\"phNVEwgHG_kPoAtyoXAxvgh8uLzS1OiG\";}'
]
| Q | A |
| --- | --- |
| Yii version | 2.0.40 |
| PHP version | 7.4.14 |
| Operating system | Debian 10 |
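Added example (not yii2 code and not the reporter's): a Python model of the double-submit check whose negative result becomes the 400 quoted above. The shapes are taken from what the thread shows (an HMAC-prefixed `_csrf` cookie value, a 32-character token, a base64url masked form token) and from Yii's documented mask/unmask scheme; the validation key, the use of JSON instead of PHP serialize, and all function names are this example's own assumptions. It reproduces the failure shape in the first log entry: when no cookie arrives, the server mints a fresh token, so even an honestly generated form token cannot match.

```python
"""Model of the double-submit CSRF check behind 'Unable to verify your data submission.'"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the app's request.cookieValidationKey and Yii defaults
COOKIE_VALIDATION_KEY = b"constructed-demo-key-not-for-production"
CSRF_PARAM = "_csrf"                  # Yii default for csrfParam and the csrfCookie name
TOKEN_LEN = 32                        # generateRandomString() default length
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def generate_token() -> str:
    """32 chars from [A-Za-z0-9_-], like the s:32 value inside a validated _csrf cookie."""
    return base64.urlsafe_b64encode(secrets.token_bytes(24)).decode("ascii")


def sign_cookie(name: str, value: str) -> str:
    """Cookie validation: hex HMAC-SHA256 over the payload, prepended to it.
    Assumption: Yii hashes serialize([name, value]); JSON stands in for that here."""
    payload = json.dumps([name, value])
    mac = hmac.new(COOKIE_VALIDATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return mac + payload


def read_signed_cookie(name: str, raw: str) -> Optional[str]:
    """Return the stored value only if the HMAC verifies and the embedded name matches."""
    mac, payload = raw[:64], raw[64:]
    expected = hmac.new(COOKIE_VALIDATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        stored_name, value = json.loads(payload)
    except (ValueError, TypeError):
        return None
    return value if stored_name == name else None


def mask_token(token: str) -> str:
    """Per-form masking (Security::maskToken style): random mask || (mask XOR token), base64url."""
    raw = token.encode("ascii")
    mask = secrets.token_bytes(len(raw))
    return base64.urlsafe_b64encode(mask + bytes(m ^ t for m, t in zip(mask, raw))).decode("ascii")


def unmask_token(masked: str) -> str:
    """Undo the mask; '' for anything malformed, so a garbage token can never match."""
    try:
        raw = base64.urlsafe_b64decode(masked.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return ""
    if not raw or len(raw) % 2:
        return ""
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:])).decode("latin-1")


def validate_csrf(method: str, post: Dict[str, str], cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Decide in the order Request::validateCsrfToken() does; False is what becomes the 400."""
    if method in SAFE_METHODS:
        return True, "safe method, not checked"
    raw = cookies.get(CSRF_PARAM)
    true_token = read_signed_cookie(CSRF_PARAM, raw) if raw is not None else None
    if true_token is None:
        # No usable cookie: the server mints a fresh token that the submitted form cannot know.
        true_token = generate_token()
        why = "no _csrf cookie arrived" if raw is None else "_csrf cookie failed validation"
    else:
        why = "_csrf cookie accepted"
    client = post.get(CSRF_PARAM)
    if not isinstance(client, str) or unmask_token(client) != true_token:
        return False, why + "; form token does not match (HTTP 400)"
    return True, why + "; form token matches"


def demo() -> Dict[str, bool]:
    """Constructed requests: a healthy one, then the shapes seen in the logged failures."""
    token = generate_token()
    cookie = {CSRF_PARAM: sign_cookie(CSRF_PARAM, token)}
    form = {CSRF_PARAM: mask_token(token)}
    other_cookie = {CSRF_PARAM: sign_cookie(CSRF_PARAM, generate_token())}
    return {
        "cookie_and_form_match": validate_csrf("POST", form, cookie)[0],
        "remasked_form_token_still_ok": validate_csrf("POST", {CSRF_PARAM: mask_token(token)}, cookie)[0],
        "get_is_not_checked": validate_csrf("GET", {}, {})[0],
        "no_cookies_at_all": validate_csrf("POST", form, {})[0],          # $_COOKIE = [] in the log
        "cookie_from_another_session": validate_csrf("POST", form, other_cookie)[0],
        "tampered_cookie": validate_csrf("POST", form, {CSRF_PARAM: cookie[CSRF_PARAM][:-1] + "x"})[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32} -> {'accepted' if ok else 'rejected (400)'}")
```

The masking step is why two form tokens from the same session look unrelated in the logs while both validate; the check only ever compares unmasked values against the cookie's token, so with `$_COOKIE = []` there is nothing the form could have carried that would pass.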
PELock commented 3 years ago

I give up... still tons of "unable to verify the submission" errors, so it's not a secure or csrfParam name issue.

What more can I do to find the reason behind this?
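As an added example in answer to the question above (not code from the project or from the reporter): a small triage script that reads the application-log dumps in the shape the issue quotes and sorts each 400 by what the server actually received. The sample log is constructed with placeholder values; hostnames, tokens and session ids are invented.

```python
"""Triage of Yii 2 application-log dumps behind CSRF 400s (added example, not project code)."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed excerpt shaped like the dumps quoted in the issue; every value is a placeholder.
SAMPLE_LOG = """\
2021-02-12 00:59:16 [XXX][-][-][error][yii\\web\\HttpException:400] yii\\web\\BadRequestHttpException: Unable to verify your data submission. in /app/vendor/yiisoft/yii2/web/Controller.php:209
2021-02-12 00:59:16 [XXX][-][-][info][application] $_GET = [
    'group' => 'products'
]

$_POST = [
    '_csrf' => 'constructed-masked-token=='
    'HashCalculatorForm' => [
        'value' => 'multi
line'
    ]
]

$_COOKIE = []

$_SERVER = [
    'HTTP_REFERER' => 'https://www.example.com/products/hash-calculator'
    'HTTP_ORIGIN' => 'null'
    'HTTP_HOST' => 'www.example.com'
]
2021-02-12 11:35:20 [XXX][-][-][error][yii\\web\\HttpException:400] yii\\web\\BadRequestHttpException: Unable to verify your data submission. in /app/vendor/yiisoft/yii2/web/Controller.php:209
2021-02-12 11:35:20 [XXX][-][-][info][application] $_GET = []

$_POST = [
    '_csrf' => 'another-constructed-masked-token=='
]

$_COOKIE = [
    'PHPSESSID' => 'constructed-session-id'
    '_csrf' => 'constructed-hash:a:2:{i:0;s:5:"_csrf";i:1;s:32:"constructed-token"}'
]

$_SERVER = [
    'HTTP_REFERER' => 'https://www.example.com/checkout'
    'HTTP_ORIGIN' => 'https://www.example.com'
    'HTTP_HOST' => 'www.example.com'
]
"""

SECTION = re.compile(r"^(?:.*\[application\] )?\$_(\w+) = \[(\]?)\s*$")
PAIR = re.compile(r"^ {4}'([^']+)' => '([^']*)'\s*$")   # first-level scalar pairs only


def parse_dumps(log: str) -> List[Dict[str, Dict[str, str]]]:
    """Group each request dump ($_GET .. $_SERVER) into {superglobal: {key: value}}."""
    entries: List[Dict[str, Dict[str, str]]] = []
    section = None
    for line in log.splitlines():
        m = SECTION.match(line)
        if m:
            name, closed = m.group(1), m.group(2) == "]"
            if name == "GET":                     # $_GET opens every dump
                entries.append({})
            if entries:
                entries[-1][name] = {}
                section = None if closed else name
            continue
        if section is None:
            continue
        if line == "]":                           # unindented bracket closes the superglobal
            section = None
            continue
        p = PAIR.match(line)                      # nested arrays and multi-line values are skipped
        if p:
            entries[-1][section][p.group(1)] = p.group(2)
    return entries


def classify(entry: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Separate 'no cookie reached the server' from 'cookie arrived but did not match'."""
    cookies, server = entry.get("COOKIE", {}), entry.get("SERVER", {})
    if not cookies:
        verdict = "client sent no cookies at all"
    elif "_csrf" not in cookies:
        verdict = "cookies sent but no _csrf cookie among them"
    else:
        verdict = "_csrf cookie present: token mismatch or cookie-validation failure"
    host = server.get("HTTP_HOST", "")
    ref_host = urlsplit(server.get("HTTP_REFERER", "")).hostname or ""
    if server.get("HTTP_ORIGIN") == "null" or (ref_host and ref_host != host):
        context = "Origin is opaque or Referer host differs from Host: not a plain same-site submission"
    else:
        context = "Origin and Referer match Host"
    return {"verdict": verdict, "context": context}


def triage(log: str) -> Dict[str, int]:
    """Count failures by verdict so the dominant failure shape is visible at a glance."""
    return dict(Counter(classify(e)["verdict"] for e in parse_dumps(log)))


if __name__ == "__main__":
    for i, entry in enumerate(parse_dumps(SAMPLE_LOG), 1):
        print(i, classify(entry))
    print(triage(SAMPLE_LOG))
```

The split it makes (no cookies at all versus a `_csrf` cookie that arrived but did not match) is the one the reporter noticed by hand; counting it over the whole log shows which case dominates. The Origin/Referer check flags submissions the browser did not send as a plain same-site navigation, which matters with the `sameSite => SAME_SITE_STRICT` setting in the config above: a Strict cookie is withheld on any cross-site request, top-level navigations included, so such a request reaches the server with no `_csrf` cookie regardless of what the form carried.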

nareka88 commented 3 years ago

Well, no, by default it's _csrf and changing it should not affect the normal behavior but... since it looks like we tried everything we could think of trying to fix the problem, we can try this as well. Let us know @PELock

Did you specify a separate path for your backend and frontend part?

I think because your app has 2 parts (frontend and backend) you should set a path for each one.

Try to add a path for each one, the base path that you can access it at.

@nareka88

PELock commented 3 years ago

Hmm, I have noticed something.

The official advanced theme from 2.0.13 has this thing in headers

https://github.com/yiisoft/yii2-app-advanced/blob/master/frontend/views/layouts/main.php

<head>
    <meta charset="<?= Yii::$app->charset ?>">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <?php $this->registerCsrfMetaTags() ?>
    <title><?= Html::encode($this->title) ?></title>
    <?php $this->head() ?>
</head>

but I'm using the old template from some older advanced theme and it looks like this:

<head>
    <meta charset="<?= Yii::$app->charset ?>">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="referrer" content="<?php if (empty($this->params["referrer"])) { ?>unsafe-url<?php } else { ?><?= $this->params["referrer"] ?><?php } ?>">
    <?= Html::csrfMetaTags() ?>

    <title><?= Html::encode($this->title) ?></title>

    <link rel="preconnect" href="https://translate.google.com" crossorigin>
    <link rel="preconnect" href="https://fonts.googleapis.com" crossorigin>
    <link rel="preload" href="/css/bootstrap/fonts/icomoon.ttf?wkc5aa" as="font" type="font/ttf" crossorigin>

    <link rel="alternate" hreflang="x-default" href="<?= BaseUrl::to($mirrorLinks['en'], true) ?>">
    <link rel="alternate" hreflang="en" href="<?= BaseUrl::to($mirrorLinks['en'], true) ?>">
    <link rel="alternate" hreflang="pl" href="<?= BaseUrl::to($mirrorLinks['pl'], true) ?>">

    <link rel="icon" href="/img/favicons/<?php if (YII_ENV_PROD) { ?>favicon.ico<?php } else { ?>favicon-green.ico<?php } ?>">
    <link rel="apple-touch-icon" href="/img/apple-touch-icon.png">
    <link rel="apple-touch-icon-precomposed" href="/img/favicons/apple-touch-icon-precomposed.png">
    <link rel="apple-touch-icon-precomposed" sizes="120x120" href="/img/favicons/apple-touch-icon-120x120-precomposed.png">

    <script type="text/javascript">window.$crisp=[];window.CRISP_WEBSITE_ID="022e663c-63c0-43f9-aea2-2d2215e75e4a";(function(){d=document;s=d.createElement("script");s.src="https://client.crisp.chat/l.js";s.async=1;d.getElementsByTagName("head")[0].appendChild(s);})();</script>
    <?php $this->head() ?>

I will try to replace

    <?= Html::csrfMetaTags() ?>

with

    <?php $this->registerCsrfMetaTags() ?>

and let you know.

PELock commented 3 years ago

Nah, still errors.

PELock commented 3 years ago

> Well, no, by default it's _csrf and changing it should not affect the normal behavior but... since it looks like we tried everything we could think of trying to fix the problem, we can try this as well. Let us know @PELock
>
> Did you specify a separate path for your backend and frontend part?
>
> I think because your app has 2 parts (frontend and backend) you should set a path for each one.
>
> Try to add a path for each one, the base path that you can access it at.

@nareka88

I don't experience any problems in my backend and the path you set in your configuration is the default value anyway:

https://www.yiiframework.com/doc/api/2.0/yii-web-cookie#$path-detail

So it's not a solution to this problem.

I think it could be some kind of cookie blocking on the user side, but I'm not sure why or when.