summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorAlex Bilbie <alex.bilbie@gmail.com>2011-08-21 17:14:54 +0200
committerAlex Bilbie <alex.bilbie@gmail.com>2011-08-21 17:14:54 +0200
commitaeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab (patch)
tree91050bc3c6fb7cbcd26c96cc577e60571dedd1a1 /system/core/Security.php
parenta1a8ef711ec179a183a32f6cf4502ddc48782a84 (diff)
Added new config parameter "csrf_exclude_uris" which allows for URIs to be whitelisted from CSRF verification. Fixes #149
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php12
1 files changed, 11 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 3617cadcc..efd30eb14 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -93,6 +93,16 @@ class CI_Security {
{
return $this->csrf_set_cookie();
}
+
+ // Check if URI has been whitelisted from CSRF checks
+ if ($exclude_uris = config_item('csrf_exclude_uris'))
+ {
+ $uri = load_class('URI', 'core');
+ if (in_array($uri->uri_string(), $exclude_uris))
+ {
+ return $this;
+ }
+ }
// Do the tokens exist in both the _POST and _COOKIE arrays?
if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -116,7 +126,7 @@ class CI_Security {
$this->_csrf_set_hash();
$this->csrf_set_cookie();
- log_message('debug', "CSRF token verified ");
+ log_message('debug', "CSRF token verified");
return $this;
}