diff options
author | Alex Bilbie <alex.bilbie@gmail.com> | 2011-08-21 17:14:54 +0200 |
---|---|---|
committer | Alex Bilbie <alex.bilbie@gmail.com> | 2011-08-21 17:14:54 +0200 |
commit | aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab (patch) | |
tree | 91050bc3c6fb7cbcd26c96cc577e60571dedd1a1 /system | |
parent | a1a8ef711ec179a183a32f6cf4502ddc48782a84 (diff) |
Added new config parameter "csrf_exclude_uris" which allows for URIs to be whitelisted from CSRF verification. Fixes #149
Diffstat (limited to 'system')
-rw-r--r-- | system/core/Security.php | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 3617cadcc..efd30eb14 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -93,6 +93,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -116,7 +126,7 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); - log_message('debug', "CSRF token verified "); + log_message('debug', "CSRF token verified"); return $this; } |