-rwxr-xr-xsystem/core/Security.php4
-rw-r--r--user_guide_src/source/changelog.rst1
2 files changed, 3 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 6f25fb5bb..2bffa41b7 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -138,8 +138,8 @@ class CI_Security {
*/
public function csrf_verify()
{
- // If no POST data exists we will set the CSRF cookie
- if (count($_POST) === 0)
+ // If it's not a POST request we will set the CSRF cookie
+ if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
return $this->csrf_set_cookie();
}
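Review bot: The new condition on the `if` line reads `$_SERVER['REQUEST_METHOD']` unguarded, so a context where that key is absent (a CLI invocation, for instance) raises an undefined-index notice before the comparison runs, whereas the replaced `count($_POST)` check never did. A guard that treats a missing method as "not POST" keeps the early cookie-set path for those callers: `if ( ! isset($_SERVER['REQUEST_METHOD']) OR strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')`. Note also that the gate is now method-based, so any non-POST request (including other state-changing methods, if the application accepts them) still takes the cookie-set branch and skips verification; a one-line comment stating that only POST is verified would make that intent explicit to future readers. The body of csrf_verify() continues past the end of the hunk, so the verification path itself is not visible here.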
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4c6fd38bc..587c64c5a 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -148,6 +148,7 @@ Bug fixes for 3.0
- Fixed a bug (#64) - Regular expression in DB_active_rec.php failed to handle queries containing SQL bracket delimiters in the join condition.
- Fixed a bug in the :doc:`Session Library <libraries/sessions>` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right.
- Fixed a bug (#501) - set_rules() to check if the request method is not 'POST' before aborting, instead of depending on count($_POST) in the :doc:`Form Validation Library <libraries/form_validation>`.
+- Fixed a bug (#940) - csrf_verify() used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid.
Version 2.1.1
=============