From 5d27c43d29fc049497010ea62ac7877a64bfed92 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 8 Mar 2012 12:01:52 +0200 Subject: Fix issue #940 --- system/core/Security.php | 4 ++-- user_guide_src/source/changelog.rst | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 6f25fb5bb..2bffa41b7 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -138,8 +138,8 @@ class CI_Security { */ public function csrf_verify() { - // If no POST data exists we will set the CSRF cookie - if (count($_POST) === 0) + // If it's not a POST request we will set the CSRF cookie + if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') { return $this->csrf_set_cookie(); } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4c6fd38bc..587c64c5a 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -148,6 +148,7 @@ Bug fixes for 3.0 - Fixed a bug (#64) - Regular expression in DB_active_rec.php failed to handle queries containing SQL bracket delimiters in the join condition. - Fixed a bug in the :doc:`Session Library ` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right. - Fixed a bug (#501) - set_rules() to check if the request method is not 'POST' before aborting, instead of depending on count($_POST) in the :doc:`Form Validation Library `. +- Fixed a bug (#940) - csrf_verify() used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid. Version 2.1.1 ============= -- cgit v1.2.3-24-g4f1b