From aeb2c3e532e78be9ac78ba6fd4a305b7be31d2ab Mon Sep 17 00:00:00 2001
From: Alex Bilbie <alex.bilbie@gmail.com>
Date: Sun, 21 Aug 2011 16:14:54 +0100
Subject: Added new config parameter "csrf_exclude_uris" which allows for URIs
 to be whitelisted from CSRF verification. Fixes #149

---
 system/core/Security.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'system/core')

diff --git a/system/core/Security.php b/system/core/Security.php
index 3617cadcc..efd30eb14 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -93,6 +93,16 @@ class CI_Security {
 		{
 			return $this->csrf_set_cookie();
 		}
+		
+		// Check if URI has been whitelisted from CSRF checks
+		if ($exclude_uris = config_item('csrf_exclude_uris'))
+		{
+			$uri = load_class('URI', 'core');
+			if (in_array($uri->uri_string(), $exclude_uris))
+			{
+				return $this;
+			}
+		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
 		if ( ! isset($_POST[$this->_csrf_token_name]) OR 
@@ -116,7 +126,7 @@ class CI_Security {
 		$this->_csrf_set_hash();
 		$this->csrf_set_cookie();
 
-		log_message('debug', "CSRF token verified ");
+		log_message('debug', "CSRF token verified");
 		
 		return $this;
 	}
-- 
cgit v1.2.3-24-g4f1b