From 05fcc09436c0c34cc5883d7840abc81ad5af7969 Mon Sep 17 00:00:00 2001 From: Kyle Valade Date: Sun, 6 Jul 2014 13:43:20 -0700 Subject: Return 403 instead of 500 if no CSRF token given Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index c4621d588..f1802f0c4 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -275,7 +275,7 @@ class CI_Security { */ public function csrf_show_error() { - show_error('The action you have requested is not allowed.'); + show_error('The action you have requested is not allowed.', 403); } // -------------------------------------------------------------------- @@ -934,4 +934,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ \ No newline at end of file +/* Location: ./system/core/Security.php */ -- cgit v1.2.3-24-g4f1b From 2761ff49f406d43c749ea87f7d5ebd4e2b7c3197 Mon Sep 17 00:00:00 2001 From: Kyle Valade Date: Sun, 13 Jul 2014 16:11:19 -0700 Subject: Add changelog entry for CSRF status code; remove line at EOF --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index f1802f0c4..68e345c54 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -934,4 +934,4 @@ class CI_Security { } /* End of file Security.php */ -/* Location: ./system/core/Security.php */ +/* Location: ./system/core/Security.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b