Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSRF Filter redirect back not working #2395

Closed
crustamet opened this issue Nov 12, 2019 · 3 comments
Closed

CSRF Filter redirect back not working #2395

crustamet opened this issue Nov 12, 2019 · 3 comments
Labels
bug Verified issues on the current code behavior or pull requests that will fix them

Comments

@crustamet
Copy link
Contributor

crustamet commented Nov 12, 2019
edited by kenjis
Loading

Im asking about this because i am not sure if it is a bug or i am doing something wrong with the csrf or not doing.

I have this setup.
public $CSRFRegenerate = true;
public $CSRFRedirect = true;

i have enabled the filter csrf to be available in the global before.

I have created this routes

	$routes->group('contact', ['namespace' => 'App\Controllers'], function($routes)
	{
		$routes->get('/', 'Front/Contact::index');
		$routes->post('add_contact', 'Front/Contact::contact');
	});

i have created this controller Contact with methods index() and contact()

	public function contact()
	{
		print_r($this->request->getPost());die();

		echo 'noice';exit;
	}

i have the project inside a folder named projects
/projects/ci4 - codeigniter 4 project

and the index page
/projects/ci4index with htaccess

So until now everything works perfectly, i intended this error to happen to see what it does.

I DID NOT put the CSRF token inside the form, to let codeigniter REDIRECT BACK.
But when this happens with this code from the CSRF Filter

$security = Services::security();

	try
	{
		$security->CSRFVerify($request);
	}
	catch (SecurityException $e)
	{
		if (config('App')->CSRFRedirect && ! $request->isAJAX())
		{
			return redirect()->back()->with('error', $e->getMessage());
		}

		throw $e;
	}

The problem here is i get redirected back on an inexistent page.
From url : projects.domain/ci4index/contact
To url : projects.domain/contact

I think here it should go back to projects.domain/ci4index/contact
right ?

This is a problem right ?
@crustamet crustamet added the bug Verified issues on the current code behavior or pull requests that will fix them label Nov 12, 2019
@crustamet
Copy link
Contributor Author

i found the problem for some reason the value of
$_SESSION['_ci_previous_url']
is projects.domain/contact

where this variable is set in the project ? oO

@lonnieezell
Copy link
Member

This is a known bug with the url helper methods when serving the site in a sub-folder. It's being worked on but one of the cases gets a bit tricky and I'm trying to track it down.

So - yes, it's a bug. But not with CSRF, it's with the base_url() and/or site_url() helpers and how IncomingRequest interprets the original URI when in a sub-folder.

@crustamet
Copy link
Contributor Author

Ok after you close this man please tell me in this file
https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/HTTP/IncomingRequest.php#L719

What exactly $parts = parse_url('http://dummy' . $_SERVER['REQUEST_URI']);
want to do here ?

Because of this i was digging in and i found this problem maybe related to solve this issue trough this line ?

I was just thinking and really i have nothing to explain this. what is the reason behind the http dummy xD ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Verified issues on the current code behavior or pull requests that will fix them
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lonnieezell @crustamet