Allow HEAD requests to generate a form key

civicrm · May 14, 2020 · 5d76f6d · 5d76f6d
1 parent f1e79cb
commit 5d76f6d
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/CRM/Core/Controller.php b/CRM/Core/Controller.php
@@ -284,11 +284,17 @@ public function key($name, $addSequence = FALSE, $ignoreKey = FALSE) {
       return NULL;
     }
 
-    $key = $_REQUEST['qfKey'] ?? NULL;
-    if (!$key && $_SERVER['REQUEST_METHOD'] === 'GET') {
+    // We need a form key. Check _POST first, then _GET.
+    $key = $_POST['qfKey'] ?? $_GET['qfKey'] ?? NULL;
+    if (!$key && in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD'])) {
+      // Generate a key if this is an initial request without one.
+      // We allow HEAD here because it is used by bots to validate URLs, so if
+      // we issue a 500 server error to them they may think the site is broken.
       $key = CRM_Core_Key::get($name, $addSequence);
     }
     else {
+      // Other requests that usually change data (POST, but feasibly DELETE,
+      // PUT, PATCH...) always require a valid key.
       $key = CRM_Core_Key::validate($key, $name, $addSequence);
     }