Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRSF seems to be always on (config setting ignored) #22

Closed
patrickvuarnoz opened this issue Dec 6, 2024 · 3 comments
Closed

CRSF seems to be always on (config setting ignored) #22

patrickvuarnoz opened this issue Dec 6, 2024 · 3 comments

Comments

@patrickvuarnoz
Copy link

After a fresh install I do have CSRF protection out of the box, which is very cool. At the moment I am still in development mode and I do not want it to be active yet, as it blocks some POST/DELETE requests.

In the config file for the CRSF there is the setting //'enabled' => true, which is commented out and by that it should not be active. Trying to set it to 'enabled' => false, does not change that.

I think the problem comes from the method loadApplicationConfig(). This part here enables the CRSF config by default if sessions are activated:

$csrfEnabled = (
    $csrfConfig &&
    Config::getStatic('mvc.config.auth')['session'] ?? false
);

If enabled is not set at all in in the CRSF config, then this part does not change anything and CSRF remains activated:

if ($csrfConfig['enabled'] ?? null !== null) {
    $csrfEnabled = $csrfConfig['enabled'];
}

If enabled is set to false it still seems to ignore that block. I think the problem is the operator precedence. !== is evaluated before ??, so with a setting of enabled=false it evaluates to false ?? true which is always false.

That line should be changed to:

if (($csrfConfig['enabled'] ?? null) !== null) {
    $csrfEnabled = $csrfConfig['enabled'];
}

With that it still does not automatically disable CRSF if the enabled is commented out in the config like //'enabled' => true,, but at least it can be deactivated by setting it to false.
@mychidarko
Copy link
Member

Yeah, this was the intended behaviour. Thanks for the fix, I'll push out a new version for this

@patrickvuarnoz
Copy link
Author

@mychidarko Just installed the latest release v1.10.0 and the problem is still in there, i.e. the brackets on line 53 in Core.php are still missing:

Current (as in v1.10.0):

if ($csrfConfig['enabled'] ?? null !== null) {
  $csrfEnabled = $csrfConfig['enabled'];
}

Should be:

if (($csrfConfig['enabled'] ?? null) !== null) {
  $csrfEnabled = $csrfConfig['enabled'];
}

@mychidarko
Copy link
Member

Sorry about that @patrickvuarnoz it's been fixed now. You can update mvc-core to the latest version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@patrickvuarnoz @mychidarko