This vulnerability might allow remote attackers to bypass the CodeIgniter4 CSRF protection mechanism.
Upgrade to v4.1.9 or later.
These are workarounds for this vulnerability, but you will still need to code as these after upgrading to v4.1.9.
Otherwise, the CSRF protection may be bypassed.
E.g.:
if (strtolower($this->request->getMethod()) !== 'post') {
return $this->response->setStatusCode(405)->setBody('Method Not Allowed');
}
Do one of the following:
$routes->add()
, and use HTTP verbs in routes.E.g.:
if (strtolower($this->request->getMethod()) !== 'post') {
return $this->response->setStatusCode(405)->setBody('Method Not Allowed');
}
If you have any questions or comments about this advisory: