CSRF Header - Not enabled in the system/core/security code?

[gidzr]

Hey @narfbg

Still loving CI3.. but every now and then something crops up that maybe it's me or maybe a bug..

I was struggling to get Fetch working with CSRF when data sent as a stringified json object.. presumable because $this->input library is required to intercept and hasn't yet run or placed this into the $_POST superglobal.. ie.. which I would interpret as a php problem.

I thought the Header method for CSRF should resolve this.. but wasn't working.. So I went into the Security class under system/core and noticed
a) there is NO CSRF check on the Headers in the verification function
b) when print_r/var_dump $_POST super with the stringified json body, $POST is empty

system/core/Security.php, at line

209:	public function csrf_verify()

230:		// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
		$valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
			&& is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
			&& hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);

So I created this as a quick patch to check the HEADER, and now everything works..

	// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
	$valid1 = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
		&& is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
		&& hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);

	$valid2 = isset($_SERVER['HTTP_X_CSRF_TOKEN'], $_COOKIE[$this->_csrf_cookie_name])
		&& is_string($_SERVER['HTTP_X_CSRF_TOKEN']) && is_string($_COOKIE[$this->_csrf_cookie_name])
		&& hash_equals($_SERVER['HTTP_X_CSRF_TOKEN'], $_COOKIE[$this->_csrf_cookie_name]);


	$valid = $valid1 || $valid2;

Please let me know if its an oversight skipping the header or have I misused CI?

[shubhamzombade72]

209: public function csrf_verify()

230: // Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
$valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
&& is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])
&& hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);

This is part of a method named csrf_verify() that validates a CSRF token.

The comment says that even if the token is invalid, the script will not immediately error out because it may want to regenerate the token afterward.

$this->_csrf_token_name likely holds the name of the CSRF token key used in the form ($_POST) and the cookie ($_COOKIE).

isset(...) ensures both the POST and COOKIE CSRF token values are set.

is_string(...) checks that both values are strings (a good precaution to avoid type-juggling attacks).

hash_equals(...) securely compares the POST token and the cookie token to avoid timing attacks.

What This Does
Validates that the CSRF token submitted in the form matches the one stored in the cookie.

If it matches, $valid becomes true, which usually allows the request to proceed.

Possible Next Steps in the Function
If $valid is false, the function might:

Regenerate the CSRF token.

Possibly log the event.

Show a warning or silently refresh the token for next time.