diff --git a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
index 454c6cd..7d26945 100644
--- a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
+++ b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
@@ -17,13 +17,13 @@ class BaseCsrfVerifier implements IMiddleware
 * For example: /admin/*
 * @var array|null
 */
- protected ?array $except = null;
+ protected array $except = [];
 
 /**
 * Urls to include. Can be used to include urls from a certain path.
 * @var array|null
 */
- protected ?array $include = null;
+ protected array $include = [];
 
 /**
 * @var ITokenProvider
@@ -38,6 +38,23 @@ class BaseCsrfVerifier implements IMiddleware
 $this->tokenProvider = new CookieTokenProvider();
 }
 
+ protected function isIncluded(Request $request): bool
+ {
+ if (count($this->include) > 0) {
+ foreach ($this->include as $includeUrl) {
+ $includeUrl = rtrim($includeUrl, '/');
+ if ($includeUrl[strlen($includeUrl) - 1] === '*') {
+ $includeUrl = rtrim($includeUrl, '*');
+ return $request->getUrl()->contains($includeUrl);
+ }
+
+ return ($includeUrl === rtrim($request->getUrl()->getRelativeUrl(false), '/'));
+ }
+ }
+
+ return false;
+ }
+
 /**
 * Check if the url matches the urls in the except property
 * @param Request $request
@@ -45,11 +62,11 @@ class BaseCsrfVerifier implements IMiddleware
 */
 protected function skip(Request $request): bool
 {
- if ($this->except === null || count($this->except) === 0) {
+ if (count($this->except) === 0) {
 return false;
 }
 
- foreach($this->except as $url) {
+ foreach ($this->except as $url) {
 $url = rtrim($url, '/');
 if ($url[strlen($url) - 1] === '*') {
 $url = rtrim($url, '*');
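Review bot: The `@var array|null` docblocks kept above both properties are now wrong, since the native type is `array` with a default of `[]`; change them to `@var array` (or `@var list<string>`, as both hold url patterns) so the annotation stops advertising a null that can no longer occur. Narrowing `?array` to `array` is also a breaking change for any subclass that redeclares `$except` or `$include` as `protected ?array`, because PHP requires redeclared property types to be invariant and such a subclass now fails at load time; the `DummyCsrfVerifier` test updated later in this commit is exactly that kind of subclass. This deserves a changelog entry or a major version bump rather than a silent type change.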
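Review bot: `isIncluded()` returns from the first iteration of its `foreach` whichever branch is taken, so only the first entry of `$this->include` is ever consulted and every later pattern is dead — with `['/a', '/b']` a request for `/b` is reported as not included. The loop should move on after a non-match and return `true` only on a hit, falling through to `return false` after the loop; the `count(...) > 0` guard is then redundant, since `foreach` over an empty array does nothing. Two smaller points in the same function: `$includeUrl[strlen($includeUrl) - 1]` on an entry that trims to the empty string (an include of `'/'`) reads offset -1 of `''`, which raises an "Uninitialized string offset" warning on PHP 8, and `substr($includeUrl, -1) === '*'` avoids it; and if `Url::contains()` is a substring test (its implementation is not visible here), a wildcard entry matches anywhere in the url rather than as a prefix, which is worth confirming against the intended semantics of the include list.
```php
    protected function isIncluded(Request $request): bool
    {
        $relativeUrl = rtrim($request->getUrl()->getRelativeUrl(false), '/');

        foreach ($this->include as $includeUrl) {
            $includeUrl = rtrim($includeUrl, '/');

            // Wildcard entry: compare on the part before the '*'; exact entry: compare the whole path.
            if (substr($includeUrl, -1) === '*') {
                if ($request->getUrl()->contains(rtrim($includeUrl, '*')) === true) {
                    return true;
                }

                continue;
            }

            if ($includeUrl === $relativeUrl) {
                return true;
            }
        }

        return false;
    }
```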
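Review bot: The new `count($this->except) === 0` early return is redundant: `foreach` over an empty array never enters the loop, and `skip()` presumably ends in `return false` (the rest of its body lies outside this hunk), so the guard can simply be dropped. While this loop is being touched, the unchanged `$url[strlen($url) - 1]` test reads offset -1 of the empty string when an except entry is just `'/'`, which warns on PHP 8; `substr($url, -1) === '*'` is the safe form. Note too that the wildcard branch strips the `*` and, on the lines following the hunk, presumably hands the remainder to the same `Url::contains()` the include list uses; if that is a substring match, an except such as `/public/*` also turns CSRF verification off for any url that merely contains `/public/` somewhere, so a prefix comparison against the relative url would be the safer rule for a list whose effect is to disable a check.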
@@ -60,20 +77,9 @@ class BaseCsrfVerifier implements IMiddleware
 if ($skip === true) {
- if(is_array($this->include) === true && count($this->include) > 0) {
- foreach($this->include as $includeUrl) {
- $includeUrl = rtrim($includeUrl, '/');
- if ($includeUrl[strlen($includeUrl) - 1] === '*') {
- $includeUrl = rtrim($includeUrl, '*');
- $skip = !$request->getUrl()->contains($includeUrl);
- break;
- }
+ $skip = !$this->isIncluded($request);
 
- $skip = !($includeUrl === rtrim($request->getUrl()->getRelativeUrl(false), '/'));
- }
- }
-
- if($skip === false) {
+ if ($skip === false) {
 continue;
 }
@@ -92,12 +98,11 @@ class BaseCsrfVerifier implements IMiddleware
 */
 public function handle(Request $request): void
 {
- if ($this->skip($request) === false && $request->isPostBack() === true) {
+ if ($this->skip($request) === false && ($request->isPostBack() === true || $this->isIncluded($request) === true)) {
 $token = $request->getInputHandler()->value(
 static::POST_KEY,
 $request->getHeader(static::HEADER_KEY),
- Request::$requestTypesPost
 );
 
 if ($this->tokenProvider->validate((string)$token) === false) {
diff --git a/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php b/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php
index 4c87c37..8e3b5e1 100644
--- a/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php
+++ b/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php
@@ -2,12 +2,12 @@ class DummyCsrfVerifier extends \Pecee\Http\Middleware\BaseCsrfVerifier {
- protected ?array $except = [
+ protected array $except = [
 '/exclude-page',
 '/exclude-all/*',
 ];
- protected ?array $include = [
+ protected array $include = [
 '/exclude-all/include-page',
 ];
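Review bot: `$skip = !$this->isIncluded($request);` followed by `if ($skip === false) { continue; }` is a double negation that reads awkwardly; `if ($this->isIncluded($request) === true) { continue; }` states the intent directly and drops the reassignment of `$skip`. The enclosing `foreach` and the body of `skip()` both begin and end outside this hunk. It is also worth a one-line comment here that `handle()` calls `isIncluded()` a second time for the same request, so an included url is matched twice — harmless, but not obvious to the next reader.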
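Review bot: Dropping `Request::$requestTypesPost` from the `value()` call widens where the CSRF token may come from: if `InputHandler::value()` with no method filter also searches query-string input (its implementation is not visible here), a token passed as a GET parameter now satisfies verification, and tokens in urls are far more exposed than in a POST body or the `static::HEADER_KEY` header (browser history, Referer, access logs). For the new `isIncluded()` branch, which fires on any request method, reading the token from the header alone would keep urls token-free; at minimum the docblock above `handle()` (its closing `*/` is the first context line) should state that included urls are verified on every method and where the token is expected. A related consequence to document is that a plain GET of an included url, such as `/exclude-all/include-page` in the test dummy, will now fail verification unless the client sends a token, which is a behaviour change for anyone who listed a page only to re-enable POST checks under a wildcard except.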