ajax Forbidden error
#1

Hello,
In my codeigniter 3.0.3
I have a page for uploading (using the jquery.fileupload library), listing and deleting images.
In the controller I send the security object:

PHP Code:
$data['security'] = $this->security;

and in the view, in the ajax post requests, I send parameters from this security object. It works in 1 case and returns a 403 (Forbidden) error in 2 cases:

Deleting Image:

Code:
    var post_data = {
        'dp_csrf_tk' : 'a574872384f065fcabf9747d20f9cff3'
    };
    alert( "post_data::"+var_dump(post_data) ); // This alert shows "post_data::obj.dp_csrf_tk = 6378d5922c14b0ffb43bd1aae135e3e8"
    jQuery.ajax({  // returns 403 (Forbidden)
        url: "http://local-displo-wp.com/backend/en/categories/delete_category_image?category_id=" + encodeURIComponent(category_id) + '&image_name='+encodeURIComponent(image_name),
        type: 'POST',
        data: post_data,
        dataType: 'json',
        success: function(result) {
            ....
        }
    });

Uploading of image:

Code:
    var post_data = {
        '<?php echo $security->get_csrf_token_name(); ?>' : '<?php echo $security->get_csrf_hash(); ?>'
    };
    alert( "post_data::"+var_dump(post_data) ); // This alert shows "post_data::obj.dp_csrf_tk = 6378d5922c14b0ffb43bd1aae135e3e8"
    $('.category_image_fileupload').fileupload( { // returns 403 (Forbidden)
        url: "<?php echo site_url('categories/upload_category_image?category_id') ?>=" + category_id+"&category_name="+encodeURIComponent(category_name),
        data: post_data,
        dataType: 'json',
        done: function (e, data) {
            ...
        },
        progressall: function (e, data) {
            var progress = parseInt(data.loaded / data.total * 100, 10);
            $('#progress .progress-bar').css('width', progress + '%');
        }
    }).prop('disabled', !$.support.fileInput)
      .parent().addClass($.support.fileInput ? undefined : 'disabled');

Loading of images:

Code:
    var post_data = {
        'dp_csrf_tk' : 'c4ac902758cdb8c657c32e11c631ccfc'  // This alert shows "post_data::obj.dp_csrf_tk = 856114439a276539dfc0a9617c0eb8ce"
    };
    alert( "post_data::"+var_dump(post_data) );
    jQuery.ajax({  // all data returns ok
        url: "http://local-displo-wp.com/backend/en/categories/load_category_images?category_id="+category_id+"&category_name="+encodeURIComponent(category_name),
        type: 'POST',
        data: post_data,
        dataType: 'json',
        success: function(result) {
            //alert( "result::"+var_dump(result) )
            if (result.result == 'success') {
                $('#div-category-images').html(result.ret_html);
            }
        }
    });

All 3 ajax requests are sent as "POST" with "json" dataType and pass the same csrf parameters
to url methods of the same controller http://local-displo-wp.com/backend/en/categories
I do not see why only the third request works ok but the first 2 return the error?
#2

Instead of defining

PHP Code:
$data['security'] = $this->security;

Have you tried passing the CSRF token data like it outlines here, http://www.codeigniter.com/user_guide/li...rgery-csrf ?
#3

yes, in my backend/application/config/config.php :

Code:
$config['global_xss_filtering'] = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'dp_csrf_tk';
$config['csrf_cookie_name'] = 'dp_csrf_ck';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

I remade the controller, setting name/hash:

PHP Code:
$data['csrf'] = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);
$this->load->view( 'categories/edit', $data );

but it seems that was not the cause of the problem.

In my form there is a line like:

Code:
<input type="hidden" name="dp_csrf_tk" value="b0e299db72dba3d32fa60565ebe05662" />

This page is a category editor with 2 fields, name and description, and a listing of images. Without the hidden input above, trying to submit this form I got the error:
The action you have requested is not allowed.

But this csrf protection is for the form with the post method. I upload / show / delete images with the methods I mentioned above.
So in the source I see 2 similar methods, one working ok, the second raising error 403 (Forbidden):

VALID REQUEST:

Code:
    var post_data = {
        'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
    };
    alert( "loadCategoryImages LISTING post_data::"+var_dump(post_data) );
    jQuery.ajax({
        url: "http://local-displo-wp.com/backend/en/categories/load_category_images?category_id="+category_id+"&category_name="+encodeURIComponent(category_name),
        type: 'POST',
        data: post_data,
        dataType: 'json',
        success: function(result) {
            ...
        }
    });

INVALID REQUEST with error 403 (Forbidden):

Code:
    var post_data = {
        'dp_csrf_tk' : 'aeebc203bca894d36aad8d41e04f43de'
    };
    alert( "deleteCategoryImage post_data::"+var_dump(post_data) );
    jQuery.ajax({
        url: "http://local-displo-wp.com/backend/en/categories/delete_category_image?category_id=" + encodeURIComponent(category_id) + '&image_name='+encodeURIComponent(image_name),
        type: 'POST',
        data: post_data,
        dataType: 'json',
        success: function(result) {
            ...
        }
    });


I do not see the difference...

and after putting in the config the url from the second (failing) request:

PHP Code:
$config['csrf_exclude_uris'] = array('categories/delete_category_image');

I have the same error 403 (Forbidden).