• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[SOLVED] CSRF issue in only one controller

#1
Good morning,

I'm used to load ajax controllers with jquery ajax, I know that I must send  :
Code:
data: {'<?php echo $this->security->get_csrf_token_name(); ?>': '<?php echo $this->security->get_csrf_hash(); ?>'},

It works perfectly for all my contollers behind except one wich works when I disable CSRF protection but when I enable it the result is the CI 403 response.

This controler is an Elasticsearch proxy, I've made a workaround by  disabling CSRF on this controller and checking the csrf cookie by myself, but it's a little bit frustrating to not understand why I can't use it like the other ajax controllers.
This is the famous controller wich return 403 with csrf enabled :
PHP Code:
<?php
defined
('BASEPATH') OR exit('No direct script access allowed');
use 
Elastica\Client;
use 
Elastica\Request;

/**
 * Classe du proxy recevant les requêtes Ajax et les retransmet à ElasticSearch de façon sécurisée
 */
class EsProxy extends CI_Controller implements JsonSerializable {

 
   private $esHost;
 
   private $esPort1;
 
   private $esPort2;
 
   private $esIndex;
 
   private $esType;

 
   public function __construct() {
 
       parent::__construct();
 
       $this->load->helper('cookie');
 
       $this->load->library('session');
 
       
        $this
->esHost $this->config->item('esHost');
 
       $this->esPort1 $this->config->item('esPort1');
 
       $this->esPort2 $this->config->item('esPort2');
 
       $this->esIndex $this->config->item('esIndex');
 
       $this->esType $this->config->item('esTypeStages');
 
       
        
        
    
}

 
   public function jsonSerialize() {
 
       return (object) get_object_vars($this);
 
   }

 
   /**
     * 
     * @param type $request
     */
 
   public function index(string $request) {
 
       
        
// protection contre les request vides 
 
       //@todo filtrer caractères non alpha
 
       if($request===null || !is_string($request)){
 
           throw new Exception("Error : request is not a valid string request !");
 
       }
 
       
        if
($this->input->cookie('csrf_cookie_name') !==  $this->security->get_csrf_hash()){
 
           $this->output->set_status_header(403,"Request not allowed !");
 
       }

 
       // sécurisation de la source de la requête
 
       if ($_SERVER['REMOTE_ADDR'] === $this->config->item('esHost')) {

 
           //instanciation elastica
 
           $elasticaClient = new \Elastica\Client(array(
 
               'servers' => array(
 
                   array('host' => $this->esHost'port' => $this->esPort1),
 
                   array('host' => $this->esHost'port' => $this->esPort2)
 
                   
                
)
 
           ));
 
           
            
// paramètres elastica
 
           $index $elasticaClient->getIndex($this->esIndex);
 
           $index->getName($this->esIndex);
 
           $type $index->getType($this->esType);
 
           
            $query 
'{
                "from": 0, "size": 20,
                "query": {
                    "query_string": {
                        "fields": ["contenu^2", "objectifs", "intitule_stage^3", "mmp", "mots_cles^5"],
                        "query": "'
.$request.'~3"
                    }
                },
                "highlight": {
                    "order": "score",
                    "fields": {
                        "intitule_stage": {"fragment_size": 560, "number_of_fragments": 3, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "objectifs": {"fragment_size": 100, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "mmp": {"fragment_size": 60, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "mots_cles": {"fragment_size": 60, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]},
                        "contenu": {"fragment_size": 100, "pre_tags": ["<em class=\"highlight\">"], "post_tags": ["</em>"]}
                    }
                }
            }'
;
 
           
            $path 
$index->getName() . '/' $type->getName() . '/_search';
 
           
            $response 
$elasticaClient->request($pathRequest::GET$query);
 
           $responseArray $response->getData();
 
           
            
// entetes http json
 
           $this->output->set_content_type('application/json','utf-8');
 
           $this->output->set_output(json_encode($responseArray));
 
           
            
        
} else {
 
           throw new Exception("request source unauthorized ".$_SERVER['REMOTE_ADDR']);
 
       }
 
   }
 
   
    public 
function test(){
 
       $this->output->set_output('coucou');
 
   }



Do you have an answer to this curious issue ?

Thanks for your help  Wink
Reply

#2
Ok Ive found the solution it was about the contentType: "application/json; charset=utf-8" which empty the $POST vars delete this and it works like a charm !
I hope it will help.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
2 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2017 MyBB Group.