Welcome Guest, Not a member yet? Register   Sign In
Let's make auto routes disable
#1

(This post was last modified: 02-21-2022, 07:51 PM by kenjis.)

Auto routes are really dangerous. It could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.

For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/
If you build the tutorial app, an attacker could get list of users without token.

How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false); 
See https://codeigniter4.github.io/userguide...outes-only
Reply
#2

Maybe disable auto routes by default?
protected $autoRoute = true;


And this can also be removed from the default config.
PHP Code:
$routes->setDefaultController('Home');
$routes->setDefaultMethod('index');
$routes->setTranslateURIDashes(false);
$routes->set404Override();
$routes->setAutoRoute(true); 
Reply
#3

(02-21-2022, 09:54 PM)iRedds Wrote: Maybe disable auto routes by default?

I would like to disable it by default in v5.0.
Reply
#4

I agree remove it in version 5.0. I always run with it false.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#5

If we talk about version 5, then it seems to me that it is better to move auto routes out of the framework into a separate package.
Reply
#6

(02-21-2022, 07:45 PM)kenjis Wrote: Auto routes are really dangerous. It could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.

For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/
If you build the tutorial app, an attacker could get list of users without token.

How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false); 
See https://codeigniter4.github.io/userguide...outes-only

I thought was my self been asking this issue oooh we are many???? C_i needs to sort this by alternating this autoroute
Do Codeigniter Before Do You!
yekrinaDigitals

Reply
#7

I think having them disabled by default is a good setting for the next release.
Reply
#8

@kilishan Do you mean in v4.2.0?
Reply
#9

@kenjis yes, 4.2
Reply
#10

Awesome
Reply




Theme © iAndrew 2016 - Forum software by © MyBB