Fix the check for safe HTTP verbs
authorAlexander Ebert <ebert@woltlab.com>
Tue, 15 Nov 2022 11:55:52 +0000 (12:55 +0100)
committerGitHub <noreply@github.com>
Tue, 15 Nov 2022 11:55:52 +0000 (12:55 +0100)
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
wcfsetup/install/files/lib/http/middleware/Xsrf.class.php

index 2ba683fb267b1a7f34f550cc2bf393cc318ed957..3e062e3e41d6298e69cbb65135c8c5f3feb501ba 100644 (file)
@@ -54,7 +54,7 @@ final class Xsrf implements MiddlewareInterface
         );
 
         if (
-            $this->isSafeHttpMethod($request->getMethod())
+            !$this->isSafeHttpMethod($request->getMethod())
             && $this->requestHandler->getActiveRequest()
         ) {
             $this->assertHasValidXsrfToken($this->requestHandler->getActiveRequest(), $hasValidXsrfToken);
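Review bot: The corrected condition still skips the token assertion for an unsafe method whenever `getActiveRequest()` returns a falsy value, and nothing visible in the hunk says whether that state is reachable or intended. If it is intended, a comment above the `if` would record why, for example `// Without an active request no controller is dispatched, so there is no state change to protect.`, once the author confirms that holds. Because the inverted check meant unsafe requests were not asserted at all, this fix should come with a regression test: an unsafe-method request without a valid token is rejected, and GET and HEAD pass without one. Only GET and HEAD count as safe in `isSafeHttpMethod()`, so any controller that changes state on those verbs is now exempt from this middleware and is worth auditing. The enclosing method starts and ends outside the hunk.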
@@ -69,7 +69,7 @@ final class Xsrf implements MiddlewareInterface
         return $verb === 'GET' || $verb === 'HEAD';
     }
 
-    private function assertHasValidXsrfToken(Request $request, $hasValidXsrfToken): void
+    private function assertHasValidXsrfToken(Request $request, bool $hasValidXsrfToken): void
     {
         if (!\is_subclass_of($request->getClassName(), RequestHandlerInterface::class)) {
             // Skip the XSRF check for legacy controllers.