Normalize paths to always have a leading slash when comparing against…

… the CSRF blacklist (#775)
userfrosting · Aug 9, 2017 · 8f3a40d · 8f3a40d
1 parent ef78c7a
commit 8f3a40d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Change Log
 
 ## v4.1.8-alpha
+- Normalize paths to always have a leading slash when comparing against the CSRF blacklist (#775)
 - Reimplement `Builder::exclude` to maintain a list of excluded columns, and then automatically update list of columns to fetch in `get()`
 - Deprecate `Model::queryBuilder` and `Model::export`
 - Update nginx config file from spdy to http2

diff --git a/app/sprinkles/core/src/Core.php b/app/sprinkles/core/src/Core.php
@@ -36,16 +36,17 @@ public static function getSubscribedEvents()
      */
     public function onAddGlobalMiddleware(Event $event)
     {
-        // Hacky fix to prevent sessions from being hit too much: ignore CSRF middleware for requests for raw assets ;-)
-        // See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
         $request = $this->ci->request;
         $path = $request->getUri()->getPath();
         $method = $request->getMethod();
 
-        $csrfBlacklist = $this->ci->config['csrf.blacklist'];
+        // Normalize path to always have a leading slash
+        $path = '/' . ltrim($path, '/');
 
+        $csrfBlacklist = $this->ci->config['csrf.blacklist'];
         $isBlacklisted = false;
 
+        // Go through the blacklist and determine if the path and method match any of the blacklist entries.
         foreach ($csrfBlacklist as $pattern => $methods) {
             $methods = array_map('strtoupper', (array) $methods);
             if (in_array($method, $methods) && $pattern != '' && preg_match('~' . $pattern . '~', $path)) {

diff --git a/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php b/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
@@ -240,9 +240,10 @@ public function register(ContainerInterface $container)
                 $config['site.uri.public'] = trim($public, '/');
             }
 
-            // Add asset URLs to the CSRF blacklist
+            // Hacky fix to prevent sessions from being hit too much: ignore CSRF middleware for requests for raw assets ;-)
+            // See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
             $csrfBlacklist = $config['csrf.blacklist'];
-            $csrfBlacklist['^' . $config['assets.raw.path']] = [
+            $csrfBlacklist['^/' . $config['assets.raw.path']] = [
                 'GET'
             ];