Fix CSRF check for GET requests

2026-01-09 03:32:00 +09:00 · 2017-04-23 14:51:41 +09:00 · 2017-04-23 14:51:41 +09:00 · 2822191271
commit 2822191271
parent fa5c7afce2
2 changed files with 21 additions and 5 deletions
--- a/common/framework/security.php
+++ b/common/framework/security.php
@ -307,11 +307,7 @@ class Security
 	 */
 	public static function checkCSRF($referer = null)
 	{
-		if ($_SERVER['REQUEST_METHOD'] === 'GET')
-		{
-			return true;
-		}
-		elseif ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])
+		if ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])
 		{
 			return Session::verifyToken($token);
 		}
@ -319,6 +315,10 @@ class Security
 		{
 			return Session::verifyToken($token);
 		}
+		elseif ($_SERVER['REQUEST_METHOD'] === 'GET')
+		{
+			return false;
+		}
 		else
 		{
 			if (Session::getMemberSrl())