D17676.diff
No OneTemporary
Actions

Size

1 KB

Referenced Files

None

Subscribers

None

D17676.diff
View Options

	diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
	--- a/src/aphront/AphrontRequest.php
	+++ b/src/aphront/AphrontRequest.php
	@@ -256,8 +256,31 @@
	}

	$valid = $this->getUser()->validateCSRFToken($token);
	+
	+ // The CSRF check may not be valid if "security.require-https" is set but
	+ // the connection is plain HTTP. In this case, we don't send cookies to the
	+ // client, so they won't have an anonymous session cookie and won't be able
	+ // to pass the CSRF check.
	+
	+ // Note that this normally only happens for requests from inside
	+ // "cluster.addresses" (usually test installs on localhost). Other
	+ // connections will be redirected to HTTPS automatically. See T12547.
	if (!$valid) {
	+ $cookie_domain = $this->getCookieDomainURI();
	+ if (!$cookie_domain) {
	+ $message = pht(
	+ 'You are trying to issue a write request which requires a CSRF '.
	+ 'check, but this connection is HTTP and "security.require-https" '.
	+ 'is enabled, so CSRF cookies can not be set and writes can not be '.
	+ 'verfied. To continue, use HTTPS or disable the HTTPS requirement.');
	+
	+ throw new AphrontMalformedRequestException(
	+ pht('No Cookie Support (CSRF)'),
	+ $message);
	+ }
	+ }

	+ if (!$valid) {
	// Add some diagnostic details so we can figure out if some CSRF issues
	// are JS problems or people accessing Ajax URIs directly with their
	// browsers.