
Bug: system/Security/Security.php(289): CodeIgniter\Security\Exceptions\SecurityException::forDisallowedAction() #5744

Closed
stresbiz opened this issue Feb 25, 2022 · 5 comments

Comments

@stresbiz

PHP Version

7.4

CodeIgniter4 Version

4.1.8

CodeIgniter4 Installation Method

Manual (zip or tar.gz)

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

No response

What happened?

Throughout our error logs, we are seeing 100s of the below CSRF errors:

```text
CRITICAL - 2022-02-24 19:49:22 --> The action you requested is not allowed.
#0 /home/system/Security/Security.php(289): CodeIgniter\Security\Exceptions\SecurityException::forDisallowedAction()
#1 /home/system/Filters/CSRF.php(53): CodeIgniter\Security\Security->verify(Object(CodeIgniter\HTTP\IncomingRequest))
#2 /home/system/Filters/Filters.php(173): CodeIgniter\Filters\CSRF->before(Object(CodeIgniter\HTTP\IncomingRequest), NULL)
#3 /home/system/CodeIgniter.php(386): CodeIgniter\Filters\Filters->run('controller...', 'before')
#4 /home/system/CodeIgniter.php(320): CodeIgniter\CodeIgniter->handleRequest(NULL, Object(Config\Cache), false)
#5 /home/public/index.php(37): CodeIgniter\CodeIgniter->run()
#6 {main}
```

It looks like this is the SecurityException being thrown from the Security.php class:

```php
// Do the tokens match? Both the submitted token and the stored hash must exist,
// and they are compared with hash_equals() to avoid a timing side channel.
if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
    throw SecurityException::forDisallowedAction();
}
```

If the tokens do not match then perhaps there is a different way to handle this, as opposed to hammering the logs with these errors / exceptions.

Steps to Reproduce

Turn on CSRF protection.

Expected Output

N/A

Anything else?

No response

@stresbiz stresbiz added the bug Verified issues on the current code behavior or pull requests that will fix them label Feb 25, 2022
@kenjis kenjis removed the bug Verified issues on the current code behavior or pull requests that will fix them label Feb 25, 2022
@kenjis
Member

kenjis commented Feb 25, 2022

I recommend you check your app carefully.
The exception never happens with normal operations.
Your site (your user) is being attacked, or something is wrong with your app config.

@kenjis kenjis closed this as completed Feb 25, 2022
@stresbiz
Author

> I recommend you check your app carefully. The exception never happens with normal operations. Your site is attacked or your app config is something wrong.

If it is some kind of bot attack, how could we prevent this exception from occurring? We've tested the form repeatedly and cannot reproduce the error.

@kenjis
Member

kenjis commented Feb 25, 2022

We use GitHub issues to track BUGS and to track approved DEVELOPMENT work packages. We use our forum to provide SUPPORT and to discuss FEATURE REQUESTS.

If you raise an issue here that pertains to support or a feature request, it will be closed! If you are not sure if you have found a bug, raise a thread on the forum first - someone else may have encountered the same thing.
https://github.com/codeigniter4/CodeIgniter4#repository-management

@kenjis
Member

kenjis commented Feb 25, 2022

> If it is some kind of bot attack, how could prevent this exception from occurring?

Create your own CSRF filter based on CodeIgniter\Filters\CSRF.
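As an added illustration of that suggestion (example code, not part of this thread or of the CodeIgniter project), the following filter does the same verification as the stock `CodeIgniter\Filters\CSRF` but, when the token check fails, writes one compact WARNING line and returns a 403 instead of letting `SecurityException` propagate to the exception handler with a full stack trace at CRITICAL. The class name `App\Filters\QuietCsrf` and the log wording are assumptions; the framework calls it uses (`Services::security()`, `Security::verify()`, `Security::shouldRedirect()`, `log_message()`, `redirect()`, `Services::response()`) are the ones the stock filter and CI4 helpers expose.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Security\Exceptions\SecurityException;
use Config\Services;

/**
 * Hypothetical replacement for CodeIgniter\Filters\CSRF (class name is an
 * assumption, not part of the framework). Verification is unchanged; only the
 * handling of a mismatch differs: one WARNING line and a 403 response instead
 * of an uncaught exception and a stack trace in the log.
 */
class QuietCsrf implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // CLI requests carry no CSRF token; the stock filter skips them too.
        if ($request->isCLI()) {
            return;
        }

        $security = Services::security();

        try {
            // Same check as the stock filter: throws SecurityException on mismatch.
            $security->verify($request);
        } catch (SecurityException $e) {
            // Keep the stock behaviour for browser form posts when the
            // config asks for a redirect back to the form.
            if ($security->shouldRedirect() && ! $request->isAJAX()) {
                return redirect()->back()->with('error', $e->getMessage());
            }

            // One line with what an operator needs to notice a scripted
            // campaign (source IP, method, path), without a stack trace.
            log_message('warning', 'CSRF token mismatch from {ip} on {method} {path}', [
                'ip'     => $request->getIPAddress(),
                'method' => strtoupper($request->getMethod()),
                'path'   => $request->getUri()->getPath(),
            ]);

            // Returning a Response from before() short-circuits the request:
            // the controller never runs and nothing reaches the exception handler.
            return Services::response()
                ->setStatusCode(403)
                ->setBody('The action you requested is not allowed.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do once the controller has produced its response.
    }
}
```

To use it, point the `csrf` alias in `app/Config/Filters.php` at this class (`'csrf' => \App\Filters\QuietCsrf::class`) so existing `$globals` / route filter settings keep working. The request is still refused exactly as before; only the log volume and level change, so a sudden burst of these WARNING lines from a few source addresses remains the signal to watch for.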

@stresbiz
Author

Thank you for your responses and assistance.
