class ValidateCsrfByGet extends CHttpRequest
{
    // Handler attached to Yii's onBeginRequest event when enableCsrfValidation is on
    public function validateCsrfToken($event)
    {
        if($this->getIsPostRequest())
        {
            // only validate POST requests
            $cookies=$this->getCookies();
            if($cookies->contains($this->csrfTokenName) && isset($_POST[$this->csrfTokenName]))
            {
                // double-submit cookie: token in the cookie must match the token posted in the form
                $tokenFromCookie=$cookies->itemAt($this->csrfTokenName)->value;
                $tokenFromPost=$_POST[$this->csrfTokenName];
                $valid=$tokenFromCookie===$tokenFromPost;
            }
            else
                $valid=false;
            if(!$valid)
                throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.'));
        }
    }
}
I was expecting to be able to make changes to this function and those to affect the CSRF check in any forms on the site. Even when I only have the throw exception line, no forms are affected.
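The check the subclass above performs, pulled out into a stand-alone PHP function so it can be exercised from the command line against constructed cookie and POST arrays. This is an added example, not code from the question or from the Yii framework; the function name csrfTokenIsValid and the sample requests are my own, and the token name assumes Yii 1.x's default of YII_CSRF_TOKEN.

```php
<?php
// Added example (not from the original post or from Yii): the double-submit
// cookie comparison behind CHttpRequest::validateCsrfToken(), written as a
// pure function so it can be run offline with constructed input.

// Default Yii 1.x token name; the live value comes from CHttpRequest::$csrfTokenName.
const CSRF_TOKEN_NAME = 'YII_CSRF_TOKEN';

/**
 * Returns true when the request is a POST that carries the same token in its
 * cookie and its body. Everything else fails closed, which is the case where
 * Yii raises the 400 "The CSRF token could not be verified." exception.
 * Non-POST requests are not checked, matching the framework's behaviour.
 */
function csrfTokenIsValid(string $method, array $cookies, array $post, string $name = CSRF_TOKEN_NAME): bool
{
    if ($method !== 'POST') {
        return true; // Yii 1.x only enforces the check on POST requests
    }
    if (!isset($cookies[$name], $post[$name])) {
        return false; // token missing on either side: reject
    }
    // hash_equals compares in constant time so a mismatch position is not
    // observable through timing, unlike === on strings.
    return hash_equals((string) $cookies[$name], (string) $post[$name]);
}

// Small self-check helper (assert() may be compiled out in production php.ini).
function check(bool $condition, string $label): void
{
    if (!$condition) {
        fwrite(STDERR, "FAILED: $label\n");
        exit(1);
    }
    echo "ok: $label\n";
}

// Constructed sample requests; the token is generated here, not taken from any real site.
$token = bin2hex(random_bytes(16));

check(csrfTokenIsValid('POST', [CSRF_TOKEN_NAME => $token], [CSRF_TOKEN_NAME => $token]),
      'POST with matching cookie and body token is accepted');
check(!csrfTokenIsValid('POST', [CSRF_TOKEN_NAME => $token], []),
      'POST with token only in the cookie is rejected');
check(!csrfTokenIsValid('POST', [CSRF_TOKEN_NAME => $token], [CSRF_TOKEN_NAME => 'tampered']),
      'POST with a different body token is rejected');
check(!csrfTokenIsValid('POST', [], [CSRF_TOKEN_NAME => $token]),
      'POST with token only in the body is rejected');
check(csrfTokenIsValid('GET', [], []),
      'GET requests are not subject to the check');
```

Run it with `php csrf_check.php`. Note that in Yii 1.x the overridden method is only ever called if the subclass is the application's request component and CSRF validation is switched on, i.e. the config needs `'request' => array('class' => 'ValidateCsrfByGet', 'enableCsrfValidation' => true)`; with the default CHttpRequest still registered, or with enableCsrfValidation left false, the handler is never attached to onBeginRequest and edits to it have no visible effect on any form.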
In case anyone was looking for a clean solution to this problem, I forked file-uploader and added the ability to add POST key/value pairs. When creating your file uploader, set encoding to ‘multipart’, and pass in your CSRF token into multipartParams. It will arrive as a $_POST parameter and your CSRF protection will work as expected.