From 36b34b0dc1e029c9686c771ba27f2d960b4afda4 Mon Sep 17 00:00:00 2001
From: Oleg Baturin
Date: Thu, 28 Nov 2024 12:01:15 +0700
Subject: [PATCH] fix 'unafe' typo
---
 framework/web/Request.php | 4 ++--
 tests/framework/web/RequestTest.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/framework/web/Request.php b/framework/web/Request.php
index 0e6af8cbee9..312654fc679 100644
--- a/framework/web/Request.php
+++ b/framework/web/Request.php
@@ -140,7 +140,7 @@ class Request extends \yii\base\Request
 * This property is used only when both [[enableCsrfValidation]] and [[validateCsrfHeaderOnly]] are true.
 * @see https://fetch.spec.whatwg.org/#http-cors-protocol
 */
- public $csrfHeaderUnafeMethods = ['GET', 'HEAD', 'POST'];
+ public $csrfHeaderUnsafeMethods = ['GET', 'HEAD', 'POST'];
 /**
 * @var bool whether to use custom header only to CSRF validation of SPA. Defaults to false.
 * If false and [[enableCsrfValidation]] is true, CSRF validation by token will used.
@@ -1897,7 +1897,7 @@ public function validateCsrfToken($clientSuppliedToken = null)
 $method = $this->getMethod();
 if ($this->validateCsrfHeaderOnly) {
- return in_array($method, $this->csrfHeaderUnafeMethods, true)
+ return in_array($method, $this->csrfHeaderUnsafeMethods, true)
 ? $this->headers->has($this->csrfHeader)
 : true;
 }
diff --git a/tests/framework/web/RequestTest.php b/tests/framework/web/RequestTest.php
index 1c29c4ed200..932392e187d 100644
--- a/tests/framework/web/RequestTest.php
+++ b/tests/framework/web/RequestTest.php
@@ -297,7 +297,7 @@ public function testCustomUnsafeMethodsCsrfHeaderValidation()
 $this->mockWebApplication();
 $request = new Request();
- $request->csrfHeaderUnafeMethods = ['POST'];
+ $request->csrfHeaderUnsafeMethods = ['POST'];
 $request->validateCsrfHeaderOnly = true;
 $request->enableCsrfValidation = true;
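Review bot: The public property renamed in the first hunk of framework/web/Request.php is a CSRF configuration key, and the patch leaves no trace of the old spelling for anyone who already set `csrfHeaderUnafeMethods` in their request component config. After this change `validateCsrfToken()` (second hunk, body continues outside it) reads only `csrfHeaderUnsafeMethods`, so a custom method list supplied under the old name is no longer consulted. Presumably the base component's property handling rejects the unknown name loudly rather than silently falling back to the default list, but that is not visible here and is worth confirming. Whether the misspelled name ever shipped in a release is also not visible; if it did, add an upgrade note and a docblock line such as `* Note: this property was previously misspelled "csrfHeaderUnafeMethods"; update any configuration that uses the old name.`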