fix(COLDBOX-1406): restrict HTTP method spoofing to POST requests only#673
Merged
Merged
Conversation
- `getHTTPMethod()` now only honors the `_method` override when the transport-level request method is POST, and only for PUT, PATCH, or DELETE targets. Any other original method (GET, HEAD, PUT, …) is returned unchanged, closing the CSRF-style attack surface described in COLDBOX-1406. - Added `getOriginalHTTPMethod()` that always returns the raw CGI.REQUEST_METHOD, letting interceptors/logging distinguish transport vs effective method. - Covered all combinations with unit tests in RequestContextTest.
Copilot
AI
changed the title
[WIP] Fix method spoofing to restrict HTTP method usage
fix(COLDBOX-1406): restrict HTTP method spoofing to POST requests only
Jul 14, 2026
lmajano
marked this pull request as ready for review
July 15, 2026 00:30
Contributor
|
@lmajano, just a heads-up that this issue affects Coldbox 7 as well. Let me know if you want me to create a separate Jira issue. I didn't see a way to tag both Coldbox 8 and 7 in the same issue. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
getHTTPMethod()honored the_methodrequest parameter from any HTTP verb, meaning a GET request with?_method=DELETEwould pass DELETE-onlyallowedMethodschecks — enabling CSRF-style attacks via<img>tags, crawlers, or prefetch.Changes
RequestContext::getHTTPMethod()— now only applies the_methodoverride whenCGI.REQUEST_METHODisPOST, and only forPUT,PATCH, orDELETEtargets. All other original methods are returned unchanged.RequestContext::getOriginalHTTPMethod()— new method that always returns the raw transport-levelCGI.REQUEST_METHOD, regardless of any_methodparameter. Useful for interceptors, security modules, and logging._methodGETDELETEGET— override ignoredHEADDELETEHEAD— override ignoredPOSTDELETEDELETE✓POSTPUTPUT✓POSTPATCHPATCH✓POSTGETPOST— invalid override ignoredUnit tests added for all combinations above.