Description
Describe the bug
https://forum.codeigniter.com/thread-79028.html
If method spoofing is used in the html form, then the validation class cannot receive data when using Validation::withRequest() if the enctype="multipart/form-data" attribute was set.
If the method is defined as put, patch or delete, then the validation class tries to get data from the request body (php://input). But if multipart/form-data is used then php://input will be empty.
https://www.php.net/manual/en/wrappers.php.php#wrappers.php.input
CodeIgniter 4 version
4.1.1 and develop
Affected module(s)
Validation class
Expected behavior, and steps to reproduce if appropriate
Expected behavior: When using encoding and multipart/form-data and method spoofing, do not use reading from php://input
Bug reproduction:
// Route
$routes->add('/', 'Home::index');
// controller method
if ($this->request->getMethod() !== 'get') {
$rules = ['test' => 'required'];
if (! $this->validate($rules)) {
dd($this->validator->getErrors(), $this->request->getVar());
}
} else {
echo '<form action="/" method="post" enctype="multipart/form-data">
<input type="hidden" name="_method" value="put">
<input type="text" name="test" value="passed">
<input type="submit">
</form>';
}Context
- OS: Windows 7
- Web server PHP
- PHP version 7.3
Activity