codeigniter4
diff --git a/‎system/Filters/Filters.php‎
Lines changed: 1 addition & 1 deletion b/‎system/Filters/Filters.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎system/Security/Security.php‎
Lines changed: 7 additions & 5 deletions b/‎system/Security/Security.php‎
Lines changed: 7 additions & 5 deletions
@@ -443,7 +443,7 @@ protected function processMethods()
         }
 
         // Request method won't be set for CLI-based requests
-        $method = strtolower($_SERVER['REQUEST_METHOD'] ?? 'cli');
+        $method = strtolower($this->request->getMethod()) ?? 'cli';
 
         if (array_key_exists($method, $this->config->methods)) {
             $this->filters['before'] = array_merge($this->filters['before'], $this->config->methods[$method]);
 
@@ -259,18 +259,20 @@ public function getCSRFTokenName(): string
      *
      * @throws SecurityException
      *
-     * @return $this|false
+     * @return $this
      */
     public function verify(RequestInterface $request)
     {
-        // If it's not a POST request we will set the CSRF cookie.
-        if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
-            return $this->sendCookie($request);
+        // Protects POST, PUT, DELETE, PATCH
+        $method           = strtoupper($request->getMethod());
+        $methodsToProtect = ['POST', 'PUT', 'DELETE', 'PATCH'];
+        if (! in_array($method, $methodsToProtect, true)) {
+            return $this;
         }
 
         $token = $this->getPostedToken($request);
 
-        // Does the tokens exist in both the POST/POSTed JSON and COOKIE arrays and match?
+        // Do the tokens match?
         if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
             throw SecurityException::forDisallowedAction();
         }
Original file line number	Diff line number	Diff line change
`@@ -443,7 +443,7 @@ protected function processMethods()`
`443`	`443`	`}`
`444`	`444`
`445`	`445`	`// Request method won't be set for CLI-based requests`
`446`		`- $method = strtolower($_SERVER['REQUEST_METHOD'] ?? 'cli');`
	`446`	`+ $method = strtolower($this->request->getMethod()) ?? 'cli';`
`447`	`447`
`448`	`448`	`if (array_key_exists($method, $this->config->methods)) {`
`449`	`449`	`$this->filters['before'] = array_merge($this->filters['before'], $this->config->methods[$method]);`
Original file line number	Diff line number	Diff line change
`@@ -259,18 +259,20 @@ public function getCSRFTokenName(): string`
`259`	`259`	`*`
`260`	`260`	`* @throws SecurityException`
`261`	`261`	`*`
`262`		`- * @return $this\|false`
	`262`	`+ * @return $this`
`263`	`263`	`*/`
`264`	`264`	`public function verify(RequestInterface $request)`
`265`	`265`	`{`
`266`		`- // If it's not a POST request we will set the CSRF cookie.`
`267`		`- if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {`
`268`		`- return $this->sendCookie($request);`
	`266`	`+ // Protects POST, PUT, DELETE, PATCH`
	`267`	`+ $method = strtoupper($request->getMethod());`
	`268`	`+ $methodsToProtect = ['POST', 'PUT', 'DELETE', 'PATCH'];`
	`269`	`+ if (! in_array($method, $methodsToProtect, true)) {`
	`270`	`+ return $this;`
`269`	`271`	`}`
`270`	`272`
`271`	`273`	`$token = $this->getPostedToken($request);`
`272`	`274`
`273`		`- // Does the tokens exist in both the POST/POSTed JSON and COOKIE arrays and match?`
	`275`	`+ // Do the tokens match?`
`274`	`276`	`if (! isset($token, $this->hash) \|\| ! hash_equals($this->hash, $token)) {`
`275`	`277`	`throw SecurityException::forDisallowedAction();`
`276`	`278`	`}`