fix: ensure csrf token is string

Ngô Quốc Đạt · web-flow · commit f4279483e6c5 · 2025-01-03T10:41:32.000+07:00
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -307,6 +307,10 @@ private function getPostedToken(RequestInterface $request): ?string
         // Does the token exist in POST, HEADER or optionally php:://input - json data or PUT, DELETE, PATCH - raw data.
 
         if ($tokenValue = $request->getPost($this->config->tokenName)) {
+            if (! is_string($tokenValue)) {
+                return null;
+            }
+
             return $tokenValue;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -307,6 +307,10 @@ private function getPostedToken(RequestInterface $request): ?string`
`307`	`307`	`// Does the token exist in POST, HEADER or optionally php:://input - json data or PUT, DELETE, PATCH - raw data.`
`308`	`308`
`309`	`309`	`if ($tokenValue = $request->getPost($this->config->tokenName)) {`
	`310`	`+ if (! is_string($tokenValue)) {`
	`311`	`+ return null;`
	`312`	`+ }`
	`313`	`+`
`310`	`314`	`return $tokenValue;`
`311`	`315`	`}`
`312`	`316`