From 4dfb3facb4b8144825950a83f10f6134f2de983c Mon Sep 17 00:00:00 2001
From: Gusted
Date: Thu, 21 Aug 2025 00:39:06 +0200
Subject: [PATCH] fix: validate CSRF on non-safe methods

- CSRF has to be validated for any request that can change the state, in practice this means any HTTP request where the method isn't GET/HEAD/OPTIONS.
- The code only considered POST to be a state-changing request.
- Forgejo has several PUT/DELETE (that changes state) routes for which no CSRF was being validated.
- Change the code to validate CSRF for all non-"safe" methods.
---
 routers/web/web.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index a47ce2bff7..43ce0dba6d 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -192,7 +192,8 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
 return
 }
 
- if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
+ safeMethod := ctx.Req.Method == "GET" || ctx.Req.Method == "HEAD" || ctx.Req.Method == "OPTIONS"
+ if !options.SignOutRequired && !options.DisableCSRF && !safeMethod {
 ctx.Csrf.Validate(ctx)
 if ctx.Written() {
 return
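Review bot: The new `safeMethod` line compares `ctx.Req.Method` against bare string literals; the `net/http` constants are typo-proof and read better, e.g. `safeMethod := ctx.Req.Method == http.MethodGet || ctx.Req.Method == http.MethodHead || ctx.Req.Method == http.MethodOptions` (assuming `net/http` is already imported in this file, which the hunk does not show). It would also help to state the intent above that line with a comment such as `// Safe methods (RFC 9110 §9.2.1) must not change state, so CSRF is validated for every other method; TRACE and unknown method tokens deliberately land on the validated side.` Note that the check fails closed: anything not in the allow-list, including an unexpected or oddly-cased method token, goes through ctx.Csrf.Validate, which is the right default for this middleware. The closure returned by verifyAuthWithOptions begins and ends outside the hunk.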