Fixed POST on non-existing route without CSRF token should not give status code 200

Kirby

Well-known member
Affected version
2.1.0 RC 2
Code:
<form action="https://xenforo.com/community/foobar" method="post">
<input type="submit" value="test">
</form>
Submitting this form results in a security error message and status code 200

Code:
<form action="https://xenforo.com/community/foobar">
<input type="submit" value="test">
</form>
This gives status code 404

This behaviour is different from XF 1.5 where both POST and GET resulted in a 404.
 
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.0 RC3).

Change log:
When dispatching directly to the error controller, bypass CSRF checking. This gives priority to a 404 response, for example. Additionally, CSRF error messages now return a 400 code (instead of 200).
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 