0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Middleware/RateLimitMiddleware.php:61

Bug: GET + POST of overlapping paths share the counter.

Fix: Include method in the key.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:54pm

Resolved.

RateLimitMiddleware now includes the HTTP method in the hash key (src/Middleware/RateLimitMiddleware.php):

$key = hash('sha256', $ip . '|' . $method . '|' . $path, true);

GET and POST to the same path no longer share a counter. A benign user's GET traffic against a route that collides with a write-path POST can't suppress their ability to make POSTs.

Locking this thread.
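
Added example, not part of the thread or the project's code: a constructed in-memory limiter that compares the key posted above with a key that omits the method (assumed here to be the pre-fix shape). `DemoLimiter`, the function names, the limit of 3, the IP and the path are all hypothetical; with the method-less key the POST that follows three GETs is rejected, with the posted key it is allowed.

```php
<?php
declare(strict_types=1);

// Constructed demo, not the project's middleware: an in-memory counter
// keyed two ways to show the effect of adding the method to the key.

// Assumed pre-fix key shape: the method is absent, so verbs share a bucket.
function keyWithoutMethod(string $ip, string $method, string $path): string
{
    return hash('sha256', $ip . '|' . $path, true);
}

// Key as posted in the thread: the method is part of the hashed input.
function keyWithMethod(string $ip, string $method, string $path): string
{
    return hash('sha256', $ip . '|' . $method . '|' . $path, true);
}

// Hypothetical limiter: allows $limit hits per key, then rejects.
final class DemoLimiter
{
    /** @var array<string,int> */
    private array $hits = [];

    public function __construct(private \Closure $keyFn, private int $limit) {}

    public function allow(string $ip, string $method, string $path): bool
    {
        // Hex-encode the raw digest so it is a printable array key.
        $key = bin2hex(($this->keyFn)($ip, $method, $path));
        $this->hits[$key] = ($this->hits[$key] ?? 0) + 1;
        return $this->hits[$key] <= $this->limit;
    }
}

// Constructed traffic: three GETs use up a limit of 3, then one POST arrives.
function postAllowedAfterGets(callable $keyFn): bool
{
    $limiter = new DemoLimiter(\Closure::fromCallable($keyFn), 3);
    for ($i = 0; $i < 3; $i++) {
        $limiter->allow('203.0.113.7', 'GET', '/api/items');
    }
    return $limiter->allow('203.0.113.7', 'POST', '/api/items');
}

var_dump(postAllowedAfterGets('keyWithoutMethod')); // GET and POST share one bucket
var_dump(postAllowedAfterGets('keyWithMethod'));    // GET and POST counted separately
```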
