apply changes from code review

michalsn · michalsn · commit 5734dd302efa · 2023-09-15T10:14:48.000+02:00
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -325,7 +325,7 @@ private function removeTokenInRequest(RequestInterface $request): void
         } else {
             $body = $request->getBody() ?? '';
             $json = json_decode($body);
-            if (! empty($json) && json_last_error() === JSON_ERROR_NONE) {
+            if ($json !== null && json_last_error() === JSON_ERROR_NONE) {
                 // We kill this since we're done and we don't want to pollute the JSON data.
                 unset($json->{$this->config->tokenName});
                 $request->setBody(json_encode($json));
@@ -356,7 +356,7 @@ private function getPostedToken(RequestInterface $request): ?string
 
         if ($body !== '') {
             $json = json_decode($body);
-            if (! empty($json) && json_last_error() === JSON_ERROR_NONE) {
+            if ($json !== null && json_last_error() === JSON_ERROR_NONE) {
                 return $json->{$this->config->tokenName} ?? null;
             }
 
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
@@ -206,6 +206,8 @@ The order of checking the availability of the CSRF token is as follows:
 3. ``php://input`` (JSON request) - bear in mind that this approach is the slowest one since we have to decode JSON and then re-encode it
 4. ``php://input`` (raw body) - for PUT, PATCH, and DELETE type of requests
 
+.. note:: ``php://input`` (raw body) is checked since v4.4.2.
+
 *********************
 Other Helpful Methods
 *********************
