Commit ca1cb27

committed
feature #9252 [FrameworkBundle] Only enable CSRF protection when enabled in config (asm89)
This PR was squashed before being merged into the master branch (closes #9252). Discussion ---------- [FrameworkBundle] Only enable CSRF protection when enabled in config | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | maybe? | Deprecations? | no | Tests pass? | I hope, master was already broken here | License | MIT bf85e83 introduced new service configuration for CSRF protection in the frameworkbundle. It is always enabled even if you don't use it. Since it also depends on enabling the session that's not so nice. Commits ------- 60dce14 [FrameworkBundle] Only enable CSRF protection when enabled in config
2 parents a8acbf8 + 60dce14 commit ca1cb27

24 files changed

+292
-23
lines changed

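--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -78,6 +78,7 @@ public function getConfigTreeBuilder()
 ->end()
 ;
 
+$this->addCsrfSection($rootNode);
 $this->addFormSection($rootNode);
 $this->addEsiSection($rootNode);
 $this->addFragmentsSection($rootNode);
@@ -93,18 +94,37 @@ public function getConfigTreeBuilder()
 return $treeBuilder;
 }
 
+private function addCsrfSection(ArrayNodeDefinition $rootNode)
+{
+$rootNode
+->children()
+->arrayNode('csrf_protection')
+->canBeEnabled()
+->children()
+->scalarNode('field_name')
+->defaultValue('_token')
+->info('Deprecated: use form.csrf_protection.field_name instead.')
+->end()
+->end()
+->end()
+->end()
+;
+}
+
 private function addFormSection(ArrayNodeDefinition $rootNode)
 {
 $rootNode
 ->children()
 ->arrayNode('form')
 ->info('form configuration')
 ->canBeEnabled()
-->end()
-->arrayNode('csrf_protection')
-->canBeDisabled()
 ->children()
-->scalarNode('field_name')->defaultValue('_token')->end()
+->arrayNode('csrf_protection')
+->canBeDisabled()
+->children()
+->scalarNode('field_name')->defaultNull()->end()
+->end()
+->end()
 ->end()
 ->end()
 ->end()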
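Review bot: The `csrf_protection` node added in addCsrfSection carries no `->info()`, while its `field_name` child is labelled deprecated in favour of `form.csrf_protection.field_name`, whose own default is `null` (`->defaultNull()` in the form section) — so a reader of the config reference sees a deprecated key that is still the effective default and gets no hint that the node needs the session. Suggest `->info('CSRF protection services; requires the session to be enabled.')` directly under the `->arrayNode('csrf_protection')` line in addCsrfSection. Note also that `form.csrf_protection` is `canBeDisabled()` (on by default) while the top-level node is `canBeEnabled()` (off by default); if that asymmetry is meant to force an explicit opt-in, a sentence in the node info saying so would spare users the LogicException at container build time.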

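--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -31,6 +31,7 @@
 class FrameworkExtension extends Extension
 {
 private $formConfigEnabled = false;
+private $sessionConfigEnabled = false;
 
 /**
 * Responds to the app.config configuration parameter.
@@ -56,10 +57,6 @@ public function load(array $configs, ContainerBuilder $container)
 
 $loader->load('debug_prod.xml');
 
-// Enable services for CSRF protection (even without forms)
-$loader->load('security.xml');
-$loader->load('security_csrf.xml');
-
 if ($container->getParameter('kernel.debug')) {
 $loader->load('debug.xml');
 
@@ -92,9 +89,14 @@ public function load(array $configs, ContainerBuilder $container)
 }
 
 if (isset($config['session'])) {
+$this->sessionConfigEnabled = true;
 $this->registerSessionConfiguration($config['session'], $container, $loader);
 }
 
+$loader->load('security.xml');
+
+$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
 if ($this->isConfigEnabled($container, $config['form'])) {
 $this->formConfigEnabled = true;
 $this->registerFormConfiguration($config, $container, $loader);
@@ -158,15 +160,20 @@ public function load(array $configs, ContainerBuilder $container)
 private function registerFormConfiguration($config, ContainerBuilder $container, XmlFileLoader $loader)
 {
 $loader->load('form.xml');
-if ($this->isConfigEnabled($container, $config['csrf_protection'])) {
-if (!isset($config['session'])) {
-throw new \LogicException('CSRF protection needs that sessions are enabled.');
+if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+if (!$this->isConfigEnabled($container, $config['csrf_protection'])) {
+throw new \LogicException('CSRF protection needs to be enabled in order to use CSRF protection for forms.');
 }
 
 $loader->load('form_csrf.xml');
 
 $container->setParameter('form.type_extension.csrf.enabled', true);
-$container->setParameter('form.type_extension.csrf.field_name', $config['csrf_protection']['field_name']);
+
+if (null !== $config['form']['csrf_protection']['field_name']) {
+$container->setParameter('form.type_extension.csrf.field_name', $config['form']['csrf_protection']['field_name']);
+} else {
+$container->setParameter('form.type_extension.csrf.field_name', $config['csrf_protection']['field_name']);
+}
 } else {
 $container->setParameter('form.type_extension.csrf.enabled', false);
 }
@@ -696,7 +703,7 @@ private function getValidatorYamlMappingFiles(ContainerBuilder $container)
 return $files;
 }
 
-private function registerAnnotationsConfiguration(array $config, ContainerBuilder $container,$loader)
+private function registerAnnotationsConfiguration(array $config, ContainerBuilder $container, $loader)
 {
 $loader->load('annotations.xml');
 
@@ -722,6 +729,29 @@ private function registerAnnotationsConfiguration(array $config, ContainerBuilde
 }
 }
 
+/**
+* Loads the security configuration.
+*
+* @param array $config A CSRF configuration array
+* @param ContainerBuilder $container A ContainerBuilder instance
+* @param XmlFileLoader $loader An XmlFileLoader instance
+*
+* @throws \LogicException
+*/
+private function registerSecurityCsrfConfiguration(array $config, ContainerBuilder $container, XmlFileLoader $loader)
+{
+if (!$this->isConfigEnabled($container, $config)) {
+return;
+}
+
+if (!$this->sessionConfigEnabled) {
+throw new \LogicException('CSRF protection needs sessions to be enabled.');
+}
+
+// Enable services for CSRF protection (even without forms)
+$loader->load('security_csrf.xml');
+}
+
 /**
 * Returns the base path for the XSD files.
 *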
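Review bot: The docblock on the new registerSecurityCsrfConfiguration (hunk at 729) describes it as loading "the security configuration", but the method loads only `security_csrf.xml`, and only after the enabled and session guards pass; suggest `* Loads the CSRF protection services (security_csrf.xml) when framework.csrf_protection is enabled.` and `* @throws \LogicException when CSRF protection is enabled but the session is not`. The method depends on `$this->sessionConfigEnabled` having been set by the session branch earlier in load() (hunk at 89), so a comment at the call site such as `// must run after the session section so that sessionConfigEnabled is set` would protect that ordering against a later reshuffle. In the same hunk the now-unconditional `$loader->load('security.xml');` lost the comment that previously explained its purpose; a one-line comment on why it is loaded regardless of the CSRF setting would help the next reader.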

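--- a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -31,7 +31,15 @@
 </xsd:complexType>
 
 <xsd:complexType name="form">
+<xsd:all>
+<xsd:element name="csrf-protection" type="form_csrf_protection" minOccurs="0" maxOccurs="1" />
+</xsd:all>
+<xsd:attribute name="enabled" type="xsd:boolean" />
+</xsd:complexType>
+
+<xsd:complexType name="form_csrf_protection">
 <xsd:attribute name="enabled" type="xsd:boolean" />
+<xsd:attribute name="field-name" type="xsd:string" />
 </xsd:complexType>
 
 <xsd:complexType name="csrf_protection">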
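Review bot: The new `form_csrf_protection` complexType declares exactly `enabled` and `field-name`, which looks like a copy of the existing `csrf_protection` type whose body starts at the end of this hunk; if that type carries the same two attributes, the `csrf-protection` element under `form` could use `type="csrf_protection"` instead of a second definition, so the two cannot drift apart. If they are meant to diverge later (for instance the form-level `field-name` has no default), a short `<!-- … -->` comment above the new type saying so would make the duplication deliberate rather than accidental.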

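--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -93,9 +93,15 @@ protected static function getBundleDefaultConfig()
 'trusted_proxies' => array(),
 'ide' => null,
 'default_locale' => 'en',
-'form' => array('enabled' => false),
+'form' => array(
+'enabled' => false,
+'csrf_protection' => array(
+'enabled' => true,
+'field_name' => null,
+),
+),
 'csrf_protection' => array(
-'enabled' => true,
+'enabled' => false,
 'field_name' => '_token',
 ),
 'esi' => array('enabled' => false),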
+10Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'form' => array(
5+
'enabled' => true,
6+
),
7+
'session' => array(
8+
'handler_id' => null,
9+
),
10+
));
+7Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'csrf_protection' => array(
5+
'enabled' => false,
6+
),
7+
));
+7Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'csrf_protection' => array(
5+
'enabled' => true,
6+
),
7+
));
+14Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'csrf_protection' => array(
5+
'enabled' => true,
6+
'field_name' => '_custom'
7+
),
8+
'form' => array(
9+
'enabled' => true,
10+
),
11+
'session' => array(
12+
'handler_id' => null,
13+
),
14+
));
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'csrf_protection' => array(
5+
'enabled' => true,
6+
'field_name' => '_custom'
7+
),
8+
'form' => array(
9+
'enabled' => true,
10+
'csrf_protection' => array(
11+
'field_name' => '_custom_form'
12+
),
13+
),
14+
'session' => array(
15+
'handler_id' => null,
16+
),
17+
));
+8Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', array(
4+
'form' => array(
5+
'enabled' => true,
6+
'csrf_protection' => false,
7+
),
8+
));
+13Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:form />
11+
<framework:session />
12+
</framework:config>
13+
</container>
+12Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:csrf-protection enabled="false" />
11+
</framework:config>
12+
</container>
+12Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:csrf-protection />
11+
</framework:config>
12+
</container>
+14Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:csrf-protection field-name="_custom" />
11+
<framework:form />
12+
<framework:session />
13+
</framework:config>
14+
</container>
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:csrf-protection field-name="_custom" />
11+
<framework:form>
12+
<framework:csrf-protection field-name="_custom_form" />
13+
</framework:form>
14+
<framework:session />
15+
</framework:config>
16+
</container>
+14Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:form enabled="true">
11+
<framework:csrf-protection enabled="false" />
12+
</framework:form>
13+
</framework:config>
14+
</container>

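--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/csrf.yml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/csrf.yml
@@ -2,5 +2,5 @@ framework:
 secret: s3cr3t
 form: ~
 session: ~
-# CSRF should be enabled by default
+# CSRF is disabled by default
 # csrf_protection: ~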
+2Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
framework:
2+
csrf_protection: false
+2Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
framework:
2+
csrf_protection: ~
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
framework:
2+
csrf_protection:
3+
field_name: _custom
4+
form: ~
5+
session: ~
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
framework:
2+
csrf_protection:
3+
field_name: _custom
4+
form:
5+
csrf_protection:
6+
field_name: _custom_form
7+
session: ~
+4Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
framework:
2+
form:
3+
csrf_protection:
4+
enabled: false
