Commit f3ac9f5

bug #25508 [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded (nicolas-grekas)
This PR was merged into the 3.4 branch. Discussion ---------- [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/recipes#262 | License | MIT | Doc PR | - By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf". Yes, that's a side effect, but I think that's a nice one for 3.4/4.0. Of course, we might do better in 4.1, but for bug fix only releases, LGTM. Commits ------- 9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
2 parents 283e8d3 + 9e8231f commit f3ac9f5

2 files changed

+16
-3
lines changed
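--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Lock\Lock;
 use Symfony\Component\Lock\Store\SemaphoreStore;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
@@ -142,7 +143,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode)
 $rootNode
 ->children()
 ->arrayNode('csrf_protection')
-->canBeEnabled()
+->treatFalseLike(array('enabled' => false))
+->treatTrueLike(array('enabled' => true))
+->treatNullLike(array('enabled' => true))
+->addDefaultsIfNotSet()
+->children()
+// defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+->booleanNode('enabled')->defaultNull()->end()
+->end()
 ->end()
 ->end()
 ;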
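--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -17,6 +17,7 @@
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
+use Symfony\Bundle\FullStack;
 use Symfony\Component\Cache\Adapter\AbstractAdapter;
 use Symfony\Component\Cache\Adapter\AdapterInterface;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
@@ -65,6 +66,7 @@
 use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory;
@@ -231,6 +233,11 @@ public function load(array $configs, ContainerBuilder $container)
 $this->registerRequestConfiguration($config['request'], $container, $loader);
 }
 
+if (null === $config['csrf_protection']['enabled']) {
+$config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
+}
+$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
 if ($this->isConfigEnabled($container, $config['form'])) {
 if (!class_exists('Symfony\Component\Form\Form')) {
 throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
@@ -251,8 +258,6 @@ public function load(array $configs, ContainerBuilder $container)
 $container->removeDefinition('console.command.form_debug');
 }
 
-$this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
 if ($this->isConfigEnabled($container, $config['assets'])) {
 if (!class_exists('Symfony\Component\Asset\Package')) {
 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');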