alexfilatov
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 0 additions & 17 deletions b/‎src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php
Lines changed: 0 additions & 17 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/form.xml
Lines changed: 9 additions & 4 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/form.xml
Lines changed: 9 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Form/CsrfProvider/CsrfProviderInterface.php
Lines changed: 51 additions & 0 deletions b/‎src/Symfony/Component/Form/CsrfProvider/CsrfProviderInterface.php
Lines changed: 51 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Form/CsrfProvider/DefaultCsrfProvider.php
Lines changed: 71 additions & 0 deletions b/‎src/Symfony/Component/Form/CsrfProvider/DefaultCsrfProvider.php
Lines changed: 71 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Form/CsrfProvider/SessionCsrfProvider.php
Lines changed: 57 additions & 0 deletions b/‎src/Symfony/Component/Form/CsrfProvider/SessionCsrfProvider.php
Lines changed: 57 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Form/Form.php
Lines changed: 20 additions & 11 deletions b/‎src/Symfony/Component/Form/Form.php
Lines changed: 20 additions & 11 deletions
@@ -48,23 +48,6 @@ public function boot()
         if ($this->container->hasParameter('document_root')) {
             File::setDocumentRoot($this->container->getParameter('document_root'));
         }
-
-        // the session ID should always be included in the CSRF token, even
-        // if default CSRF protection is not enabled
-        if ($container->has('form.default_context') && $container->has('session')) {
-            $addSessionId = function () use ($container) {
-                // automatically starts the session when the CSRF token is
-                // generated
-                $container->get('session')->start();
-
-                return $container->get('session')->getId();
-            };
-
-//            $container->getDefinition('form.default_context')
-//                    ->addMethodCall('addCsrfSecret', array($addSessionId));
-//
-//                    var_dump($container->getDefinition('form.default_context'));
-        }
     }
 
     public function registerExtensions(ContainerBuilder $container)
 
@@ -8,6 +8,7 @@
         <parameter key="form.factory.class">Symfony\Component\Form\FormFactory</parameter>
         <parameter key="form.field_factory.class">Symfony\Component\Form\FieldFactory\FieldFactory</parameter>
         <parameter key="form.field_factory.validator_guesser.class">Symfony\Component\Form\FieldFactory\ValidatorFieldFactoryGuesser</parameter>
+        <parameter key="form.csrf_provider.class">Symfony\Component\Form\CsrfProvider\SessionCsrfProvider</parameter>
         <parameter key="form.default_context.class">Symfony\Component\Form\FormContext</parameter>
         <parameter key="form.csrf_protection.enabled">true</parameter>
         <parameter key="form.csrf_protection.field_name">_token</parameter>
@@ -32,6 +33,12 @@
         	<tag name="form.field_factory.guesser" />
         	<argument type="service" id="validator.mapping.class_metadata_factory" />
         </service>
+        
+        <!-- CsrfProvider -->
+        <service id="form.csrf_provider" class="%form.csrf_provider.class%" public="false">
+        	<argument type="service" id="session" />
+        	<argument>%form.csrf_protection.secret%</argument>
+        </service>
 
     	<!-- FormContext -->
         <service id="form.default_context" class="%form.default_context.class%">
@@ -51,10 +58,8 @@
             <call method="csrfFieldName">
                 <argument>%form.csrf_protection.field_name%</argument>
             </call>
-            <call method="csrfSecrets">
-            	<argument type="collection">
-                	<argument>%form.csrf_protection.secret%</argument>
-                </argument>
+            <call method="csrfProvider">
+                <argument type="service" id="form.csrf_provider" />
             </call>
         </service>
 
 
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien.potencier@symfony-project.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\CsrfProvider;
+
+/**
+ * Marks classes able to provide CSRF protection
+ *
+ * You can generate a CSRF token by using the method generateCsrfToken(). To
+ * this method you should pass a value that is unique to the page that should
+ * be secured against CSRF attacks. This value doesn't necessarily have to be
+ * secret. Implementations of this interface are responsible for adding more
+ * secret information.
+ *
+ * If you want to secure a form submission against CSRF attacks, you could
+ * use the class name of the form as page ID. This way you make sure that the
+ * form can only be submitted to pages that are designed to handle the form,
+ * that is, that use the same class name to validate the CSRF token with
+ * isCsrfTokenValid().
+ *
+ * @author Bernhard Schussek <bernhard.schussek@symfony-project.com>
+ */
+interface CsrfProviderInterface
+{
+    /**
+     * Generates a CSRF token for a page of your application
+     *
+     * @param string $pageId  Some value that identifies the page (for example,
+     *                        the class name of the form). Doesn't have to be
+     *                        a secret value.
+     */
+    public function generateCsrfToken($pageId);
+
+    /**
+     * Validates a CSRF token
+     *
+     * @param  string $pageId  The page ID used when generating the CSRF token
+     * @param  string $token   The token supplied by the browser
+     * @return boolean         Whether the token supplied by the browser is
+     *                         correct
+     */
+    public function isCsrfTokenValid($pageId, $token);
+}
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien.potencier@symfony-project.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\CsrfProvider;
+
+/**
+ * Default implementation of CsrfProviderInterface
+ *
+ * This provider uses the session ID returned by session_id() as well as a
+ * user-defined secret value to secure the CSRF token.
+ *
+ * @author Bernhard Schussek <bernhard.schussek@symfony-project.com>
+ */
+class DefaultCsrfProvider implements CsrfProviderInterface
+{
+    /**
+     * A secret value used for generating the CSRF token
+     * @var string
+     */
+    protected $secret;
+
+    /**
+     * Initializes the provider with a secret value
+     *
+     * @param string $secret  A secret value included in the CSRF token
+     */
+    public function __construct($secret)
+    {
+        $this->secret = $secret;
+    }
+
+    /**
+     * Returns the ID of the user session
+     *
+     * Automatically starts the session if necessary.
+     *
+     * @return string  The session ID
+     */
+    protected function getSessionId()
+    {
+        if (!session_id()) {
+            session_start();
+        }
+
+        return session_id();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateCsrfToken($pageId)
+    {
+        return sha1($this->secret.$pageId.$this->getSessionId());
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function isCsrfTokenValid($pageId, $token)
+    {
+        return $token === $this->generateCsrfToken($pageId);
+    }
+}
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien.potencier@symfony-project.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\CsrfProvider;
+
+use Symfony\Component\HttpFoundation\Session;
+
+/**
+ * This provider uses a Symfony2 Session object to retrieve the user's
+ * session ID
+ *
+ * @author Bernhard Schussek <bernhard.schussek@symfony-project.com>
+ * @see DefaultCsrfProvider
+ */
+class SessionCsrfProvider extends DefaultCsrfProvider
+{
+    /**
+     * The user session from which the session ID is returned
+     * @var Session
+     */
+    protected $session;
+
+    /**
+     * Initializes the provider with a Session object and a secret value
+     *
+     * @param Session $session  The user session
+     * @param string $secret    A secret value included in the CSRF token
+     */
+    public function __construct(Session $session, $secret)
+    {
+        parent::__construct($secret);
+
+        $this->session = $session;
+    }
+
+    /**
+     * Returns the ID of the user session
+     *
+     * Automatically starts the session if necessary.
+     *
+     * @return string  The session ID
+     */
+    protected function getSessionId()
+    {
+        $this->session->start();
+
+        return $this->session->getId();
+    }
+}
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Validator\ValidatorInterface;
 use Symfony\Component\Form\Exception\FormException;
+use Symfony\Component\Form\CsrfProvider\CsrfProviderInterface;
 
 /**
  * Form represents a form.
@@ -31,6 +32,10 @@
  */
 class Form extends FieldGroup
 {
+    /**
+     * The validator to validate form values
+     * @var ValidatorInterface
+     */
     protected $validator = null;
 
     /**
@@ -50,9 +55,8 @@ public function __construct($name, $data = null, ValidatorInterface $validator =
             $this->setData($data);
         }
 
-        $this->addOption('csrf_protection');
         $this->addOption('csrf_field_name', '_token');
-        $this->addOption('csrf_secrets', array(__FILE__.php_uname()));
+        $this->addOption('csrf_provider');
         $this->addOption('field_factory');
         $this->addOption('validation_groups');
 
@@ -69,11 +73,17 @@ public function __construct($name, $data = null, ValidatorInterface $validator =
         }
 
         // Enable CSRF protection, if necessary
-        if ($this->getOption('csrf_protection')) {
+        if ($this->getOption('csrf_provider')) {
+            if (!$this->getOption('csrf_provider') instanceof CsrfProviderInterface) {
+                throw new FormException('The object passed to the "csrf_provider" option must implement CsrfProviderInterface');
+            }
+
+            $token = $this->getOption('csrf_provider')->generateCsrfToken(get_class($this));
+
             $field = new HiddenField($this->getOption('csrf_field_name'), array(
                 'property_path' => null,
             ));
-            $field->setData($this->generateCsrfToken($this->getOption('csrf_secrets')));
+            $field->setData($token);
 
             $this->add($field);
         }
@@ -121,13 +131,13 @@ public function getCsrfFieldName()
     }
 
     /**
-     * Returns the secret values used for the CSRF protection
+     * Returns the provider used for generating and validating CSRF tokens
      *
-     * @return array  A list of string valuesf
+     * @return CsrfProviderInterface  The provider instance
      */
-    public function getCsrfSecrets()
+    public function getCsrfProvider()
     {
-        return $this->getOption('csrf_secrets');
+        return $this->getOption('csrf_provider');
     }
 
     /**
@@ -236,10 +246,9 @@ public function isCsrfTokenValid()
         if (!$this->isCsrfProtected()) {
             return true;
         } else {
-            $actual = $this->get($this->getOption('csrf_field_name'))->getDisplayedData();
-            $expected = $this->generateCsrfToken($this->getOption('csrf_secrets'));
+            $token = $this->get($this->getOption('csrf_field_name'))->getDisplayedData();
 
-            return $actual === $expected;
+            return $this->getOption('csrf_provider')->isCsrfTokenValid(get_class($this), $token);
         }
     }