[Form] Simplified CSRF mechanism and removed "csrf" type
CSRF fields are now only added when the view is built. At that point we already know whether the form is the root form, so unnecessary CSRF fields are no longer created for nested fields.
1 parent e7470ff commit 2a49449

22 files changed

+369
-619
lines changed

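--- a/CHANGELOG-2.1.md
+++ b/CHANGELOG-2.1.md
@@ -269,6 +269,7 @@ To get the diff between two versions, go to https://github.com/symfony/symfony/c
 don't receive an options array anymore.
 * Deprecated FormValidatorInterface and substituted its implementations
 by event subscribers
+* simplified CSRF protection and removed the csrf type
 
 ### HttpFoundation
 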

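--- a/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.xml
@@ -14,12 +14,9 @@
 <argument>%kernel.secret%</argument>
 </service>
 
-<service id="form.type.csrf" class="Symfony\Component\Form\Extension\Csrf\Type\CsrfType">
-<tag name="form.type" alias="csrf" />
-<argument type="service" id="form.csrf_provider" />
-</service>
 <service id="form.type_extension.csrf" class="Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension">
 <tag name="form.type_extension" alias="form" />
+<argument type="service" id="form.csrf_provider" />
 <argument>%form.type_extension.csrf.enabled%</argument>
 <argument>%form.type_extension.csrf.field_name%</argument>
 </service>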

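--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -27,9 +27,9 @@ public function testCsrfProtection()
 $def = $container->getDefinition('form.type_extension.csrf');
 
 $this->assertTrue($container->getParameter('form.type_extension.csrf.enabled'));
-$this->assertEquals('%form.type_extension.csrf.enabled%', $def->getArgument(0));
+$this->assertEquals('%form.type_extension.csrf.enabled%', $def->getArgument(1));
 $this->assertEquals('_csrf', $container->getParameter('form.type_extension.csrf.field_name'));
-$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(1));
+$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
 $this->assertEquals('s3cr3t', $container->getParameterBag()->resolveValue($container->findDefinition('form.csrf_provider')->getArgument(1)));
 }
 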

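--- a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
+++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
@@ -32,27 +32,13 @@ public function __construct(CsrfProviderInterface $csrfProvider)
 $this->csrfProvider = $csrfProvider;
 }
 
-/**
-* {@inheritDoc}
-*/
-protected function loadTypes()
-{
-return array(
-new Type\CsrfType($this->csrfProvider),
-);
-}
-
 /**
 * {@inheritDoc}
 */
 protected function loadTypeExtensions()
 {
 return array(
-new Type\ChoiceTypeCsrfExtension(),
-new Type\DateTypeCsrfExtension(),
-new Type\FormTypeCsrfExtension(),
-new Type\RepeatedTypeCsrfExtension(),
-new Type\TimeTypeCsrfExtension(),
+new Type\FormTypeCsrfExtension($this->csrfProvider),
 );
 }
 }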

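--- a/src/Symfony/Component/Form/Extension/Csrf/EventListener/CsrfValidationListener.php
+++ b/src/Symfony/Component/Form/Extension/Csrf/EventListener/CsrfValidationListener.php
@@ -14,14 +14,20 @@
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\Form\FormEvents;
 use Symfony\Component\Form\FormError;
-use Symfony\Component\Form\Event\DataEvent;
+use Symfony\Component\Form\Event\FilterDataEvent;
 use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
 
 /**
 * @author Bernhard Schussek <bschussek@gmail.com>
 */
 class CsrfValidationListener implements EventSubscriberInterface
 {
+/**
+* The name of the CSRF field
+* @var string
+*/
+private $fieldName;
+
 /**
 * The provider for generating and validating CSRF tokens
 * @var CsrfProviderInterface
@@ -45,24 +51,26 @@ static public function getSubscribedEvents()
 );
 }
 
-public function __construct(CsrfProviderInterface $csrfProvider, $intention)
+public function __construct($fieldName, CsrfProviderInterface $csrfProvider, $intention)
 {
+$this->fieldName = $fieldName;
 $this->csrfProvider = $csrfProvider;
 $this->intention = $intention;
 }
 
-public function onBindClientData(DataEvent $event)
+public function onBindClientData(FilterDataEvent $event)
 {
 $form = $event->getForm();
 $data = $event->getData();
 
-if ((!$form->hasParent() || $form->getParent()->isRoot())
-&& !$this->csrfProvider->isCsrfTokenValid($this->intention, $data)) {
-$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
+if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {
+if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
+$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
+}
 
-// If the session timed out, the token is invalid now.
-// Regenerate the token so that a resubmission is possible.
-$event->setData($this->csrfProvider->generateCsrfToken($this->intention));
+unset($data[$this->fieldName]);
 }
+
+$event->setData($data);
 }
 }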
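Review bot: A submission that simply omits the CSRF field is accepted without any error, because the `isset($data[$this->fieldName])` guard on new line 66 of onBindClientData skips the whole validity check rather than treating the missing token as invalid, whereas the removed code validated the bound value unconditionally. Unless absence of the field is rejected elsewhere (nothing in this commit shows that), the check should run whenever the root form has children and a missing token should fail exactly like a wrong one. The same guard also assumes `$data` is an array; a non-array root submission would make the `unset` on new line 71 a no-op at best, so the array case should be checked explicitly. A regression test that binds the root form without the CSRF field and asserts an error is the natural companion to this change.
```php
public function onBindClientData(FilterDataEvent $event)
{
    // … unchanged: $form / $data assignment …

    if ($form->isRoot() && $form->hasChildren()) {
        // A missing token must be rejected like an invalid one.
        $token = is_array($data) && isset($data[$this->fieldName]) ? $data[$this->fieldName] : null;

        if (null === $token || !$this->csrfProvider->isCsrfTokenValid($this->intention, $token)) {
            $form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
        }

        if (is_array($data)) {
            unset($data[$this->fieldName]);
        }
    }

    // … unchanged: $event->setData($data) …
```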

src/Symfony/Component/Form/Extension/Csrf/EventListener/EnsureCsrfFieldListener.php

Lines changed: 0 additions & 66 deletions
This file was deleted.

src/Symfony/Component/Form/Extension/Csrf/Type/ChoiceTypeCsrfExtension.php

Lines changed: 0 additions & 27 deletions
This file was deleted.

src/Symfony/Component/Form/Extension/Csrf/Type/CsrfType.php

Lines changed: 0 additions & 83 deletions
This file was deleted.

src/Symfony/Component/Form/Extension/Csrf/Type/DateTypeCsrfExtension.php

Lines changed: 0 additions & 27 deletions
This file was deleted.
