[Form] Fixed: CSRF protection did not run if token was missing

webmozart · webmozart · commit c623fcf4d417 · 2012-04-27T09:47:16.000+02:00
diff --git a/src/Symfony/Component/Form/Extension/Csrf/EventListener/CsrfValidationListener.php b/src/Symfony/Component/Form/Extension/Csrf/EventListener/CsrfValidationListener.php
@@ -63,8 +63,8 @@ public function onBindClientData(FilterDataEvent $event)
         $form = $event->getForm();
         $data = $event->getData();
 
-        if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {
-            if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
+        if ($form->isRoot() && $form->hasChildren()) {
+            if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
                 $form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
             }
 
diff --git a/src/Symfony/Component/Form/Tests/Extension/Csrf/Type/FormTypeCsrfExtensionTest.php b/src/Symfony/Component/Form/Tests/Extension/Csrf/Type/FormTypeCsrfExtensionTest.php
@@ -171,6 +171,32 @@ public function testValidateTokenOnBindIfRootAndChildren($valid)
         $this->assertSame($valid, $form->isValid());
     }
 
+    public function testFailIfRootAndChildrenAndTokenMissing()
+    {
+        $this->csrfProvider->expects($this->never())
+            ->method('isCsrfTokenValid');
+
+        $form = $this->factory
+            ->createBuilder('form', null, array(
+                'csrf_field_name' => 'csrf',
+                'csrf_provider' => $this->csrfProvider,
+                'intention' => '%INTENTION%'
+            ))
+            ->add($this->factory->createNamedBuilder('form', 'child'))
+            ->getForm();
+
+        $form->bind(array(
+            'child' => 'foobar',
+            // token is missing
+        ));
+
+        // Remove token from data
+        $this->assertSame(array('child' => 'foobar'), $form->getData());
+
+        // Validate accordingly
+        $this->assertFalse($form->isValid());
+    }
+
     public function testDontValidateTokenIfChildrenButNoRoot()
     {
         $this->csrfProvider->expects($this->never())

Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,8 @@ public function onBindClientData(FilterDataEvent $event)`
`63`	`63`	`$form = $event->getForm();`
`64`	`64`	`$data = $event->getData();`
`65`	`65`
`66`		`- if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {`
`67`		`- if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {`
	`66`	`+ if ($form->isRoot() && $form->hasChildren()) {`
	`67`	`+ if (!isset($data[$this->fieldName]) \|\| !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {`
`68`	`68`	`$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));`
`69`	`69`	`}`
`70`	`70`