8000 [5.3 beta2][Security] Can't validate manual CSRF (test env only) · Issue #41046 · symfony/symfony · GitHub
Closed
@COil

Symfony version(s) affected: 5.3 beta2

Description
A CSRF token put inside a Twig template with the csrf_token() helper can't be validated anymore. This only occurs when using the test environment (PHPUnit 7.5.20).

How to reproduce

Twig:

    <input type="hidden" name="_token" value="{{ csrf_token('delete'~event.id) }}">

Controller:

    if ($this->isCsrfTokenValid('delete'.$event->getId(), $request->request->get('_token'))) {

Test:

    $csrfToken = self::getContainer()->get('security.csrf.token_manager')->getToken('delete1')->getValue();
    echo $csrfToken;
    $client->request('DELETE', '/event/delete/1', [
        '_token' => $csrfToken,
    ]);

Possible Solution
Seems related to the test environment as everything works correctly in dev or prod.

Additional context

  • Everything was OK with 5.2.6.
  • The problem occurs everywhere csrf_token() is used in a template.
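For comparison, here is an added functional test (not part of the issue or of Symfony) that obtains the token from the rendered form in the same client session instead of asking the container's token manager for one before any request has been made. It assumes a route GET /event/1 renders the form shown above and that DELETE /event/delete/1 runs the isCsrfTokenValid() check from the report; the 403 on a forged token is also an assumption about the controller's failure branch.

```php
<?php
// Added example, not code from the issue. Assumed routes: GET /event/1 renders
// the form containing csrf_token('delete'~event.id); DELETE /event/delete/1
// calls isCsrfTokenValid('delete'.$id, $request->request->get('_token')).

namespace App\Tests\Controller;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

class EventDeleteCsrfTest extends WebTestCase
{
    public function testDeleteWithTokenFromRenderedForm(): void
    {
        $client = static::createClient();

        // The GET request starts the session the CSRF token is bound to.
        $crawler = $client->request('GET', '/event/1');
        $this->assertResponseIsSuccessful();

        // Read the token exactly as a browser would: from the hidden field.
        $token = $crawler->filter('input[name="_token"]')->attr('value');
        $this->assertNotEmpty($token);

        // Same client, same session: the token is validated against it.
        $client->request('DELETE', '/event/delete/1', ['_token' => $token]);
        $this->assertResponseRedirects();
    }

    public function testDeleteWithForgedTokenIsRejected(): void
    {
        $client = static::createClient();
        $client->request('GET', '/event/1');

        // A token that never came from this session must not pass the check.
        $client->request('DELETE', '/event/delete/1', ['_token' => 'forged-value']);

        // Assumed: the controller denies access when isCsrfTokenValid() is false.
        $this->assertResponseStatusCodeSame(403);
        $this->assertFalse($client->getResponse()->isRedirect());
    }
}
```

Running both tests under the same environment where the reported test fails separates a broken token manager from a token that was simply issued against a different session than the one the request carries.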
