diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Form] Deprecated the CSRF implementation and added an optional dependency to the Security CSRF sub-component instead

This commit is contained in:
Bernhard Schussek 2013-09-27 09:37:01 +02:00
parent 85d49597a9
commit 2048cf6d35
22 changed files with 154 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
UPGRADE-3.0.md
View File

@ -168,6 +168,13 @@ UPGRADE FROM 2.x to 3.0
`ChoiceListInterface::getChoicesForValues()` and `ChoiceListInterface::getChoicesForValues()` and
`ChoiceListInterface::getValuesForChoices()` should be sufficient. `ChoiceListInterface::getValuesForChoices()` should be sufficient.
* The interface `Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface`
and all of its implementations were removed. Use the new interface
`Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface` instead.
* The options "csrf_provider" and "intention" were renamed to "csrf_token_generator"
and "csrf_token_id".
### FrameworkBundle ### FrameworkBundle

6
src/Symfony/Bridge/Twig/Form/TwigRenderer.php
View File

@ -12,7 +12,7 @@
namespace Symfony\Bridge\Twig\Form; namespace Symfony\Bridge\Twig\Form;
use Symfony\Component\Form\FormRenderer; use Symfony\Component\Form\FormRenderer;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
/** /**
* @author Bernhard Schussek <bschussek@gmail.com> * @author Bernhard Schussek <bschussek@gmail.com>
@ -24,9 +24,9 @@ class TwigRenderer extends FormRenderer implements TwigRendererInterface
*/ */
private $engine; private $engine;
public function __construct(TwigRendererEngineInterface $engine, CsrfProviderInterface $csrfProvider = null) public function __construct(TwigRendererEngineInterface $engine, CsrfTokenGeneratorInterface $csrfTokenGenerator = null)
{ {
parent::__construct($engine, $csrfProvider); parent::__construct($engine, $csrfTokenGenerator);
$this->engine = $engine; $this->engine = $engine;
} }

2
src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php
View File

@ -247,7 +247,7 @@ class FormHelper extends Helper
* Check the token in your action using the same intention. * Check the token in your action using the same intention.
* *
* <code> * <code>
* $csrfProvider = $this->get('form.csrf_provider'); * $csrfProvider = $this->get('security.csrf.token_generator');
* if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) { * if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) {
* throw new \RuntimeException('CSRF attack detected.'); * throw new \RuntimeException('CSRF attack detected.');
* } * }

2
src/Symfony/Bundle/FrameworkBundle/Tests/Templating/Helper/FormHelperDivLayoutTest.php
View File

@ -46,7 +46,7 @@ class FormHelperDivLayoutTest extends AbstractDivLayoutTest
)); ));
return array_merge(parent::getExtensions(), array( return array_merge(parent::getExtensions(), array(
new TemplatingExtension($this->engine, $this->csrfProvider, array( new TemplatingExtension($this->engine, $this->csrfTokenGenerator, array(
'FrameworkBundle:Form', 'FrameworkBundle:Form',
)), )),
)); ));

2
src/Symfony/Bundle/FrameworkBundle/Tests/Templating/Helper/FormHelperTableLayoutTest.php
View File

@ -46,7 +46,7 @@ class FormHelperTableLayoutTest extends AbstractTableLayoutTest
)); ));
return array_merge(parent::getExtensions(), array( return array_merge(parent::getExtensions(), array(
new TemplatingExtension($this->engine, $this->csrfProvider, array( new TemplatingExtension($this->engine, $this->csrfTokenGenerator, array(
'FrameworkBundle:Form', 'FrameworkBundle:Form',
'FrameworkBundle:FormTable', 'FrameworkBundle:FormTable',
)), )),

8
src/Symfony/Component/Form/CHANGELOG.md
View File

@ -1,9 +1,15 @@
CHANGELOG CHANGELOG
========= =========
2.4.0
-----
* moved CSRF implementation to the new Security CSRF sub-component
* deprecated CsrfProviderInterface and its implementations
* deprecated options "csrf_provider" and "intention" in favor of the new options "csrf_token_generator" and "csrf_token_id"
2.3.0 2.3.0
------ -----
* deprecated FormPerformanceTestCase and FormIntegrationTestCase in the Symfony\Component\Form\Tests namespace and moved them to the Symfony\Component\Form\Test namespace * deprecated FormPerformanceTestCase and FormIntegrationTestCase in the Symfony\Component\Form\Tests namespace and moved them to the Symfony\Component\Form\Test namespace
* deprecated TypeTestCase in the Symfony\Component\Form\Tests\Extension\Core\Type namespace and moved it to the Symfony\Component\Form\Test namespace * deprecated TypeTestCase in the Symfony\Component\Form\Tests\Extension\Core\Type namespace and moved it to the Symfony\Component\Form\Test namespace

18
src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
View File

@ -12,8 +12,8 @@
namespace Symfony\Component\Form\Extension\Csrf; namespace Symfony\Component\Form\Extension\Csrf;
use Symfony\Component\Form\Extension\Csrf\Type; use Symfony\Component\Form\Extension\Csrf\Type;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\Form\AbstractExtension; use Symfony\Component\Form\AbstractExtension;
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
use Symfony\Component\Translation\TranslatorInterface; use Symfony\Component\Translation\TranslatorInterface;
/** /**
@ -24,9 +24,9 @@ use Symfony\Component\Translation\TranslatorInterface;
class CsrfExtension extends AbstractExtension class CsrfExtension extends AbstractExtension
{ {
/** /**
* @var CsrfProviderInterface * @var CsrfTokenGeneratorInterface
*/ */
private $csrfProvider; private $tokenGenerator;
/** /**
* @var TranslatorInterface * @var TranslatorInterface
@ -41,13 +41,13 @@ class CsrfExtension extends AbstractExtension
/** /**
* Constructor. * Constructor.
* *
* @param CsrfProviderInterface $csrfProvider The CSRF provider * @param CsrfTokenGeneratorInterface $tokenGenerator The CSRF token generator
* @param TranslatorInterface $translator The translator for translating error messages. * @param TranslatorInterface $translator The translator for translating error messages
* @param null|string $translationDomain The translation domain for translating. * @param null|string $translationDomain The translation domain for translating
*/ */
public function __construct(CsrfProviderInterface $csrfProvider, TranslatorInterface $translator = null, $translationDomain = null) public function __construct(CsrfTokenGeneratorInterface $tokenGenerator, TranslatorInterface $translator = null, $translationDomain = null)
{ {
$this->csrfProvider = $csrfProvider; $this->tokenGenerator = $tokenGenerator;
$this->translator = $translator; $this->translator = $translator;
$this->translationDomain = $translationDomain; $this->translationDomain = $translationDomain;
} }
@ -58,7 +58,7 @@ class CsrfExtension extends AbstractExtension
protected function loadTypeExtensions() protected function loadTypeExtensions()
{ {
return array( return array(
new Type\FormTypeCsrfExtension($this->csrfProvider, true, '_token', $this->translator, $this->translationDomain), new Type\FormTypeCsrfExtension($this->tokenGenerator, true, '_token', $this->translator, $this->translationDomain),
); );
} }
} }

37
src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php
View File

@ -11,39 +11,16 @@
namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider; namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
/** /**
* Marks classes able to provide CSRF protection * Alias interface of {@link CsrfTokenGeneratorInterface}.
*
* You can generate a CSRF token by using the method generateCsrfToken(). To
* this method you should pass a value that is unique to the page that should
* be secured against CSRF attacks. This value doesn't necessarily have to be
* secret. Implementations of this interface are responsible for adding more
* secret information.
*
* If you want to secure a form submission against CSRF attacks, you could
* supply an "intention" string. This way you make sure that the form can only
* be submitted to pages that are designed to handle the form, that is, that use
* the same intention string to validate the CSRF token with isCsrfTokenValid().
* *
* @author Bernhard Schussek <bschussek@gmail.com> * @author Bernhard Schussek <bschussek@gmail.com>
*
* @deprecated Deprecated since version 2.4, to be removed in Symfony 3.0. Use
* {@link CsrfTokenGeneratorInterface} instead.
*/ */
interface CsrfProviderInterface interface CsrfProviderInterface extends CsrfTokenGeneratorInterface
{ {
/**
* Generates a CSRF token for a page of your application.
*
* @param string $intention Some value that identifies the action intention
* (i.e. "authenticate"). Doesn't have to be a secret value.
*/
public function generateCsrfToken($intention);
/**
* Validates a CSRF token.
*
* @param string $intention The intention used when generating the CSRF token
* @param string $token The token supplied by the browser
*
* @return Boolean Whether the token supplied by the browser is correct
*/
public function isCsrfTokenValid($intention, $token);
} }

26
src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfTokenGeneratorAdapter.php Normal file
View File

@ -0,0 +1,26 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
use Symfony\Component\Security\Csrf\CsrfTokenGenerator;
/**
* Adapter for using the new token generator with the old interface.
*
* @since 2.4
* @author Bernhard Schussek <bschussek@gmail.com>
*
* @deprecated Deprecated since version 2.4, to be removed in Symfony 3.0.
*/
class CsrfTokenGeneratorAdapter extends CsrfTokenGenerator implements CsrfProviderInterface
{
}

5
src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
View File

@ -18,6 +18,11 @@ namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
* user-defined secret value to secure the CSRF token. * user-defined secret value to secure the CSRF token.
* *
* @author Bernhard Schussek <bschussek@gmail.com> * @author Bernhard Schussek <bschussek@gmail.com>
*
* @deprecated Deprecated since version 2.4, to be removed in Symfony 3.0. Use
* {@link \Symfony\Component\Security\Csrf\CsrfTokenGenerator} in
* combination with {@link \Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage}
* instead.
*/ */
class DefaultCsrfProvider implements CsrfProviderInterface class DefaultCsrfProvider implements CsrfProviderInterface
{ {

5
src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php
View File

@ -20,6 +20,11 @@ use Symfony\Component\HttpFoundation\Session\Session;
* @see DefaultCsrfProvider * @see DefaultCsrfProvider
* *
* @author Bernhard Schussek <bschussek@gmail.com> * @author Bernhard Schussek <bschussek@gmail.com>
*
* @deprecated Deprecated since version 2.4, to be removed in Symfony 3.0. Use
* {@link \Symfony\Component\Security\Csrf\CsrfTokenGenerator} in
* combination with {@link \Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage}
* instead.
*/ */
class SessionCsrfProvider extends DefaultCsrfProvider class SessionCsrfProvider extends DefaultCsrfProvider
{ {

22
src/Symfony/Component/Form/Extension/Csrf/EventListener/CsrfValidationListener.php
View File

@ -15,7 +15,7 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Form\FormEvents; use Symfony\Component\Form\FormEvents;
use Symfony\Component\Form\FormError; use Symfony\Component\Form\FormError;
use Symfony\Component\Form\FormEvent; use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
use Symfony\Component\Translation\TranslatorInterface; use Symfony\Component\Translation\TranslatorInterface;
/** /**
@ -30,20 +30,20 @@ class CsrfValidationListener implements EventSubscriberInterface
private $fieldName; private $fieldName;
/** /**
* The provider for generating and validating CSRF tokens * The generator for CSRF tokens
* @var CsrfProviderInterface * @var CsrfTokenGeneratorInterface
*/ */
private $csrfProvider; private $tokenGenerator;
/** /**
* A text mentioning the intention of the CSRF token * A text mentioning the tokenId of the CSRF token
* *
* Validation of the token will only succeed if it was generated in the * Validation of the token will only succeed if it was generated in the
* same session and with the same intention. * same session and with the same tokenId.
* *
* @var string * @var string
*/ */
private $intention; private $tokenId;
/** /**
* The message displayed in case of an error. * The message displayed in case of an error.
@ -68,11 +68,11 @@ class CsrfValidationListener implements EventSubscriberInterface
); );
} }
public function __construct($fieldName, CsrfProviderInterface $csrfProvider, $intention, $errorMessage, TranslatorInterface $translator = null, $translationDomain = null) public function __construct($fieldName, CsrfTokenGeneratorInterface $tokenGenerator, $tokenId, $errorMessage, TranslatorInterface $translator = null, $translationDomain = null)
{ {
$this->fieldName = $fieldName; $this->fieldName = $fieldName;
$this->csrfProvider = $csrfProvider; $this->tokenGenerator = $tokenGenerator;
$this->intention = $intention; $this->tokenId = $tokenId;
$this->errorMessage = $errorMessage; $this->errorMessage = $errorMessage;
$this->translator = $translator; $this->translator = $translator;
$this->translationDomain = $translationDomain; $this->translationDomain = $translationDomain;
@ -84,7 +84,7 @@ class CsrfValidationListener implements EventSubscriberInterface
$data = $event->getData(); $data = $event->getData();
if ($form->isRoot() && $form->getConfig()->getOption('compound')) { if ($form->isRoot() && $form->getConfig()->getOption('compound')) {
if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) { if (!isset($data[$this->fieldName]) || !$this->tokenGenerator->isCsrfTokenValid($this->tokenId, $data[$this->fieldName])) {
$errorMessage = $this->errorMessage; $errorMessage = $this->errorMessage;
if (null !== $this->translator) { if (null !== $this->translator) {

39
src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
View File

@ -12,12 +12,13 @@
namespace Symfony\Component\Form\Extension\Csrf\Type; namespace Symfony\Component\Form\Extension\Csrf\Type;
use Symfony\Component\Form\AbstractTypeExtension; use Symfony\Component\Form\AbstractTypeExtension;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\Form\Extension\Csrf\EventListener\CsrfValidationListener; use Symfony\Component\Form\Extension\Csrf\EventListener\CsrfValidationListener;
use Symfony\Component\Form\FormBuilderInterface; use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormView; use Symfony\Component\Form\FormView;
use Symfony\Component\Form\FormInterface; use Symfony\Component\Form\FormInterface;
use Symfony\Component\OptionsResolver\Options;
use Symfony\Component\OptionsResolver\OptionsResolverInterface; use Symfony\Component\OptionsResolver\OptionsResolverInterface;
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
use Symfony\Component\Translation\TranslatorInterface; use Symfony\Component\Translation\TranslatorInterface;
/** /**
@ -26,9 +27,9 @@ use Symfony\Component\Translation\TranslatorInterface;
class FormTypeCsrfExtension extends AbstractTypeExtension class FormTypeCsrfExtension extends AbstractTypeExtension
{ {
/** /**
* @var CsrfProviderInterface * @var CsrfTokenGeneratorInterface
*/ */
private $defaultCsrfProvider; private $defaultTokenGenerator;
/** /**
* @var Boolean * @var Boolean
@ -50,9 +51,9 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
*/ */
private $translationDomain; private $translationDomain;
public function __construct(CsrfProviderInterface $defaultCsrfProvider, $defaultEnabled = true, $defaultFieldName = '_token', TranslatorInterface $translator = null, $translationDomain = null) public function __construct(CsrfTokenGeneratorInterface $defaultTokenGenerator, $defaultEnabled = true, $defaultFieldName = '_token', TranslatorInterface $translator = null, $translationDomain = null)
{ {
$this->defaultCsrfProvider = $defaultCsrfProvider; $this->defaultTokenGenerator = $defaultTokenGenerator;
$this->defaultEnabled = $defaultEnabled; $this->defaultEnabled = $defaultEnabled;
$this->defaultFieldName = $defaultFieldName; $this->defaultFieldName = $defaultFieldName;
$this->translator = $translator; $this->translator = $translator;
@ -74,8 +75,8 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
$builder $builder
->addEventSubscriber(new CsrfValidationListener( ->addEventSubscriber(new CsrfValidationListener(
$options['csrf_field_name'], $options['csrf_field_name'],
$options['csrf_provider'], $options['csrf_token_generator'],
$options['intention'], $options['csrf_token_id'],
$options['csrf_message'], $options['csrf_message'],
$this->translator, $this->translator,
$this->translationDomain $this->translationDomain
@ -94,7 +95,7 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
{ {
if ($options['csrf_protection'] && !$view->parent && $options['compound']) { if ($options['csrf_protection'] && !$view->parent && $options['compound']) {
$factory = $form->getConfig()->getFormFactory(); $factory = $form->getConfig()->getFormFactory();
$data = $options['csrf_provider']->generateCsrfToken($options['intention']); $data = $options['csrf_token_generator']->generateCsrfToken($options['csrf_token_id']);
$csrfForm = $factory->createNamed($options['csrf_field_name'], 'hidden', $data, array( $csrfForm = $factory->createNamed($options['csrf_field_name'], 'hidden', $data, array(
'mapped' => false, 'mapped' => false,
@ -109,12 +110,24 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
*/ */
public function setDefaultOptions(OptionsResolverInterface $resolver) public function setDefaultOptions(OptionsResolverInterface $resolver)
{ {
// BC clause for the "intention" option
$csrfTokenId = function (Options $options) {
return $options['intention'];
};
// BC clause for the "csrf_provider" option
$csrfTokenGenerator = function (Options $options) {
return $options['csrf_provider'];
};
$resolver->setDefaults(array( $resolver->setDefaults(array(
'csrf_protection' => $this->defaultEnabled, 'csrf_protection' => $this->defaultEnabled,
'csrf_field_name' => $this->defaultFieldName, 'csrf_field_name' => $this->defaultFieldName,
'csrf_provider' => $this->defaultCsrfProvider, 'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.', 'csrf_token_generator' => $csrfTokenGenerator,
'intention' => 'unknown', 'csrf_token_id' => $csrfTokenId,
'csrf_provider' => $this->defaultTokenGenerator,
'intention' => 'unknown',
)); ));
} }

6
src/Symfony/Component/Form/Extension/Templating/TemplatingExtension.php
View File

@ -13,7 +13,7 @@ namespace Symfony\Component\Form\Extension\Templating;
use Symfony\Component\Form\AbstractExtension; use Symfony\Component\Form\AbstractExtension;
use Symfony\Component\Form\FormRenderer; use Symfony\Component\Form\FormRenderer;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
use Symfony\Component\Templating\PhpEngine; use Symfony\Component\Templating\PhpEngine;
use Symfony\Bundle\FrameworkBundle\Templating\Helper\FormHelper; use Symfony\Bundle\FrameworkBundle\Templating\Helper\FormHelper;
@ -24,10 +24,10 @@ use Symfony\Bundle\FrameworkBundle\Templating\Helper\FormHelper;
*/ */
class TemplatingExtension extends AbstractExtension class TemplatingExtension extends AbstractExtension
{ {
public function __construct(PhpEngine $engine, CsrfProviderInterface $csrfProvider = null, array $defaultThemes = array()) public function __construct(PhpEngine $engine, CsrfTokenGeneratorInterface $csrfTokenGenerator = null, array $defaultThemes = array())
{ {
$engine->addHelpers(array( $engine->addHelpers(array(
new FormHelper(new FormRenderer(new TemplatingRendererEngine($engine, $defaultThemes), $csrfProvider)) new FormHelper(new FormRenderer(new TemplatingRendererEngine($engine, $defaultThemes), $csrfTokenGenerator))
)); ));
} }
} }

18
src/Symfony/Component/Form/FormRenderer.php
View File

@ -13,7 +13,7 @@ namespace Symfony\Component\Form;
use Symfony\Component\Form\Exception\LogicException; use Symfony\Component\Form\Exception\LogicException;
use Symfony\Component\Form\Exception\BadMethodCallException; use Symfony\Component\Form\Exception\BadMethodCallException;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
/** /**
* Renders a form into HTML using a rendering engine. * Renders a form into HTML using a rendering engine.
@ -30,9 +30,9 @@ class FormRenderer implements FormRendererInterface
private $engine; private $engine;
/** /**
* @var CsrfProviderInterface * @var CsrfTokenGeneratorInterface
*/ */
private $csrfProvider; private $csrfTokenGenerator;
/** /**
* @var array * @var array
@ -49,10 +49,10 @@ class FormRenderer implements FormRendererInterface
*/ */
private $variableStack = array(); private $variableStack = array();
public function __construct(FormRendererEngineInterface $engine, CsrfProviderInterface $csrfProvider = null) public function __construct(FormRendererEngineInterface $engine, CsrfTokenGeneratorInterface $csrfTokenGenerator = null)
{ {
$this->engine = $engine; $this->engine = $engine;
$this->csrfProvider = $csrfProvider; $this->csrfTokenGenerator = $csrfTokenGenerator;
} }
/** /**
@ -74,13 +74,13 @@ class FormRenderer implements FormRendererInterface
/** /**
* {@inheritdoc} * {@inheritdoc}
*/ */
public function renderCsrfToken($intention) public function renderCsrfToken($tokenId)
{ {
if (null === $this->csrfProvider) { if (null === $this->csrfTokenGenerator) {
throw new BadMethodCallException('CSRF token can only be generated if a CsrfProviderInterface is injected in the constructor.'); throw new BadMethodCallException('CSRF tokens can only be generated if a CsrfTokenGeneratorInterface is injected in FormRenderer::__construct().');
} }
return $this->csrfProvider->generateCsrfToken($intention); return $this->csrfTokenGenerator->generateCsrfToken($tokenId);
} }
/** /**

8
src/Symfony/Component/Form/FormRendererInterface.php
View File

@ -73,20 +73,20 @@ interface FormRendererInterface
* <input type="hidden" name="token" value="<?php $renderer->renderCsrfToken('rm_user_'.$user->getId()) ?>"> * <input type="hidden" name="token" value="<?php $renderer->renderCsrfToken('rm_user_'.$user->getId()) ?>">
* </code> * </code>
* *
* Check the token in your action using the same intention. * Check the token in your action using the same token ID.
* *
* <code> * <code>
* $csrfProvider = $this->get('form.csrf_provider'); * $csrfProvider = $this->get('security.csrf.token_generator');
* if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) { * if (!$csrfProvider->isCsrfTokenValid('rm_user_'.$user->getId(), $token)) {
* throw new \RuntimeException('CSRF attack detected.'); * throw new \RuntimeException('CSRF attack detected.');
* } * }
* </code> * </code>
* *
* @param string $intention The intention of the protected action * @param string $tokenId The ID of the CSRF token
* *
* @return string A CSRF token * @return string A CSRF token
*/ */
public function renderCsrfToken($intention); public function renderCsrfToken($tokenId);
/** /**
* Makes a technical name human readable. * Makes a technical name human readable.

2
src/Symfony/Component/Form/Tests/AbstractDivLayoutTest.php
View File

@ -471,7 +471,7 @@ abstract class AbstractDivLayoutTest extends AbstractLayoutTest
public function testCsrf() public function testCsrf()
{ {
$this->csrfProvider->expects($this->any()) $this->csrfTokenGenerator->expects($this->any())
->method('generateCsrfToken') ->method('generateCsrfToken')
->will($this->returnValue('foo&bar')); ->will($this->returnValue('foo&bar'));

8
src/Symfony/Component/Form/Tests/AbstractLayoutTest.php
View File

@ -17,7 +17,7 @@ use Symfony\Component\Form\Extension\Csrf\CsrfExtension;
abstract class AbstractLayoutTest extends \Symfony\Component\Form\Test\FormIntegrationTestCase abstract class AbstractLayoutTest extends \Symfony\Component\Form\Test\FormIntegrationTestCase
{ {
protected $csrfProvider; protected $csrfTokenGenerator;
protected function setUp() protected function setUp()
{ {
@ -27,7 +27,7 @@ abstract class AbstractLayoutTest extends \Symfony\Component\Form\Test\FormInteg
\Locale::setDefault('en'); \Locale::setDefault('en');
$this->csrfProvider = $this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'); $this->csrfTokenGenerator = $this->getMock('Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface');
parent::setUp(); parent::setUp();
} }
@ -35,13 +35,13 @@ abstract class AbstractLayoutTest extends \Symfony\Component\Form\Test\FormInteg
protected function getExtensions() protected function getExtensions()
{ {
return array( return array(
new CsrfExtension($this->csrfProvider), new CsrfExtension($this->csrfTokenGenerator),
); );
} }
protected function tearDown() protected function tearDown()
{ {
$this->csrfProvider = null; $this->csrfTokenGenerator = null;
parent::tearDown(); parent::tearDown();
} }

2
src/Symfony/Component/Form/Tests/AbstractTableLayoutTest.php
View File

@ -336,7 +336,7 @@ abstract class AbstractTableLayoutTest extends AbstractLayoutTest
public function testCsrf() public function testCsrf()
{ {
$this->csrfProvider->expects($this->any()) $this->csrfTokenGenerator->expects($this->any())
->method('generateCsrfToken') ->method('generateCsrfToken')
->will($this->returnValue('foo&bar')); ->will($this->returnValue('foo&bar'));

9
src/Symfony/Component/Form/Tests/Extension/Csrf/EventListener/CsrfValidationListenerTest.php
View File

@ -19,13 +19,14 @@ class CsrfValidationListenerTest extends \PHPUnit_Framework_TestCase
{ {
protected $dispatcher; protected $dispatcher;
protected $factory; protected $factory;
protected $csrfProvider; protected $tokenGenerator;
protected $form;
protected function setUp() protected function setUp()
{ {
$this->dispatcher = $this->getMock('Symfony\Component\EventDispatcher\EventDispatcherInterface'); $this->dispatcher = $this->getMock('Symfony\Component\EventDispatcher\EventDispatcherInterface');
$this->factory = $this->getMock('Symfony\Component\Form\FormFactoryInterface'); $this->factory = $this->getMock('Symfony\Component\Form\FormFactoryInterface');
$this->csrfProvider = $this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'); $this->tokenGenerator = $this->getMock('Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface');
$this->form = $this->getBuilder('post') $this->form = $this->getBuilder('post')
->setDataMapper($this->getDataMapper()) ->setDataMapper($this->getDataMapper())
->getForm(); ->getForm();
@ -35,7 +36,7 @@ class CsrfValidationListenerTest extends \PHPUnit_Framework_TestCase
{ {
$this->dispatcher = null; $this->dispatcher = null;
$this->factory = null; $this->factory = null;
$this->csrfProvider = null; $this->tokenGenerator = null;
$this->form = null; $this->form = null;
} }
@ -65,7 +66,7 @@ class CsrfValidationListenerTest extends \PHPUnit_Framework_TestCase
$data = "XP4HUzmHPi"; $data = "XP4HUzmHPi";
$event = new FormEvent($this->form, $data); $event = new FormEvent($this->form, $data);
$validation = new CsrfValidationListener('csrf', $this->csrfProvider, 'unknown', 'Invalid.'); $validation = new CsrfValidationListener('csrf', $this->tokenGenerator, 'unknown', 'Invalid.');
$validation->preSubmit($event); $validation->preSubmit($event);
// Validate accordingly // Validate accordingly

32
src/Symfony/Component/Form/Tests/Extension/Csrf/Type/FormTypeCsrfExtensionTest.php
View File

@ -37,7 +37,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
/** /**
* @var \PHPUnit_Framework_MockObject_MockObject * @var \PHPUnit_Framework_MockObject_MockObject
*/ */
protected $csrfProvider; protected $tokenGenerator;
/** /**
* @var \PHPUnit_Framework_MockObject_MockObject * @var \PHPUnit_Framework_MockObject_MockObject
@ -46,7 +46,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
protected function setUp() protected function setUp()
{ {
$this->csrfProvider = $this->getMock('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface'); $this->tokenGenerator = $this->getMock('Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface');
$this->translator = $this->getMock('Symfony\Component\Translation\TranslatorInterface'); $this->translator = $this->getMock('Symfony\Component\Translation\TranslatorInterface');
parent::setUp(); parent::setUp();
@ -54,7 +54,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
protected function tearDown() protected function tearDown()
{ {
$this->csrfProvider = null; $this->tokenGenerator = null;
$this->translator = null; $this->translator = null;
parent::tearDown(); parent::tearDown();
@ -63,7 +63,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
protected function getExtensions() protected function getExtensions()
{ {
return array_merge(parent::getExtensions(), array( return array_merge(parent::getExtensions(), array(
new CsrfExtension($this->csrfProvider, $this->translator), new CsrfExtension($this->tokenGenerator, $this->translator),
)); ));
} }
@ -123,7 +123,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
public function testGenerateCsrfToken() public function testGenerateCsrfToken()
{ {
$this->csrfProvider->expects($this->once()) $this->tokenGenerator->expects($this->once())
->method('generateCsrfToken') ->method('generateCsrfToken')
->with('%INTENTION%') ->with('%INTENTION%')
->will($this->returnValue('token')); ->will($this->returnValue('token'));
@ -131,7 +131,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
$view = $this->factory $view = $this->factory
->create('form', null, array( ->create('form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => true, 'compound' => true,
)) ))
@ -153,7 +153,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
*/ */
public function testValidateTokenOnSubmitIfRootAndCompound($valid) public function testValidateTokenOnSubmitIfRootAndCompound($valid)
{ {
$this->csrfProvider->expects($this->once()) $this->tokenGenerator->expects($this->once())
->method('isCsrfTokenValid') ->method('isCsrfTokenValid')
->with('%INTENTION%', 'token') ->with('%INTENTION%', 'token')
->will($this->returnValue($valid)); ->will($this->returnValue($valid));
@ -161,7 +161,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
$form = $this->factory $form = $this->factory
->createBuilder('form', null, array( ->createBuilder('form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => true, 'compound' => true,
)) ))
@ -182,13 +182,13 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
public function testFailIfRootAndCompoundAndTokenMissing() public function testFailIfRootAndCompoundAndTokenMissing()
{ {
$this->csrfProvider->expects($this->never()) $this->tokenGenerator->expects($this->never())
->method('isCsrfTokenValid'); ->method('isCsrfTokenValid');
$form = $this->factory $form = $this->factory
->createBuilder('form', null, array( ->createBuilder('form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => true, 'compound' => true,
)) ))
@ -209,7 +209,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
public function testDontValidateTokenIfCompoundButNoRoot() public function testDontValidateTokenIfCompoundButNoRoot()
{ {
$this->csrfProvider->expects($this->never()) $this->tokenGenerator->expects($this->never())
->method('isCsrfTokenValid'); ->method('isCsrfTokenValid');
$form = $this->factory $form = $this->factory
@ -217,7 +217,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
->add($this->factory ->add($this->factory
->createNamedBuilder('form', 'form', null, array( ->createNamedBuilder('form', 'form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => true, 'compound' => true,
)) ))
@ -233,13 +233,13 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
public function testDontValidateTokenIfRootButNotCompound() public function testDontValidateTokenIfRootButNotCompound()
{ {
$this->csrfProvider->expects($this->never()) $this->tokenGenerator->expects($this->never())
->method('isCsrfTokenValid'); ->method('isCsrfTokenValid');
$form = $this->factory $form = $this->factory
->create('form', null, array( ->create('form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => false, 'compound' => false,
)); ));
@ -269,7 +269,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
public function testsTranslateCustomErrorMessage() public function testsTranslateCustomErrorMessage()
{ {
$this->csrfProvider->expects($this->once()) $this->tokenGenerator->expects($this->once())
->method('isCsrfTokenValid') ->method('isCsrfTokenValid')
->with('%INTENTION%', 'token') ->with('%INTENTION%', 'token')
->will($this->returnValue(false)); ->will($this->returnValue(false));
@ -282,7 +282,7 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
$form = $this->factory $form = $this->factory
->createBuilder('form', null, array( ->createBuilder('form', null, array(
'csrf_field_name' => 'csrf', 'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider, 'csrf_provider' => $this->tokenGenerator,
'csrf_message' => 'Foobar', 'csrf_message' => 'Foobar',
'intention' => '%INTENTION%', 'intention' => '%INTENTION%',
'compound' => true, 'compound' => true,

4
src/Symfony/Component/Form/composer.json
View File

@ -27,8 +27,8 @@
"symfony/http-foundation": "~2.2" "symfony/http-foundation": "~2.2"
}, },
"suggest": { "suggest": {
"symfony/validator": "", "symfony/validator": "For form validation.",
"symfony/http-foundation": "" "symfony/security-csrf": "For protecting forms against CSRF attacks."
}, },
"autoload": { "autoload": {
"psr-0": { "Symfony\\Component\\Form\\": "" } "psr-0": { "Symfony\\Component\\Form\\": "" }