minor #12168 [HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride() (Kristof Van Cauwenbergh)

This PR was merged into the 2.3 branch. Discussion ---------- [HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride() | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #12043 | License | MIT | Doc PR | / Since I wanted to understand this issue I did some research and altered the comment block. Is this a clear enough explanation or does it need more? Commits ------- deb70ab CSRF warning docs on Request::enableHttpMethodParameterOverride()
2014-11-02 02:30:13 +01:00 · 2014-11-02 02:30:13 +01:00 · 8d2c2964bb
parent b7f8f4eab7 deb70aba15
commit 8d2c2964bb
1 changed files with 3 additions and 0 deletions
--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@ -648,6 +648,9 @@ class Request
     *
     * Be warned that enabling this feature might lead to CSRF issues in your code.
     * Check that you are using CSRF tokens when required.
+     * If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
+     * and used to send a "PUT" or "DELETE" request via the _method request parameter.
+     * If these methods are not protected against CSRF, this presents a possible vulnerability.
     *
     * The HTTP method can only be overridden when the real HTTP method is POST.
     */