minor #12168 [HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride() (Kristof Van Cauwenbergh)
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride()
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #12043
| License | MIT
| Doc PR | /
Since I wanted to understand this issue, I did some research and altered the comment block. Is this a clear enough explanation, or does it need more?
Commits
-------
deb70ab
CSRF warning docs on Request::enableHttpMethodParameterOverride()
This commit is contained in:
commit
8d2c2964bb
@ -648,6 +648,9 @@ class Request
|
|||||||
*
|
*
|
||||||
* Be warned that enabling this feature might lead to CSRF issues in your code.
|
* Be warned that enabling this feature might lead to CSRF issues in your code.
|
||||||
* Check that you are using CSRF tokens when required.
|
* Check that you are using CSRF tokens when required.
|
||||||
|
* If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
|
||||||
|
* and used to send a "PUT" or "DELETE" request via the _method request parameter.
|
||||||
|
* If these methods are not protected against CSRF, this presents a possible vulnerability.
|
||||||
*
|
*
|
||||||
* The HTTP method can only be overridden when the real HTTP method is POST.
|
* The HTTP method can only be overridden when the real HTTP method is POST.
|
||||||
*/
|
*/
|
||||||
|
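Review bot: the new docblock sentence "Check that you are using CSRF tokens when required." is vaguer than the warning needs, and it comes before the lines that explain why: with the override enabled, any route answering PUT or DELETE becomes reachable from an ordinary HTML form submission via the `_method` parameter, so those routes need the same CSRF protection as a POST route. Suggest moving that sentence after the `_method` explanation and making it concrete, e.g. "Check that any route handling PUT or DELETE is protected by a CSRF token, not only your POST routes." Two style points in the same lines: "html-form" should read "HTML form", matching the "HTTP" capitalisation used elsewhere in this docblock, and "this presents a possible vulnerability" could name the vulnerability the docblock already refers to ("this is a CSRF vulnerability") so the warning is unambiguous.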