[Form] Fixed: CSRF protection did not run if token was missing

This commit is contained in:
Bernhard Schussek 2012-04-20 18:51:15 +02:00
parent eb75ab1b74
commit c623fcf4d4
2 changed files with 28 additions and 2 deletions


@ -63,8 +63,8 @@ class CsrfValidationListener implements EventSubscriberInterface
$form = $event->getForm();
$data = $event->getData();
if ($form->isRoot() && $form->hasChildren() && isset($data[$this->fieldName])) {
if (!$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
if ($form->isRoot() && $form->hasChildren()) {
if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
$form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
}
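Review bot: The new condition on the second changed line still hands `$data[$this->fieldName]` to the provider without checking its type, so a submitted value that is an array rather than a string reaches `isCsrfTokenValid()` unchanged; the outcome then depends on the provider comparing strictly, which this hunk cannot show. Failing closed on non-string tokens keeps the listener's contract independent of the provider: `if (!isset($data[$this->fieldName]) || !is_string($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {`. The short-circuit order also deserves a one-line comment, since the added test relies on it: `// A missing token fails validation without consulting the provider`. The enclosing method starts and ends outside the hunk, so whether the token is later removed from the data is not visible here.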


@ -171,6 +171,32 @@ class FormTypeCsrfExtensionTest extends TypeTestCase
$this->assertSame($valid, $form->isValid());
}
public function testFailIfRootAndChildrenAndTokenMissing()
{
$this->csrfProvider->expects($this->never())
->method('isCsrfTokenValid');
$form = $this->factory
->createBuilder('form', null, array(
'csrf_field_name' => 'csrf',
'csrf_provider' => $this->csrfProvider,
'intention' => '%INTENTION%'
))
->add($this->factory->createNamedBuilder('form', 'child'))
->getForm();
$form->bind(array(
'child' => 'foobar',
// token is missing
));
// Remove token from data
$this->assertSame(array('child' => 'foobar'), $form->getData());
// Validate accordingly
$this->assertFalse($form->isValid());
}
public function testDontValidateTokenIfChildrenButNoRoot()
{
$this->csrfProvider->expects($this->never())