CSRF warning docs on Request::enableHttpMethodParameterOverride()
[HttpFoundation] fixed the docs so that it gives some explanation about how you are vulnerable to CSRF when you enable the httpMethodeParameterOverride
This commit is contained in:
parent
6df49bb9e1
commit
deb70aba15
@ -648,6 +648,9 @@ class Request
|
|||||||
*
|
*
|
||||||
* Be warned that enabling this feature might lead to CSRF issues in your code.
|
* Be warned that enabling this feature might lead to CSRF issues in your code.
|
||||||
* Check that you are using CSRF tokens when required.
|
* Check that you are using CSRF tokens when required.
|
||||||
|
* If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
|
||||||
|
* and used to send a "PUT" or "DELETE" request via the _method request parameter.
|
||||||
|
* If these methods are not protected against CSRF, this presents a possible vulnerability.
|
||||||
*
|
*
|
||||||
* The HTTP method can only be overridden when the real HTTP method is POST.
|
* The HTTP method can only be overridden when the real HTTP method is POST.
|
||||||
*/
|
*/
|
||||||
|
Reference in New Issue
Block a user