CSRF warning docs on Request::enableHttpMethodParameterOverride()
[HttpFoundation] fixed the docs so that they give some explanation about how you are vulnerable to CSRF when you enable the httpMethodParameterOverride
parent 6df49bb9e1
commit deb70aba15
@ -648,6 +648,9 @@ class Request
*
* Be warned that enabling this feature might lead to CSRF issues in your code.
* Check that you are using CSRF tokens when required.
* If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
* and used to send a "PUT" or "DELETE" request via the _method request parameter.
* If these methods are not protected against CSRF, this presents a possible vulnerability.
*
* The HTTP method can only be overridden when the real HTTP method is POST.
*/
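Review bot: the line `* Check that you are using CSRF tokens when required.` leaves "when required" undefined, while the rest of the added docblock already gives the concrete condition: once the override is enabled, a plain POST form can reach PUT or DELETE handlers through the `_method` parameter, so the actionable advice is that whatever CSRF protection is enforced on POST must also be enforced on every handler reachable through the override (PUT, DELETE, and any other overridden method), or the override should stay disabled. Suggest rewording that line to say so explicitly, e.g. `* Make sure every PUT/DELETE handler reachable through _method has the same CSRF protection as your POST handlers.` Minor: "an html-form" should read "an HTML form", and the closing sentence `* The HTTP method can only be overridden when the real HTTP method is POST.` is the key scoping fact and would read better placed directly before the warning rather than after it.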