[Form] CsrfValidationListener marks the token as invalid if it is not a string

Saša Stamenković 2019-01-14 17:30:34 +01:00 committed by Nicolas Grekas
parent afb7bb5dde
commit deb8e95091
2 changed files with 11 additions and 1 deletions


@ -59,7 +59,7 @@ class CsrfValidationListener implements EventSubscriberInterface
if ($form->isRoot() && $form->getConfig()->getOption('compound') && !$postRequestSizeExceeded) {
$data = $event->getData();
if (!isset($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
if (!isset($data[$this->fieldName]) || !\is_string($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
$errorMessage = $this->errorMessage;
if (null !== $this->translator) {
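Review bot: The rewritten condition indexes `$data[$this->fieldName]` three times on one line and has no comment saying why the type check is there, so the fail-closed intent is easy to lose in a later refactor. Reading the value once keeps the type check and the token construction on the same value: `$csrfValue = $data[$this->fieldName] ?? null;` followed by `if (!\is_string($csrfValue) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $csrfValue))) {`. A one-line comment such as `// Submitted data is client-controlled: a non-string token (e.g. an array) is rejected as invalid before it reaches the token manager.` would record the reason. The enclosing method starts and ends outside the hunk.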


@ -64,6 +64,16 @@ class CsrfValidationListenerTest extends TestCase
$this->assertSame($data, $event->getData());
}
public function testArrayCsrfToken()
{
$event = new FormEvent($this->form, ['csrf' => []]);
$validation = new CsrfValidationListener('csrf', $this->tokenManager, 'unknown', 'Invalid.');
$validation->preSubmit($event);
$this->assertNotEmpty($this->form->getErrors());
}
public function testMaxPostSizeExceeded()
{
$serverParams = $this