bug #46960 [FrameworkBundle] Fail gracefully when forms use disabled CSRF (HeahDude)

fabpot · fabpot · commit ff1dbc182bb7 · 2022-07-19T13:40:09.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- [FrameworkBundle] Fail gracefully when forms use disabled CSRF | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | kind of | New feature? | no | Deprecations? | no | Tickets | ~ | License | MIT | Doc PR | ~ Relates to symfony/symfony-docs#16973. Currently with the following config in Symfony demo: ```yaml # config/packages/framework.yaml framework: csrf_protection: false form: csrf_protection: true ``` we get: >The service "form.type_extension.csrf" has a dependency on a non-existent service "security.csrf.token_manager". We should consider this PR as a bug fix to make this exception actionable. Commits ------- 5990182698 [FrameworkBundle] Fail gracefully when forms use disabled CSRF
diff --git a/DependencyInjection/FrameworkExtension.php b/DependencyInjection/FrameworkExtension.php
@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
         }
 
         if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+            if (!$container->hasDefinition('security.csrf.token_generator')) {
+                throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+            }
+
             $loader->load('form_csrf.xml');
 
             $container->setParameter('form.type_extension.csrf.enabled', true);
diff --git a/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php b/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php
@@ -0,0 +1,8 @@
+<?php
+
+$container->loadFromExtension('framework', [
+    'csrf_protection' => false,
+    'form' => [
+        'csrf_protection' => true,
+    ],
+]);
diff --git a/Tests/DependencyInjection/Fixtures/xml/form_csrf_disabled.xml b/Tests/DependencyInjection/Fixtures/xml/form_csrf_disabled.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:framework="http://symfony.com/schema/dic/symfony"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+            https://symfony.com/schema/dic/services/services-1.0.xsd
+            http://symfony.com/schema/dic/symfony
+            https://symfony.com/schema/dic/symfony/symfony-1.0.xsd"
+>
+    <framework:config>
+        <framework:csrf-protection enabled="false"/>
+        <framework:form enabled="true">
+            <framework:csrf-protection enabled="true"/>
+        </framework:form>
+    </framework:config>
+</container>
diff --git a/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml b/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml
@@ -0,0 +1,4 @@
+framework:
+    csrf_protection: false
+    form:
+        csrf_protection: true
diff --git a/Tests/DependencyInjection/FrameworkExtensionTest.php b/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -84,6 +84,14 @@ public function testFormCsrfProtection()
         $this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
     }
 
+    public function testFormCsrfProtectionWithCsrfDisabled()
+    {
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+
+        $this->createContainerFromFile('form_csrf_disabled');
+    }
+
     public function testPropertyAccessWithDefaultValue()
     {
         $container = $this->createContainerFromFile('full');

Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {`
	`499`	`+ if (!$container->hasDefinition('security.csrf.token_generator')) {`
	`500`	+ throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
	`501`	`+ }`
	`502`	`+`
`499`	`503`	`$loader->load('form_csrf.xml');`
`500`	`504`
`501`	`505`	`$container->setParameter('form.type_extension.csrf.enabled', true);`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,14 @@ public function testFormCsrfProtection()`
`84`	`84`	`$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));`
`85`	`85`	`}`
`86`	`86`
	`87`	`+ public function testFormCsrfProtectionWithCsrfDisabled()`
	`88`	`+ {`
	`89`	`+ $this->expectException(\LogicException::class);`
	`90`	+ $this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
	`91`	`+`
	`92`	`+ $this->createContainerFromFile('form_csrf_disabled');`
	`93`	`+ }`
	`94`	`+`
`87`	`95`	`public function testPropertyAccessWithDefaultValue()`
`88`	`96`	`{`
`89`	`97`	`$container = $this->createContainerFromFile('full');`