
Commit fab0d6d

committed
[FrameworkBundle] Fail gracefully when forms use disabled CSRF
1 parent 92c7e6e commit fab0d6d


5 files changed

+42
-0
lines changed


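--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 }
 
 if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+if (!$container->hasDefinition('security.csrf.token_generator')) {
+throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+}
+
 $loader->load('form_csrf.xml');
 
 $container->setParameter('form.type_extension.csrf.enabled', true);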
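Review bot: The guard added at the top of the form `csrf_protection` branch tests for the `security.csrf.token_generator` definition rather than the `framework.csrf_protection` setting itself, so it is only reliable if the CSRF services are registered before `registerFormConfiguration()` runs. That call order lies outside this hunk, as do the start and end of the method, and should be confirmed. A one-line comment above the check would record the dependency, for example `// relies on the CSRF services having been registered earlier by this extension`. Failing the container build here is the right default, since the alternative is forms that are configured for CSRF protection without a token generator behind them.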
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', [
4+
'csrf_protection' => false,
5+
'form' => [
6+
'csrf_protection' => true,
7+
],
8+
]);
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services
7+
https://symfony.com/schema/dic/services/services-1.0.xsd
8+
http://symfony.com/schema/dic/symfony
9+
https://symfony.com/schema/dic/symfony/symfony-1.0.xsd"
10+
>
11+
<framework:config>
12+
<framework:csrf-protection enabled="false"/>
13+
<framework:form enabled="true">
14+
<framework:csrf-protection enabled="true"/>
15+
</framework:form>
16+
</framework:config>
17+
</container>
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
framework:
2+
csrf_protection: false
3+
form:
4+
csrf_protection: true

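--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -32,6 +32,7 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\Compiler\MergeExtensionConfigurationPass;
 use Symfony\Component\DependencyInjection\Compiler\ResolveInstanceofConditionalsPass;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -84,6 +85,14 @@ public function testFormCsrfProtection()
 $this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
 }
 
+public function testFormCsrfProtectionWithCsrfDisabled()
+{
+$this->expectException(\LogicException::class);
+$this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+
+$this->createContainerFromFile('form_csrf_disabled');
+}
+
 public function testPropertyAccessWithDefaultValue()
 {
 $container = $this->createContainerFromFile('full');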
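Review bot: The `use Symfony\Component\DependencyInjection\Compiler\MergeExtensionConfigurationPass;` line added at new line 35 is not referenced by anything in the hunks shown for this file; `testFormCsrfProtectionWithCsrfDisabled()` only calls `createContainerFromFile()`. If nothing outside these hunks uses the class, the import should be dropped. The new test would also benefit from a short docblock stating what it pins, for example `/** Form CSRF enabled while framework.csrf_protection is off must fail at container build time. */`.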
