[FrameworkBundle] Fail gracefully when forms use disabled CSRF

HeahDude · HeahDude · commit 5990182698e2 · 2022-07-19T11:11:57.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
         }
 
         if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+            if (!$container->hasDefinition('security.csrf.token_generator')) {
+                throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+            }
+
             $loader->load('form_csrf.xml');
 
             $container->setParameter('form.type_extension.csrf.enabled', true);
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/form_csrf_disabled.php
@@ -0,0 +1,8 @@
+<?php
+
+$container->loadFromExtension('framework', [
+    'csrf_protection' => false,
+    'form' => [
+        'csrf_protection' => true,
+    ],
+]);
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/form_csrf_disabled.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/form_csrf_disabled.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:framework="http://symfony.com/schema/dic/symfony"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+            https://symfony.com/schema/dic/services/services-1.0.xsd
+            http://symfony.com/schema/dic/symfony
+            https://symfony.com/schema/dic/symfony/symfony-1.0.xsd"
+>
+    <framework:config>
+        <framework:csrf-protection enabled="false"/>
+        <framework:form enabled="true">
+            <framework:csrf-protection enabled="true"/>
+        </framework:form>
+    </framework:config>
+</container>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/form_csrf_disabled.yml
@@ -0,0 +1,4 @@
+framework:
+    csrf_protection: false
+    form:
+        csrf_protection: true
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -84,6 +84,14 @@ public function testFormCsrfProtection()
         $this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
     }
 
+    public function testFormCsrfProtectionWithCsrfDisabled()
+    {
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+
+        $this->createContainerFromFile('form_csrf_disabled');
+    }
+
     public function testPropertyAccessWithDefaultValue()
     {
         $container = $this->createContainerFromFile('full');

Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {`
	`499`	`+ if (!$container->hasDefinition('security.csrf.token_generator')) {`
	`500`	+ throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
	`501`	`+ }`
	`502`	`+`
`499`	`503`	`$loader->load('form_csrf.xml');`
`500`	`504`
`501`	`505`	`$container->setParameter('form.type_extension.csrf.enabled', true);`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,14 @@ public function testFormCsrfProtection()`
`84`	`84`	`$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));`
`85`	`85`	`}`
`86`	`86`
	`87`	`+ public function testFormCsrfProtectionWithCsrfDisabled()`
	`88`	`+ {`
	`89`	`+ $this->expectException(\LogicException::class);`
	`90`	+ $this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
	`91`	`+`
	`92`	`+ $this->createContainerFromFile('form_csrf_disabled');`
	`93`	`+ }`
	`94`	`+`
`87`	`95`	`public function testPropertyAccessWithDefaultValue()`
`88`	`96`	`{`
`89`	`97`	`$container = $this->createContainerFromFile('full');`