Commit fab0d6d

committed
[FrameworkBundle] Fail gracefully when forms use disabled CSRF
1 parent 92c7e6e commit fab0d6d

5 files changed

+42
-0
lines changed

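--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -496,6 +496,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 }
 
 if ($this->isConfigEnabled($container, $config['form']['csrf_protection'])) {
+if (!$container->hasDefinition('security.csrf.token_generator')) {
+throw new \LogicException('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+}
+
 $loader->load('form_csrf.xml');
 
 $container->setParameter('form.type_extension.csrf.enabled', true);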
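Review bot: The guard added to registerFormConfiguration treats the presence of the `security.csrf.token_generator` definition as proof that `framework.csrf_protection` is enabled, which is only true if the CSRF services are registered before this method runs; that ordering is not visible in the hunk. A short comment above the check, for example `// CSRF services must already be registered at this point, otherwise this throws for a valid config`, would stop a later reordering from producing a false failure. `hasDefinition()` also does not see aliases, so if that id can be aliased `$container->has('security.csrf.token_generator')` is the more tolerant test. Throwing at container build time is the right direction, since a misconfiguration surfaces as an error rather than as forms built without a working token service. The method starts and ends outside the hunk.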
@@ -0,0 +1,8 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', [
4+
'csrf_protection' => false,
5+
'form' => [
6+
'csrf_protection' => true,
7+
],
8+
]);
@@ -0,0 +1,17 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services
7+
https://symfony.com/schema/dic/services/services-1.0.xsd
8+
http://symfony.com/schema/dic/symfony
9+
https://symfony.com/schema/dic/symfony/symfony-1.0.xsd"
10+
>
11+
<framework:config>
12+
<framework:csrf-protection enabled="false"/>
13+
<framework:form enabled="true">
14+
<framework:csrf-protection enabled="true"/>
15+
</framework:form>
16+
</framework:config>
17+
</container>
@@ -0,0 +1,4 @@
1+
framework:
2+
csrf_protection: false
3+
form:
4+
csrf_protection: true

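--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -32,6 +32,7 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\Compiler\MergeExtensionConfigurationPass;
 use Symfony\Component\DependencyInjection\Compiler\ResolveInstanceofConditionalsPass;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -84,6 +85,14 @@ public function testFormCsrfProtection()
 $this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
 }
 
+public function testFormCsrfProtectionWithCsrfDisabled()
+{
+$this->expectException(\LogicException::class);
+$this->expectExceptionMessage('To use form CSRF protection `framework.csrf_protection` must be enabled.');
+
+$this->createContainerFromFile('form_csrf_disabled');
+}
+
 public function testPropertyAccessWithDefaultValue()
 {
 $container = $this->createContainerFromFile('full');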
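Review bot: The added `use Symfony\Component\DependencyInjection\Compiler\MergeExtensionConfigurationPass;` is not referenced by anything this section adds; testFormCsrfProtectionWithCsrfDisabled only calls `expectException`, `expectExceptionMessage` and `createContainerFromFile`. Unless code outside these hunks uses it, drop the import. The test itself would be easier to read with a one-line comment such as `// form CSRF enabled while framework.csrf_protection is off must fail at build time`, since the fixture name alone does not say which of the two switches is disabled.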
