diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000000..b2ce2a1f601a
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,7 @@
+CHANGELOG
+=========
+
+7.3
+---
+
+ * feature #60537 [Form] Renaming the default CSRF token form field from `_token` to `_csrf_token` (ThomasLandauer)
\ No newline at end of file
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index f4e137f04b98..38c97da33e8d 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -253,7 +253,7 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
 ->children()
 ->scalarNode('enabled')->defaultNull()->end() // defaults to framework.csrf_protection.enabled
 ->scalarNode('token_id')->defaultNull()->end()
- ->scalarNode('field_name')->defaultValue('_token')->end()
+ ->scalarNode('field_name')->defaultValue('_csrf_token')->end()
 ->arrayNode('field_attr')
 ->performNoDeepMerging()
 ->normalizeKeys(false)
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
index c8142e98ab1a..5591558f7170 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -747,7 +747,7 @@ protected static function getBundleDefaultConfig()
 'enabled' => !class_exists(FullStack::class),
 'csrf_protection' => [
 'enabled' => null, // defaults to csrf_protection.enabled
- 'field_name' => '_token',
+ 'field_name' => '_csrf_token',
 'field_attr' => ['data-controller' => 'csrf-protection'],
 'token_id' => null,
 ],
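Review bot: The new `_csrf_token` default on the `field_name` node changes, for every form built through the framework, which request parameter the CSRF token is read from, and nothing in the hunk records that the previous value was `_token` or how a deployment can keep it. The `token_id` line just above already carries a trailing why-comment, so I would give this line the same treatment: `->scalarNode('field_name')->defaultValue('_csrf_token')->end() // was '_token' before 7.3; set it explicitly to keep hand-written templates that still post name="_token"`. Pages rendered or cached before a deploy will keep posting the old name and presumably fail the CSRF check, which is the right direction for a security control but deserves a visible upgrade note; the note this commit adds lands in a new top-level CHANGELOG.md, whereas, if the repository layout is what I expect, UPGRADE-7.3.md and the Form component's own CHANGELOG are where readers will look for it. The `addFormSection` method this hunk sits in begins and ends outside the hunk.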
diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
index 33c4616b4cf6..73f4f792f3b3 100644
--- a/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
+++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfExtension.php
@@ -32,7 +32,7 @@ public function __construct(
 protected function loadTypeExtensions(): array
 {
 return [
- new Type\FormTypeCsrfExtension($this->tokenManager, true, '_token', $this->translator, $this->translationDomain),
+ new Type\FormTypeCsrfExtension($this->tokenManager, true, '_csrf_token', $this->translator, $this->translationDomain),
 ];
 }
 }
diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
index a12b9a41ee29..2f678a9cf0ec 100644
--- a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
+++ b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
@@ -32,7 +32,7 @@ class FormTypeCsrfExtension extends AbstractTypeExtension
 public function __construct(
 private CsrfTokenManagerInterface $defaultTokenManager,
 private bool $defaultEnabled = true,
- private string $defaultFieldName = '_csrf_token',
+ private string $defaultFieldName = '_csrf_token',
 private ?TranslatorInterface $translator = null,
 private ?string $translationDomain = null,
 private ?ServerParams $serverParams = null,
diff --git a/src/Symfony/Component/Form/Tests/DependencyInjection/FormPassTest.php b/src/Symfony/Component/Form/Tests/DependencyInjection/FormPassTest.php
index f0ccd3f095fb..ec183580a697 100644
--- a/src/Symfony/Component/Form/Tests/DependencyInjection/FormPassTest.php
+++ b/src/Symfony/Component/Form/Tests/DependencyInjection/FormPassTest.php
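Review bot: The literal `'_csrf_token'` is now repeated as the `$defaultFieldName` constructor default here, as a positional argument in `CsrfExtension::loadTypeExtensions()` in the previous hunk, as the FrameworkBundle config default and in the FormPass test, so the next rename has four places to miss and the request key a CSRF check depends on can silently drift between them. I would declare it once on this class, `public const DEFAULT_FIELD_NAME = '_csrf_token';`, make the promoted parameter `private string $defaultFieldName = self::DEFAULT_FIELD_NAME,`, and have `CsrfExtension` pass `Type\FormTypeCsrfExtension::DEFAULT_FIELD_NAME` instead of the string. A one-line docblock on the constant, saying it is the request parameter the extension reads the token from and that it was `_token` before 7.3, would also give the upgrade note a symbol to point at. The constructor this hunk changes continues past the end of the hunk.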
@@ -102,7 +102,7 @@ public function testAddTaggedTypesToCsrfTypeExtension()
 $container->register('form.registry', FormRegistry::class);
 $container->register('form.type_extension.csrf', FormTypeCsrfExtension::class)
- ->setArguments([null, true, '_token', null, 'validator.translation_domain', null, [], null])
+ ->setArguments([null, true, '_csrf_token', null, 'validator.translation_domain', null, [], null])
 ->setPublic(true);
 $container->setDefinition('form.extension', $this->createExtensionDefinition());
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php b/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php
index 6226fb60bca5..2ee33e8a8db5 100644
--- a/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php
+++ b/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php
@@ -25,7 +25,7 @@ public function __construct(
 /**
 * Sets the key of the request that contains the actual token value that should be validated.
 */
- public ?string $tokenKey = '_token',
+ public ?string $tokenKey = '_csrf_token',
 /**
 * Sets the available http methods that can be used to validate the token.
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
index 6ce136ffc9a0..792ea3c7235a 100644
--- a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
@@ -28,7 +28,7 @@ class IsCsrfTokenValidAttributeListenerTest extends TestCase
 {
 public function testIsCsrfTokenValidCalledCorrectlyOnInvokableClass()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
 $csrfTokenManager->expects($this->once())
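Review bot: The docblock above `$tokenKey` in the IsCsrfTokenValid hunk still says only "the key of the request", while the default it documents now changes from `_token` to `_csrf_token`, and this attribute is the one place where the token field is typically hand-written in a template rather than rendered by the Form component, so an unchanged `<input type="hidden" name="_token">` will stop matching the default. I would extend the docblock to: `* Sets the key of the request payload (form parameter or JSON member) that contains the actual token value that should be validated. Defaults to "_csrf_token" (was "_token" before 7.3), the same field name FormTypeCsrfExtension now uses.` The payload wording follows the listener tests updated in this commit, which feed the key both as a POST parameter and inside a JSON body. Whether a request that lacks the key is rejected or skipped appears to depend on the configured methods, judging by the `...WithInvalidTokenKeyAndPostMethod` and `...UnavailableMethod` test names, so a short sentence on that in the docblock would spare readers a trip into the listener. The attribute constructor this hunk sits in starts and ends outside the hunk.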
@@ -68,7 +68,7 @@ public function testNothingHappensWithNoConfig()
 public function testIsCsrfTokenValidCalledCorrectly()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
 $csrfTokenManager->expects($this->once())
@@ -90,7 +90,7 @@ public function testIsCsrfTokenValidCalledCorrectly()
 public function testIsCsrfTokenValidCalledCorrectlyInPayload()
 {
- $request = new Request(server: ['headers' => ['content-type' => 'application/json']], content: json_encode(['_token' => 'bar']));
+ $request = new Request(server: ['headers' => ['content-type' => 'application/json']], content: json_encode(['_csrf_token' => 'bar']));
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
 $csrfTokenManager->expects($this->once())
@@ -112,7 +112,7 @@ public function testIsCsrfTokenValidCalledCorrectlyInPayload()
 public function testIsCsrfTokenValidCalledCorrectlyWithCustomExpressionId()
 {
- $request = new Request(query: ['id' => '123'], request: ['_token' => 'bar']);
+ $request = new Request(query: ['id' => '123'], request: ['_csrf_token' => 'bar']);
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
 $csrfTokenManager->expects($this->once())
@@ -165,7 +165,7 @@ public function testIsCsrfTokenValidCalledCorrectlyWithCustomTokenKey()
 public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKey()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
 $csrfTokenManager->expects($this->once())
@@ -209,7 +209,7 @@ public function testExceptionWhenInvalidToken()
 public function testIsCsrfTokenValidCalledCorrectlyWithDeleteMethod()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('DELETE');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
@@ -232,7 +232,7 @@ public function testIsCsrfTokenValidCalledCorrectlyWithDeleteMethod()
 public function testIsCsrfTokenValidIgnoredWithNonMatchingMethod()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('POST');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
@@ -254,7 +254,7 @@ public function testIsCsrfTokenValidIgnoredWithNonMatchingMethod()
 public function testIsCsrfTokenValidCalledCorrectlyWithGetOrPostMethodWithGetMethod()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('GET');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
@@ -277,7 +277,7 @@ public function testIsCsrfTokenValidCalledCorrectlyWithGetOrPostMethodWithGetMet
 public function testIsCsrfTokenValidNoIgnoredWithGetOrPostMethodWithPutMethod()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('PUT');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
@@ -301,7 +301,7 @@ public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKeyAndPostMet
 {
 $this->expectException(InvalidCsrfTokenException::class);
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('POST');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
@@ -324,7 +324,7 @@ public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKeyAndPostMet
 public function testIsCsrfTokenValidIgnoredWithInvalidTokenKeyAndUnavailableMethod()
 {
- $request = new Request(request: ['_token' => 'bar']);
+ $request = new Request(request: ['_csrf_token' => 'bar']);
 $request->setMethod('PUT');
 $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);