[FrameworkBundle] Only enable CSRF protection when enabled in config #9252
Conversation
|
ping @bschussek |
| @@ -91,6 +87,12 @@ public function load(array $configs, ContainerBuilder $container) | |||
| $loader->load('test.xml'); | |||
| } | |||
|
|
|||
| if ($this->isConfigEnabled($container, $config['csrf_protection'])) { | |||
| // Enable services for CSRF protection (even without forms) | |||
| $loader->load('security.xml'); | |||
There was a problem hiding this comment.
The SecureRandom definition should not depend on the activation of CSRF
|
The "csrf_protection" setting is form specific, while the CSRF services are independent of forms. So your solution only works if you create a second configuration setting. |
|
@stof @bschussek Ok, so what about this:
I think this makes the most sense for now. |
|
@asm89 It does not. The |
|
@bschussek |
|
@bschussek Ok, I see what you mean. I was referring too much to the "old" situation. Any suggestions for naming the new configuration option? I'll add it + tests etc. That will mean that if you enable csrf protection for forms, you will also have to enable the security csrf stuff and session, but that's fine (and default). :) |
|
@stof Yes, that was what I thought, hence my suggestion above. In the "old" situation I guess "csrf_protection" only had impact on forms, but now you also get access to a token generator etc. |
|
What's the benefit of making this configurable? |
|
@asm89 the CSRF token generator was also exposed outside forms previously |
|
I pushed a new commit, now the secure random generator service is always created, the csrf stuff only if you enable it in the configuration. @bschussek We don't use it. By always loading |
|
@bschussek As the CSRF system has a dependency on the session, and the session system can be disabled (if you are building a stateless API for instance), it is important to allow disabling it (otherwise you forbid disabling the session) |
|
That's a good point then. The commit is still missing the changes to the configuration class, as well as a test case. Also, the setting should default to |
|
@bschussek which configuration change ? The config already exists as of 2.1 (or maybe even 2.0 but this is too old for me to remember). Your refactoring made it being ignored. @asm89 in 2.3, there is a LogicException being thrown when enabling the CSRF protection without enabling the session. You should also restore it |
|
@stof Sorry, my bad. I forgot that these two settings are already decoupled. 👍 then |
|
@stof Ok, so I'll restore the |
|
@asm89 Actually, you only need to move the exception. It is still thrown by the configuration of form in case the CSRF protection is enabled. The exception should be thrown by the registration of the CSRF system itself |
|
@stof @bschussek @fabpot Ok, we have to change the default configuration of the framework bundle. Currently we try to do the following by default:
But since csrf depends on session, this makes no sense. We can do one of the following:
For now I'll pushed the version where csrf is off by default. Note that the configuration shipped with symfony standard enables csrf, forms and sessions by default. |
|
I just came up with another option. We can/should introduce a new configuration option under the # this will throw an exception that it needs csrf_protection to be enabled
framework:
form: ~# this will throw an exception that it needs session to be enabled
framework:
csrf_protection: ~
form: ~# this is fine
framework:
csrf_protection: ~
form: ~
session: ~# this is also fine
framework:
form:
csrf_protection: falseI think by introducing an extra configuration setting |
|
@asm89 Please don't change the default value in the Configuration class, keeping the same than in 2.3. Anything else would be a BC break. |
|
@stof ok, but then the default configuration will throw a LogicException
|
|
ah sorry, the default is indeed not working anymore because of csrf_protection being enabled by default but not session. But as 2.3 loads the CSRF only when enabling forms, the default was working previously. We indeed need to change some default even if now fully BC (the only way to be fully BC would be to make the CSRF dependent on form again, which looks like a weird choice) Your proposal looks good to me. It is technically as small BC break (you have to list |
| $this->registerSessionConfiguration($config['session'], $container, $loader); | ||
| } | ||
|
|
||
| if (isset($config['csrf_protection'])) { | ||
| $this->registerSecurityConfiguration($config['csrf_protection'], $container, $loader); |
There was a problem hiding this comment.
This is wrong. As you moved the loading of security.xml into the method, it must always be called.
Please add a test checking that security.secure_random is available when disabling CSRF.
| ->arrayNode('csrf_protection') | ||
| ->canBeEnabled() | ||
| ->children() | ||
| ->scalarNode('field_name')->defaultValue('_token')->end() |
There was a problem hiding this comment.
should this field not be marked as deprecated because the option under form should be used instead?
There was a problem hiding this comment.
Yes, is there a way to do this in Di?
There was a problem hiding this comment.
just mention it's deprecated with ->info() and what to use instead
|
@fabpot I think this one is good to go. Should I mention the change in the changelog + add a note somewhere that the deprecated setting should be removed in 3.0? |
|
👍 looks good |
| ->children() | ||
| ->scalarNode('field_name') | ||
| ->defaultValue('_token') | ||
| ->info('Deprecated: use form.csrf_protection.field_name instead.') |
There was a problem hiding this comment.
You should add that the setting will be removed in 3.0.
|
@asm89 Can you add a note in the changelog? Also, anything that needs to be updated in the official documentation? Anything that needs to be tweaked in the default configuration of the Symfony SE (even if things are commented there)? |
|
@fabpot symfony SE config is fine and does not need to be updated. |
|
Docs update PR: symfony/symfony-docs#3114 |
|
@fabpot What file do you want the message in? The CHANGELOG files are generated afaik. Deprecation notice in UPGRADING-2.4 and a removal notice in UPGRADING-3.0? |
|
@asm89 not the changelog of the components between minor versions. The only generated changelogs are the changelogs for maintenance releases at the root of the repo |
Small addition to (doc string only): symfony#9252
This PR was merged into the master branch. Discussion ---------- [FrameworkBundle] Update deprecation message Small addition to (doc string only): symfony#9252 Commits ------- b057fab [FrameworkBundle] Update deprecation message
Small addition to (doc string only): symfony/symfony#9252
This PR was merged into the master branch. Discussion ---------- [FrameworkBundle] Update deprecation message Small addition to (doc string only): symfony/symfony#9252 Commits ------- b057fab [FrameworkBundle] Update deprecation message
bf85e83 introduced new service configuration for CSRF protection in the frameworkbundle. It is always enabled even if you don't use it. Since it also depends on enabling the session that's not so nice.