Hello guys,

Just a thought:

Wouldn't it be possible to hack the CSRF token generation to add a salt
based on the primary key or whatever field you don't want to be changed?

If hacking the CSRF itself is not possible, why not implement something
similar in the Doctrine base form?

2010/5/10 Michał Piotrowski <[email protected]>

> 2010/5/10 Tom Boutell <[email protected]>:
> > The bind() call in processForm() allows the ID in the submitted form
> > to override what you just checked.
>
> Ok, I'm starting to understand now.
>
> But CSRF protection should protect against malicious forms crafted by
> someone else.
>
> > (Unless you've hacked up your
> > processForm, which I can't see. But if it's the standard CRUD one
> > that's what will happen.)
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
>

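The idea proposed above (a CSRF token salted with the record's primary key), as an added example that is not symfony's code, nor the poster's or Doctrine's: a standalone PHP sketch in which the token is an HMAC over the form name and the object id under a per-session secret, so a submission whose id field differs from the one the form was rendered for fails validation. The function names objectCsrfToken and isValidObjectCsrf, the _csrf_token field name and the sample data are assumptions made for illustration.

```php
<?php
// Added example, not symfony's sfForm code: bind the CSRF token to the record
// it protects, so a POST that carries a different primary key than the one the
// form was rendered for fails CSRF validation.
// Assumptions: a per-session secret already exists (here generated inline),
// and the form's "id" field is the value that must not be tampered with.

function objectCsrfToken(string $sessionSecret, string $formName, string $objectId): string
{
    // Feed the object id into the MAC input, separated from the form name by a
    // NUL byte so "ab"+"c" and "a"+"bc" cannot collide. The token is therefore
    // only valid for this form, this record and this session.
    return hash_hmac('sha256', $formName . "\0" . $objectId, $sessionSecret);
}

function isValidObjectCsrf(string $sessionSecret, string $formName, array $post): bool
{
    if (!isset($post['_csrf_token'], $post['id'])) {
        return false;
    }
    // Recompute the token for the id that was actually submitted: if the client
    // changed "id" after the form was rendered, the HMAC no longer matches.
    $expected = objectCsrfToken($sessionSecret, $formName, (string) $post['id']);
    // Constant-time comparison so a wrong token does not leak the expected one
    // byte by byte through timing.
    return hash_equals($expected, (string) $post['_csrf_token']);
}

// --- constructed demo data, not taken from the thread ---
$secret = bin2hex(random_bytes(32));   // would normally be stored in the user's session
$form   = 'article_edit';

// The server renders the edit form for record 42 and embeds this token in it.
$token = objectCsrfToken($secret, $form, '42');

// Legitimate submit: id unchanged, token matches.
var_dump(isValidObjectCsrf($secret, $form, ['id' => '42', '_csrf_token' => $token, 'title' => 'ok']));

// Tampered submit: the client rewrites id to 7 but keeps the token issued for 42.
var_dump(isValidObjectCsrf($secret, $form, ['id' => '7', '_csrf_token' => $token, 'title' => 'changed']));
```

Run it with the php command-line binary; the first var_dump prints bool(true) and the second bool(false). What this buys is narrower than it may look: a matching token only proves that this session rendered an edit form for that id, so the check is exactly as strong as the authorization applied when the form is rendered, and bind() still has to be fed the id that was checked rather than whatever the request carries. It is a second fence around the id-override problem Tom describes, not a replacement for the ownership check.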