CSRF protection is no help against a user who has limited legitimate
privileges carrying out a malicious act to take control of an object
that is not theirs. If I have edit privileges for my own profile
(like, say, any user who signs up on many sites), I can now craft an
attack to edit *anybody's* profile.

CSRF is about preventing third parties from crafting form submissions
for innocent legitimate users to inadvertently submit. That's a
different problem.

I think your responses on this issue illustrate the fact that it is
likely being misunderstood by many developers, resulting in security
holes in many Symfony applications.

2010/5/10 Michał Piotrowski <[email protected]>:
> 2010/5/10 Tom Boutell <[email protected]>:
>> The bind() call in processForm() allows the ID in the submitted form
>> to override what you just checked.
>
> Ok, I'm starting to understand now.
>
> But CSRF protection should protect against malicious forms crafted by
> someone else.
>
>> (Unless you've hacked up your
>> processForm, which I can't see. But if it's the standard CRUD one
>> that's what will happen.)
>
> --
> If you want to report a vulnerability issue on symfony, please send it to 
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
>



-- 
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
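The following is an added illustration of the pattern the thread is arguing about, not code from the symfony project or from either author. It sketches a symfony 1.x-style update action that loads a record by the URL id, checks ownership, and then hands the raw POST data to bind(), so a submitted hidden "id" can name a different record than the one that was checked; beside it is the same action with the primary key pinned to the authorized object, plus a form-level validator that refuses any other id. The application classes and methods (Profile, ProfileForm, getUserId(), the user's getId()) are assumed for the example.

```php
<?php
// Added example (not symfony's own code). Assumes a Doctrine model
// "Profile" with a user_id column and a generated ProfileForm whose
// base class carries the usual hidden "id" field.

class profileActions extends sfActions
{
  // Vulnerable shape: ownership is checked on $profile, but bind() receives
  // the client's form values verbatim, hidden "id" included. CSRF protection
  // does nothing here: the submitter is a logged-in user sending their own form.
  public function executeUpdateUnsafe(sfWebRequest $request)
  {
    $this->forward404Unless($request->isMethod(sfRequest::POST) || $request->isMethod(sfRequest::PUT));
    $profile = Doctrine::getTable('Profile')->find($request->getParameter('id'));
    $this->forward404Unless($profile);
    // getUserId()/getId() are assumed app-specific accessors
    $this->forwardUnless($profile->getUserId() == $this->getUser()->getId(), 'default', 'secure');

    $this->form = new ProfileForm($profile);
    $this->form->bind($request->getParameter($this->form->getName()), $request->getFiles($this->form->getName()));
    if ($this->form->isValid())
    {
      $this->form->save(); // saves whatever record the bound "id" names
      $this->redirect('profile/edit?id='.$profile->getId());
    }
    $this->setTemplate('edit');
  }

  // Hardened shape: the only id the form may carry is the id of the object
  // we just authorized; the client-supplied value is discarded before bind().
  public function executeUpdate(sfWebRequest $request)
  {
    $this->forward404Unless($request->isMethod(sfRequest::POST) || $request->isMethod(sfRequest::PUT));
    $profile = Doctrine::getTable('Profile')->find($request->getParameter('id'));
    $this->forward404Unless($profile);
    $this->forwardUnless($profile->getUserId() == $this->getUser()->getId(), 'default', 'secure');

    $this->form = new ProfileForm($profile);
    $values = (array) $request->getParameter($this->form->getName(), array());
    $values['id'] = $profile->getId(); // pin the primary key to the authorized record
    $this->form->bind($values, $request->getFiles($this->form->getName()));
    if ($this->form->isValid())
    {
      $this->form->save();
      $this->redirect('profile/edit?id='.$profile->getId());
    }
    $this->setTemplate('edit');
  }
}

// Defence in depth at the form level: make the "id" validator accept only
// the id of the object the form was built around, so a mismatched id fails
// validation even if some other action forgets to pin it.
class ProfileForm extends BaseProfileForm
{
  public function configure()
  {
    $this->setValidator('id', new sfValidatorChoice(array(
      'choices'  => array($this->getObject()->getId()),
      'required' => false,
    )));
  }
}
```

The two defences are independent: pinning the id in the action fixes this one controller, while the form-level validator protects every action that binds the form. Neither replaces the CSRF token; the token guards against a third party submitting the form on the user's behalf, and this guards against the user submitting it for an object that is not theirs.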
