Maybe, but hacking it into CSRF is a torturous, circuitous route to do
the obvious thing: stop passing the id in the form.

On Mon, May 10, 2010 at 10:10 AM, Marc Weistroff
<[email protected]> wrote:
> Hello guys,
>
> Just a thought:
>
> Wouldn't it be possible to hack the csrf token generation to add a salt
> based on the primary key or whatever field you don't want to be changed?
>
> If hacking the csrf itself is not possible, why not implement something
> similar in the doctrine base form?
>
> 2010/5/10 Michał Piotrowski <[email protected]>
>>
>> 2010/5/10 Tom Boutell <[email protected]>:
>> > The bind() call in processForm() allows the ID in the submitted form
>> > to override what you just checked.
>>
>> Ok, I'm starting to understand now.
>>
>> But CSRF protection should protect against malicious forms crafted by
>> someone else.
>>
>> > (Unless you've hacked up your
>> > processForm, which I can't see. But if it's the standard CRUD one
>> > that's what will happen.)
>>
>> --
>> If you want to report a vulnerability issue on symfony, please send it to
>> security at symfony-project.com
>>
>> You received this message because you are subscribed to the Google
>> Groups "symfony developers" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/symfony-devs?hl=en
>



-- 
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com

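As an added illustration of the fix Tom describes (this is example code written for this page, not code from the thread, from symfony's CRUD generator, or from any project mentioned here), the snippet below shows a symfony 1.x Doctrine form and action pair. The model `Article`, the generated `BaseArticleForm`, the field names and the module layout are all assumptions made for the example. The action follows the shape the thread refers to: it loads the object named by the URL's `id`, wraps the form around it, then calls `bind()`. While the form still carries an `id` field, the submitted value is bound over the object that was just checked; removing the field from the form makes the action's lookup the only thing that decides which record is edited.

```php
<?php
// Added example, not code from the thread or from symfony's generator.
// Assumed model: Article (Doctrine 1.2), with a generated BaseArticleForm.

// lib/form/doctrine/ArticleForm.class.php
class ArticleForm extends BaseArticleForm
{
  public function configure()
  {
    // The fix from the thread: stop passing the primary key through the form.
    // sfForm implements ArrayAccess, so this removes 'id' from both the widget
    // schema and the validator schema. bind() then has no 'id' field to fill,
    // so it cannot overwrite the object the action already loaded and checked.
    unset($this['id']);

    // Equivalent whitelist form (symfony 1.4): keep only the editable fields
    // and drop everything else, including 'id'.
    // $this->useFields(array('title', 'body'));
  }
}

// apps/frontend/modules/article/actions/actions.class.php
class articleActions extends sfActions
{
  public function executeUpdate(sfWebRequest $request)
  {
    $this->forward404Unless($request->isMethod(sfRequest::PUT) || $request->isMethod(sfRequest::POST));

    // The check: the record to edit is chosen by the URL parameter only.
    // Any ownership or permission test belongs here, on $article, before the
    // form is built around it.
    $article = Doctrine_Core::getTable('Article')->find($request->getParameter('id'));
    $this->forward404Unless($article, sprintf('Object article does not exist (%s).', $request->getParameter('id')));

    $this->form = new ArticleForm($article);
    $this->processForm($request, $this->form);
    $this->setTemplate('edit');
  }

  protected function processForm(sfWebRequest $request, sfForm $form)
  {
    // bind() validates the submitted array against the form's validator
    // schema. Because ArticleForm::configure() removed 'id', an 'article[id]'
    // value in the request is reported as an unexpected extra field (or
    // filtered out, if the form allows extra fields) instead of replacing
    // the primary key of the object loaded in executeUpdate().
    $form->bind($request->getParameter($form->getName()), $request->getFiles($form->getName()));

    if ($form->isValid())
    {
      // save() updates the object the form was constructed with, i.e. the one
      // the action looked up and checked, never one chosen by the client.
      $article = $form->save();
      $this->redirect('article/edit?id='.$article->getId());
    }
  }
}
```

The CSRF token does not enter into this: symfony's default token is derived from the form class and the session, not from the record, so a valid token for one `Article` is equally valid for any other. That is why the thread's suggestion of salting the token with the primary key would work in principle, but dropping the `id` field removes the override path directly and keeps the authorization decision in the action where it can be tested.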
