Hello, I would like to know how this can work when we set the _with_csrf parameter on post / put ... parameters:
In sfBrowserBase we can see the code below, that's great:

    if (isset($parameters['_with_csrf']) && $parameters['_with_csrf'])
    {
      unset($parameters['_with_csrf']);
      $form = new BaseForm();
      $parameters[$form->getCSRFFieldName()] = $form->getCSRFToken();
    }

But if we set the name format in a form, the csrf field will change too:

    class myForm extends BaseForm
    {
      public function setup()
      {
        $this->widgetSchema->setNameFormat('test[%s]');
      }
    }

    //page.html
    <input type="hidden" name="test[_csrf_token]" value=""/>

Then we post from a functional test:

    $browser->post(
      'test.html',
      array('_with_csrf' => true, 'test' => array('foo' => 'bar')));

Obviously the code in sfBrowserBase does not seem to work.

Cheers.

PS: For now I set csrf_secret: false on the test env :s
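Added example, not part of the original post and not symfony's own code: a stand-alone PHP model of the mismatch described above, showing where the token lands with the top-level injection and where a form using the `test[%s]` name format looks for it. The helper names, the `CSRF_FIELD` constant and the token value are hypothetical, and it assumes the form is bound to the `test` sub-array of the request.

```php
<?php
// Stand-alone model of the parameter handling; no symfony classes are loaded.
// CSRF_FIELD and the token value below are constructed sample values.
const CSRF_FIELD = '_csrf_token';

// Mirrors the sfBrowserBase snippet: the token is added at the top level.
function injectTopLevel(array $params, string $token): array
{
    if (!empty($params['_with_csrf'])) {
        unset($params['_with_csrf']);
        $params[CSRF_FIELD] = $token;
    }
    return $params;
}

// Hypothetical helper: place the token where a form with the name format
// "<name>[%s]" renders its hidden field, i.e. inside the form's own array.
function injectForNameFormat(array $params, string $nameFormat, string $token): array
{
    unset($params['_with_csrf']);
    if (!preg_match('/^(\w+)\[%s\]$/', $nameFormat, $m)) {
        $params[CSRF_FIELD] = $token; // plain "%s" format: field stays top level
        return $params;
    }
    $params[$m[1]][CSRF_FIELD] = $token;
    return $params;
}

// The CSRF value a form bound to $params[$formName] receives (assumption:
// the action binds the form to that sub-array), or null if it is absent.
function tokenSeenByForm(array $params, string $formName): ?string
{
    return $params[$formName][CSRF_FIELD] ?? null;
}

$token = 'constructed-token-value';
$post  = ['_with_csrf' => true, 'test' => ['foo' => 'bar']];

// Top-level injection: the token sits beside 'test', so the form never sees it.
$topLevel = injectTopLevel($post, $token);
var_dump(array_keys($topLevel), tokenSeenByForm($topLevel, 'test'));

// Name-format-aware injection: the token is nested under 'test' with 'foo'.
$nested = injectForNameFormat($post, 'test[%s]', $token);
var_dump(array_keys($nested['test']), tokenSeenByForm($nested, 'test'));
```

In a real functional test the same placement would mean adding the token under the `test` key of the posted array, which keeps CSRF checking enabled in the test environment.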