Ok. I see.

On Fri, Feb 2, 2018 at 3:42 PM, Carl-Eric Menzel <[email protected]> wrote:

> GET requests can be triggered by someone opening a page with e.g. an image URL pointing to that. In a small application, this URL can be guessable.
>
> But even if it weren't a security issue - I still would like to know why there is this inconsistency between onFormSubmitted and onFormSubmitted(submitter).
>
> On Fri, Feb 2, 2018, at 15:39, Ernesto Reinaldo Barreiro wrote:
>
> > Ok. But does that pose a real security issue? I.e. a not-logged-in user triggering a click on "that" button that does not exist for them?
> >
> > On Fri, Feb 2, 2018 at 3:36 PM, Carl-Eric Menzel <[email protected]> wrote:
> >
> > > You're not wrong, but I'd still like to be able to block GET. And the other question is **why** this check isn't done for forms with submit components (I haven't tried it, but I suspect using a regular button rather than an ajax button would run into the same issue).
> > >
> > > On Fri, Feb 2, 2018, at 14:45, Ernesto Reinaldo Barreiro wrote:
> > >
> > > > Hi,
> > > >
> > > > Maybe I'm wrong, but for AJAX only a logged-in user could get that REQUEST to work because it is page relative. Or am I completely wrong?
> > > >
> > > > On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I've just encountered an interesting oddity. For a normal form submission, there is Form#onMethodMismatch where I can decide what should happen if somebody calls the form's URL with a GET request rather than the usual POST. At least in 6.x and 7.x this is called from onFormSubmitted() - but not from onFormSubmitted(submitter).
> > > > >
> > > > > The result is that for forms that have an ajax button and thus a valid submitter, I can't stop somebody building a GET request and firing that against the button's URL. Theoretically I could override AjaxFormSubmitBehavior's onEvent method, but that doesn't work for ajax buttons, which build their own AjaxFormSubmitBehavior.
> > > > >
> > > > > On one of my current projects the customer is quite security-minded and would like the application to block these GET requests. My question is: Is it intentional that only the regular onFormSubmitted() method checks this? If yes, I'd like to know the reasoning please. If not, I'm going to write a patch to fix this.
> > > > >
> > > > > Or maybe I'm missing something and am going the wrong way entirely. In that case, let me know please.
> > > > >
> > > > > Carl-Eric
> > > >
> > > > --
> > > > Regards - Ernesto Reinaldo Barreiro
> >
> > --
> > Regards - Ernesto Reinaldo Barreiro

--
Regards - Ernesto Reinaldo Barreiro
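One application-side mitigation for the gap Carl-Eric describes, written as an added example that is not code from this thread or from the Wicket project: a Form subclass that repeats the HTTP-method check on the submitter path, so a GET aimed at an AJAX button's listener URL is treated the same way as a GET against the form's own URL. It assumes Wicket 6.x/7.x, where Form#onFormSubmitted(IFormSubmitter) can be overridden and the container request is an HttpServletRequest; MethodCheckedForm is a hypothetical class name.

```java
// Added example, not from the mailing-list thread or from Wicket itself.
// Assumes Wicket 6.x/7.x: Form#onFormSubmitted(IFormSubmitter) is overridable and
// AjaxFormSubmitBehavior routes the submission through the root form.
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.IFormSubmitter;
import org.apache.wicket.request.Request;

public class MethodCheckedForm<T> extends Form<T>
{
    public MethodCheckedForm(String id)
    {
        super(id);
    }

    /** Compare the actual request method with the form's declared method (POST by default). */
    private boolean methodMatches()
    {
        Request request = getRequest();
        if (!(request.getContainerRequest() instanceof HttpServletRequest))
        {
            return true; // not running in a servlet container; nothing to compare against
        }
        String actual = ((HttpServletRequest)request.getContainerRequest()).getMethod();
        return actual.equalsIgnoreCase(getMethod());
    }

    /** ABORT drops a mismatched submission instead of continuing with it. */
    @Override
    protected MethodMismatchResponse onMethodMismatch()
    {
        return MethodMismatchResponse.ABORT;
    }

    @Override
    public void onFormSubmitted(IFormSubmitter submitter)
    {
        // Form#onFormSubmitted() already performs this check for plain submissions;
        // repeating it here covers submissions that arrive with a submitter (e.g. AjaxButton).
        if (!methodMatches() && onMethodMismatch() == MethodMismatchResponse.ABORT)
        {
            return;
        }
        super.onFormSubmitted(submitter);
    }
}
```

Nested forms delegate to the root form, so the check belongs on the outermost Form in the hierarchy.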
