Author: Kris.Wallsmith
Date: 2010-02-12 17:12:44 +0100 (Fri, 12 Feb 2010)
New Revision: 27954
Modified:
branches/1.3/lib/form/sfForm.class.php
branches/1.3/test/unit/form/sfFormTest.php
branches/1.4/lib/form/sfForm.class.php
branches/1.4/test/unit/form/sfFormTest.php
Log:
[1.3, 1.4] fixed enabling of local csrf protection when disabled globally
(closes #8228)
Modified: branches/1.3/lib/form/sfForm.class.php
===================================================================
--- branches/1.3/lib/form/sfForm.class.php 2010-02-12 16:08:19 UTC (rev
27953)
+++ branches/1.3/lib/form/sfForm.class.php 2010-02-12 16:12:44 UTC (rev
27954)
@@ -827,7 +827,7 @@
if ($this->isCSRFProtected())
{
- $this->setDefault(self::$CSRFFieldName,
$this->getCSRFToken(self::$CSRFSecret));
+ $this->setDefault(self::$CSRFFieldName,
$this->getCSRFToken($this->localCSRFSecret ? $this->localCSRFSecret :
self::$CSRFSecret));
}
$this->resetFormFields();
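Review bot: The boolean sentinel that enableLocalCSRFProtection() now stores (hunk @@ -938 below, `null === $secret ? true : $secret`) is passed straight into getCSRFToken() on this line, and inside the `md5($secret.session_id().get_class($this))` concatenation `true` stringifies to "1", so a form that enables local protection without a secret hashes a fixed, guessable secret, and a configured global secret is no longer used for such a form. The same sentinel is resolved in the @@ -897 hunk and set in the @@ -938 hunk, and all three hunks are repeated verbatim in branches/1.4/lib/form/sfForm.class.php. I would keep a boolean out of the hash entirely by having enableLocalCSRFProtection(null) store a real secret, e.g. `$this->localCSRFSecret = null === $secret ? <derived-secret-placeholder> : $secret;`, reusing whatever default the static enableCSRFProtection() derives for a null secret if it has one (not visible here). The truthy test `$this->localCSRFSecret ? ... : self::$CSRFSecret` also treats the string secret '0' as unset and silently falls back to the global one. Since the @@ -897 hunk makes a null argument resolve the same way, this line can simply be `$this->setDefault(self::$CSRFFieldName, $this->getCSRFToken());` and the duplicated ternary goes away.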
@@ -897,7 +897,7 @@
{
if (null === $secret)
{
- $secret = self::$CSRFSecret;
+ $secret = $this->localCSRFSecret ? $this->localCSRFSecret :
self::$CSRFSecret;
}
return md5($secret.session_id().get_class($this));
@@ -938,7 +938,7 @@
*/
public function enableLocalCSRFProtection($secret = null)
{
- $this->localCSRFSecret = $secret;
+ $this->localCSRFSecret = null === $secret ? true : $secret;
}
/**
Modified: branches/1.3/test/unit/form/sfFormTest.php
===================================================================
--- branches/1.3/test/unit/form/sfFormTest.php 2010-02-12 16:08:19 UTC (rev
27953)
+++ branches/1.3/test/unit/form/sfFormTest.php 2010-02-12 16:12:44 UTC (rev
27954)
@@ -10,7 +10,7 @@
require_once(dirname(__FILE__).'/../../bootstrap/unit.php');
-$t = new lime_test(155);
+$t = new lime_test(157);
class FormTest extends sfForm
{
@@ -82,6 +82,14 @@
}
}
+class TestForm4 extends FormTest
+{
+ public function configure()
+ {
+ $this->enableLocalCSRFProtection($this->getOption('csrf_secret'));
+ }
+}
+
sfForm::disableCSRFProtection();
// __construct()
@@ -175,9 +183,15 @@
$t->ok(!$f->isCSRFProtected(),'->disableLocalCSRFProtection() disabled CSRF
protection for the current form, even if the global CSRF protection is
enabled');
$f = new TestForm3(array(), array(), 'foo');
$t->ok(!$f->isCSRFProtected(),'->disableLocalCSRFProtection() disabled CSRF
protection for the current form, even a CSRF secret is provided in the
constructor');
+sfForm::disableCSRFProtection();
+$f = new TestForm4();
+$t->ok($f->isCSRFProtected(), '->enableLocalCSRFProtection() enables CSRF
protection when passed null and global CSRF is disabled');
+$f = new TestForm4(array(), array('csrf_secret' => '**localsecret**'));
+$t->ok($f->isCSRFProtected(), '->enableLocalCSRFProtection() enables CSRF
protection when passed a string global CSRF is disabled');
// ::getCSRFFieldName() ::setCSRFFieldName()
$t->diag('::getCSRFFieldName() ::setCSRFFieldName()');
+sfForm::enableCSRFProtection();
sfForm::setCSRFFieldName('_token_');
$f = new FormTest();
$v = $f->getValidatorSchema();
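Review bot: The two new assertions only check isCSRFProtected(), so they pass even if the token is derived from an empty or sentinel secret, which is exactly the behaviour this commit changes. I would pin the secret actually used, e.g. after `$f = new TestForm4();` add `$t->isnt($f->getCSRFToken(), md5('1'.session_id().'TestForm4'), '->getCSRFToken() does not hash the boolean sentinel as the secret');` and after the '**localsecret**' construction `$t->is($f->getCSRFToken(), md5('**localsecret**'.session_id().'TestForm4'), '->getCSRFToken() uses the local secret');`. The message of the second new assertion, "when passed a string global CSRF is disabled", is missing "and" before "global". The same hunk is repeated in branches/1.4/test/unit/form/sfFormTest.php.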
Modified: branches/1.4/lib/form/sfForm.class.php
===================================================================
--- branches/1.4/lib/form/sfForm.class.php 2010-02-12 16:08:19 UTC (rev
27953)
+++ branches/1.4/lib/form/sfForm.class.php 2010-02-12 16:12:44 UTC (rev
27954)
@@ -827,7 +827,7 @@
if ($this->isCSRFProtected())
{
- $this->setDefault(self::$CSRFFieldName,
$this->getCSRFToken(self::$CSRFSecret));
+ $this->setDefault(self::$CSRFFieldName,
$this->getCSRFToken($this->localCSRFSecret ? $this->localCSRFSecret :
self::$CSRFSecret));
}
$this->resetFormFields();
@@ -897,7 +897,7 @@
{
if (null === $secret)
{
- $secret = self::$CSRFSecret;
+ $secret = $this->localCSRFSecret ? $this->localCSRFSecret :
self::$CSRFSecret;
}
return md5($secret.session_id().get_class($this));
@@ -938,7 +938,7 @@
*/
public function enableLocalCSRFProtection($secret = null)
{
- $this->localCSRFSecret = $secret;
+ $this->localCSRFSecret = null === $secret ? true : $secret;
}
/**
Modified: branches/1.4/test/unit/form/sfFormTest.php
===================================================================
--- branches/1.4/test/unit/form/sfFormTest.php 2010-02-12 16:08:19 UTC (rev
27953)
+++ branches/1.4/test/unit/form/sfFormTest.php 2010-02-12 16:12:44 UTC (rev
27954)
@@ -10,7 +10,7 @@
require_once(dirname(__FILE__).'/../../bootstrap/unit.php');
-$t = new lime_test(155);
+$t = new lime_test(157);
class FormTest extends sfForm
{
@@ -82,6 +82,14 @@
}
}
+class TestForm4 extends FormTest
+{
+ public function configure()
+ {
+ $this->enableLocalCSRFProtection($this->getOption('csrf_secret'));
+ }
+}
+
sfForm::disableCSRFProtection();
// __construct()
@@ -175,9 +183,15 @@
$t->ok(!$f->isCSRFProtected(),'->disableLocalCSRFProtection() disabled CSRF
protection for the current form, even if the global CSRF protection is
enabled');
$f = new TestForm3(array(), array(), 'foo');
$t->ok(!$f->isCSRFProtected(),'->disableLocalCSRFProtection() disabled CSRF
protection for the current form, even a CSRF secret is provided in the
constructor');
+sfForm::disableCSRFProtection();
+$f = new TestForm4();
+$t->ok($f->isCSRFProtected(), '->enableLocalCSRFProtection() enables CSRF
protection when passed null and global CSRF is disabled');
+$f = new TestForm4(array(), array('csrf_secret' => '**localsecret**'));
+$t->ok($f->isCSRFProtected(), '->enableLocalCSRFProtection() enables CSRF
protection when passed a string global CSRF is disabled');
// ::getCSRFFieldName() ::setCSRFFieldName()
$t->diag('::getCSRFFieldName() ::setCSRFFieldName()');
+sfForm::enableCSRFProtection();
sfForm::setCSRFFieldName('_token_');
$f = new FormTest();
$v = $f->getValidatorSchema();