Maybe this http://forum.symfony-project.org/index.php?t=msg&th=17867&;
or http://forum.symfony-project.org/index.php/m/75882/ or
http://forum.symfony-project.org/index.php/m/92096/ will help you.

On Mar 4, 10:45, mbernasocchi <mbernasoc...@gmail.com> wrote:
> sorry to bother again, but the pastebin expired... now it's all
> here: http://pastebin.com/quQfBXTy
>
> and here:
>
> <?php
> /*
>  *filters.yml
> rendering: ~
>
> remember_me:
>   class: sfGuardRememberMeFilter
>
> clear_owner:
>   class: ownerFilter
>
> security:  ~
>
> # insert your own filters here
>
> cache:     ~
> execution: ~
>
> */
> /*
>  *security.yml
>  edit:
>   is_secure:  true
>   credentials: [[ admin, owner ]]               # admin OR owner
> */
>
> /**
>  * Description of ownerFilter class
>  *
>  * @author marco
>  */
> class ownerFilter extends sfFilter {
>     public function execute($filterChain) {
>         $user = $this->getContext()->getUser();
>
>         $request = $this->getContext()->getRequest();
>         $model = tools::getModelNameFromModule($request->getParameter('module'));
>
>         var_dump($request->getParameter('id'));
>         var_dump($model);
>
>         if ($model != null)
>         {
>           if (
>             $obj = Doctrine::getTable($model)->find($request->getParameter('id'))
>                     AND $obj
>                     AND $user->getGuardUser() == $obj->getAuthor()
>             ) {
>                 $user->addCredential('owner');
>           }
>           else {
>               $user->removeCredential('owner');
>           }
>         }
>
>         // Execute next filter
>         $filterChain->execute();
>         //remove the owner credential
>         $user->removeCredential('owner');
>     }
> }
>
> ?>
>
> On Mar 4, 12:54 am, mbernasocchi <mbernasoc...@gmail.com> wrote:
>
> > hi all,
> > I've set up a filter to give and take away a dynamic owner credential
> > (so that only the author of the object can edit it). my problem is
> > that as soon as I activate the filter and try to perform an action
> > that needs the owner credential, symfony reports " _csrf_token [CSRF
> > attack detected.] "
>
> > the relevant code can be found here: http://pastebin.com/7tUuTuMKh
>
> > thanks in advance
>
> > MArco
