  1. eZ Publish / Platform
  2. EZP-20289

Symfony CSRF protection not integrated with legacy

    Details

    • Sprint:
      Stetind Sprint 4

      Description

      CSRF protection in 5.0 is not integrated with legacy, meaning forms across both kernels are impossible.

      However, a look into how Symfony deals with this reveals that the fix is simple:

      • Inject the csrf framework.secret from symfony to legacy
      • Change ezformtoken to use this secret and generate token in the following way:
        • sha1( $this->secret . $intention . $this->session->getId() );
        • $intention can be set to "legacy"
        • there is no need to save it in the session anymore
      • (optional) Also inject Symfony yml param framework.csrf_protection.field_name and change ezformtoken to accept this form field name as well.
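
The token scheme proposed above, as an added example that is not eZ Publish or Symfony code: the class name `SharedSecretFormToken` and all sample values are hypothetical and constructed, and the constant-time comparison with `hash_equals()` (PHP 5.6+) is an addition the issue text does not mention.

```php
<?php
// Added illustration: both kernels derive the same token from the shared
// secret, the intention and the session id, so nothing is stored in the session.
final class SharedSecretFormToken
{
    private $secret;
    private $sessionId;
    private $intention;

    public function __construct($secret, $sessionId, $intention = 'legacy')
    {
        // An empty secret or session id would make the token guessable.
        if ($secret === '' || $sessionId === '') {
            throw new InvalidArgumentException('Secret and session id must be non-empty');
        }
        $this->secret = $secret;
        $this->sessionId = $sessionId;
        $this->intention = $intention;
    }

    public function generate()
    {
        // Same construction as in the description above.
        return sha1($this->secret . $this->intention . $this->sessionId);
    }

    public function isValid($submitted)
    {
        // Reject non-string input (e.g. array form fields) and compare in
        // constant time so the check does not leak how many characters matched.
        return is_string($submitted) && hash_equals($this->generate(), $submitted);
    }
}

// Constructed sample values standing in for framework.secret and the session id.
$secret = 'constructed-framework-secret';
$sessionId = 'constructed-session-id-1';

// Token issued by one kernel, checked by the other with the same inputs.
$token = (new SharedSecretFormToken($secret, $sessionId))->generate();
var_dump((new SharedSecretFormToken($secret, $sessionId))->isValid($token));

// Same token replayed against a different session, then a different intention.
var_dump((new SharedSecretFormToken($secret, 'constructed-session-id-2'))->isValid($token));
var_dump((new SharedSecretFormToken($secret, $sessionId, 'other_form'))->isValid($token));
```

Because the token is bound to the session id, it changes whenever the session id is regenerated, so forms rendered before a login or logout will fail validation afterwards.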

            People

            Assignee:
            Unassigned
            Reporter:
            andre.romcke@ez.no André Rømcke

                Time Tracking

                Estimated:
                Original Estimate - 2 days
                2d
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 2 hours, 6 seconds Time Not Required
                1d 2h