eZ Publish / Platform
EZP-22995

Disable ezformtoken for lowlevel legacy fallbacks


    Details

    • Sprint:
      Castor Core S1, Castor Core S2

      Description

      People attempting to use Symfony forms have a lot of issues with ezformtoken.
      Current workarounds are either to manually add the legacy form token to the form in addition to the main one already added by the Symfony forms code, or to completely disable it for the frontend (combined with disallowing login in the frontend to avoid attacks there), enabling it only for the backend.

      The reason for the issue is, in most cases:

      • the Symfony CSRF intention property for the legacy kernel (ezformtoken) is "legacy"
      • while for REST and Symfony forms it is, and for best practice should be, something else

      It is impossible to detect this in legacy alone in a secure way.
      However, if all code calling legacy for low-level legacy callbacks could pass a feature flag to disable the form token for the duration of the callback, this would theoretically solve most of the issues and avoid the need for workarounds.

      Forum posts:
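The mismatch the issue describes, and the scoped feature flag it proposes, as an added example (not eZ Publish or ezformtoken code). The token scheme is a simplified stand-in for Symfony 2's intention-bound CSRF provider (generateCsrfToken / isCsrfTokenValid); the class names, the withTokenCheckDisabled method and the POST field name ezxform_token are assumptions for illustration.

```php
<?php
// Added illustration, not eZ Publish / ezformtoken code. Class names, the
// feature-flag method and the "ezxform_token" field name are hypothetical;
// the HMAC token is a simplified stand-in for Symfony's CSRF provider.
declare(strict_types=1);

final class IntentionCsrfProvider
{
    private string $secret;
    private string $sessionId;

    public function __construct(string $secret, string $sessionId)
    {
        $this->secret = $secret;
        $this->sessionId = $sessionId;
    }

    // A token is bound to one intention: the same session gets different
    // tokens for "legacy" and for a Symfony form with intention "contact".
    public function generateCsrfToken(string $intention): string
    {
        return hash_hmac('sha256', $intention . "\0" . $this->sessionId, $this->secret);
    }

    public function isCsrfTokenValid(string $intention, string $token): bool
    {
        return hash_equals($this->generateCsrfToken($intention), $token);
    }
}

// Stand-in for the legacy ezformtoken check, plus the flag the issue proposes:
// a caller that already validated its own REST / Symfony-form token can turn
// the legacy check off for the length of one callback, and only that long.
final class LegacyFormTokenGuard
{
    public const LEGACY_INTENTION = 'legacy';
    public const FIELD = 'ezxform_token';   // assumed POST field name

    private IntentionCsrfProvider $csrf;
    private bool $disabled = false;

    public function __construct(IntentionCsrfProvider $csrf)
    {
        $this->csrf = $csrf;
    }

    public function check(array $post): bool
    {
        if ($this->disabled) {
            return true;   // the caller vouched for this request
        }
        $token = (string) ($post[self::FIELD] ?? '');
        return $this->csrf->isCsrfTokenValid(self::LEGACY_INTENTION, $token);
    }

    /** Run $callback with the legacy check disabled; restore the flag afterwards. */
    public function withTokenCheckDisabled(callable $callback)
    {
        $previous = $this->disabled;
        $this->disabled = true;
        try {
            return $callback();
        } finally {
            $this->disabled = $previous;   // restored even if the callback throws
        }
    }
}

// --- constructed demo input, not captured traffic ---------------------------
$csrf  = new IntentionCsrfProvider('app-secret', 'sess-1234');
$guard = new LegacyFormTokenGuard($csrf);

// 1. A Symfony form posts its own token (intention "contact"); the legacy
//    check only knows intention "legacy", so it rejects the request.
$post = ['_token' => $csrf->generateCsrfToken('contact')];
var_dump($guard->check($post));

// 2. Workaround from the issue: also ship the legacy token. The check passes,
//    but every Symfony form now has to carry two tokens.
$post[LegacyFormTokenGuard::FIELD] = $csrf->generateCsrfToken('legacy');
var_dump($guard->check($post));

// 3. Proposed fix: the Symfony-side code validates its own token first, then
//    runs the low-level legacy callback with the legacy check disabled.
$symfonyPost = ['_token' => $csrf->generateCsrfToken('contact')];
if (!$csrf->isCsrfTokenValid('contact', $symfonyPost['_token'])) {
    throw new RuntimeException('Symfony form token invalid');
}
var_dump($guard->withTokenCheckDisabled(function () use ($guard, $symfonyPost) {
    return $guard->check($symfonyPost);   // passes inside the scope
}));

// 4. Outside the scope the legacy check is active again, so a request with no
//    legacy token is still refused.
var_dump($guard->check(['_token' => 'anything']));
```

The flag does not make the legacy check redundant; it moves responsibility to the caller. Step 3 is only safe because the Symfony token was verified before the callback was invoked, and the try/finally guarantees the check is re-enabled even if the legacy code throws, so a failure inside the callback cannot leave the whole request pipeline with CSRF protection switched off.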

              People

              Assignee:
              Unassigned
              Reporter:
              andre.romcke@ez.no André Rømcke
               Votes:
               1
               Watchers:
               3

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                   Estimated:
                   0m
                   Remaining:
                   0m
                   Logged:
                   1d 5h 20m