EZP-22995

Disable ezformtoken for lowlevel legacy fallbacks

    Details

    • Sprint:
      Castor Core S1, Castor Core S2

      Description

      People attempting to use Symfony forms have a lot of issues with ezformtoken.
      Current workarounds are either to manually add the legacy form token to the form in addition to the one already added by the Symfony forms code, or to completely disable it for the frontend (combined with disallowing login in the frontend to avoid attacks there), enabling it only for the backend.

      Reason for the issue is in most cases:

      • the Symfony CSRF intention property for the legacy kernel (ezformtoken) is "legacy"
      • while for REST and Symfony forms it is, and for best practice should be, something else

      It is impossible to detect this in legacy alone in a secure way.
      However, if all code calling legacy for low-level legacy callbacks could pass a feature flag to disable the form token for the duration of the callback, this would in theory solve most of the issues and remove the need for workarounds.
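      The following PHP sketch is an added illustration of the callback-scoped flag described above; it is not code from ezpublish-kernel or from the reporter, and every name in it (LegacyFormTokenGuard, withoutFormToken, legacyCheckFormToken, symfonyCsrfIsValid, the intention string "content_edit", the ezxform_token field name and the sample request) is a hypothetical stand-in. The point it demonstrates is the security contract the proposal depends on: the caller may disable the legacy check only after it has validated its own (non-"legacy") CSRF token, and the flag must be restored in a finally block so it never outlives the callback, even when the callback throws.

```php
<?php
// Added example, not ezpublish-kernel code. All names are hypothetical.

final class LegacyFormTokenGuard
{
    private static bool $disabled = false;

    public static function isDisabled(): bool
    {
        return self::$disabled;
    }

    /**
     * Run $callback with the legacy form-token check disabled.
     * The previous state is restored in `finally`, so the flag is scoped
     * to the callback and cannot leak into later requests or code paths.
     */
    public static function withoutFormToken(callable $callback)
    {
        $previous = self::$disabled;
        self::$disabled = true;
        try {
            return $callback();
        } finally {
            self::$disabled = $previous;
        }
    }
}

// Stand-in for the legacy ezformtoken check (field name is an assumption).
function legacyCheckFormToken(array $post, string $expected): void
{
    if (LegacyFormTokenGuard::isDisabled()) {
        return; // caller has already validated its own CSRF token
    }
    if (!isset($post['ezxform_token']) || !hash_equals($expected, (string) $post['ezxform_token'])) {
        throw new RuntimeException('Invalid legacy form token');
    }
}

// Stand-in for Symfony-side CSRF validation with an intention other than "legacy".
// Real Symfony uses its own token generator; an HMAC over the intention is enough here.
function symfonyCsrfIsValid(string $intention, string $submitted, string $secret): bool
{
    $expected = hash_hmac('sha256', $intention, $secret);
    return hash_equals($expected, $submitted);
}

// Caller side: validate the Symfony token first, only then call into legacy with the flag set.
function handleSymfonyForm(array $post, string $secret): string
{
    if (!symfonyCsrfIsValid('content_edit', (string) ($post['_token'] ?? ''), $secret)) {
        throw new RuntimeException('Invalid Symfony CSRF token');
    }
    return LegacyFormTokenGuard::withoutFormToken(function () use ($post): string {
        // Without the flag this would fail: the Symfony form carries no ezxform_token.
        legacyCheckFormToken($post, 'legacy-token-value');
        return 'saved';
    });
}

// Constructed sample request: a Symfony form POST with a valid "_token" and no legacy token.
$secret = 'dev-secret';
$post = [
    '_token' => hash_hmac('sha256', 'content_edit', $secret),
    'title'  => 'Hello',
];
echo handleSymfonyForm($post, $secret), "\n";

// Outside the callback the legacy check is active again and rejects the same request.
try {
    legacyCheckFormToken($post, 'legacy-token-value');
    echo "unexpected: legacy check was skipped\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Tampered Symfony token: the caller must refuse before ever reaching the legacy callback.
try {
    handleSymfonyForm(['_token' => 'forged'] + $post, $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

      The caveat this makes visible: the flag does not make the legacy check redundant, it delegates the CSRF decision to the caller. A caller that sets the flag without first validating a token of its own (for example a frontend login action) simply turns CSRF protection off for that path, which is exactly the situation the "disable it for frontend" workaround was trying to avoid.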

      Forum posts:

        Issue Links

          Activity

          André Rømcke added a comment - PR: https://github.com/ezsystems/ezpublish-kernel/pull/951
          André Rømcke added a comment - Merged: https://github.com/ezsystems/ezpublish-kernel/commit/f56c880daa4beb1857be29423c70667b61bd469f
          Pedro Resende (Inactive) added a comment -

          Tested and approved by Q.A.

          André Rømcke added a comment - Merged fix: https://github.com/ezsystems/ezpublish-kernel/commit/6a3ada7208fdc6d253f61295c35af32a2233520c

            People

            • Assignee:
              Unassigned
              Reporter:
              André Rømcke
            • Votes:
              1
              Watchers:
              3

                Time Tracking

                Estimated:
                0m
                Remaining:
                0m
                Logged:
                1d 5h 20m