
Changeset 8158


Changeset 8158

Timestamp:
03/30/08 18:17:00 (1 year ago)
Author:
fabien
Message:

added a form_csrf_secret setting + disabled CSRF protection by default

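--- a/branches/1.1/lib/config/config/settings.yml
+++ b/branches/1.1/lib/config/config/settings.yml
@@ -20,4 +20,7 @@
     compressed:             off       # Enable PHP response compression. Set to on to compress the outgoing HTML via the PHP handler.
     check_lock:             off       # Enable the application lock system triggered by the clear-cache and disable tasks. Set to on to have all requests to disabled applications redirected to the $sf_symfony_data_dir/web/arrors/unavailable.php page.
+
+    # Form security secret (CSRF protection)
+    form_csrf_secret:       false     # Unique secret to enable CSRF protection or false to disable
 
     # Output escaping settings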
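Review bot: The inline comment on the new `form_csrf_secret` line says only "Unique secret", but the value is handed verbatim to `sfForm::enableCSRFProtection()` in the sfApplicationConfiguration hunk, so the comment should say what an acceptable value looks like. I would change it to `form_csrf_secret:       false     # Long random string, unique to this application, to enable CSRF protection; false to disable`. A null value (`~`) is not the same as false for the consuming check and is not covered by this comment either.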
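--- a/branches/1.1/lib/config/sfApplicationConfiguration.class.php
+++ b/branches/1.1/lib/config/sfApplicationConfiguration.class.php
@@ -103,4 +103,9 @@
     }
 
+    if (false !== sfConfig::get('sf_form_csrf_secret'))
+    {
+      sfForm::enableCSRFProtection(sfConfig::get('sf_form_csrf_secret'));
+    }
+
     // force setting default timezone if not set
     if ($default_timezone = sfConfig::get('sf_default_timezone'))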
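Review bot: The guard on the new line 105 accepts every value other than boolean false as a secret, so a null (the key set to `~` in YAML, or absent if no defaults file supplies it) or an empty string enables CSRF protection with a degenerate secret rather than staying off or failing loudly; the setting is also read twice. Unless sfForm is meant to derive a secret itself when handed null, I would read the value once and require a non-empty string: `$secret = sfConfig::get('sf_form_csrf_secret', false);` followed by `if (is_string($secret) && '' !== $secret) { sfForm::enableCSRFProtection($secret); }`. The enclosing method starts and ends outside the hunk.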
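--- a/branches/1.1/lib/form/sfForm.class.php
+++ b/branches/1.1/lib/form/sfForm.class.php
@@ -24,5 +24,5 @@
 {
   protected static
-    $CSRFProtection = true,
+    $CSRFProtection = false,
     $CSRFSecret     = null,
     $CSRFFieldName  = '_csrf_token';
@@ -513,4 +513,9 @@
   static public function enableCSRFProtection($secret = null)
   {
+    if (false === $secret)
+    {
+      return self::disableCSRFProtection();
+    }
+
     self::$CSRFProtection = true;
 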
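Review bot: `enableCSRFProtection()` now overloads its `$secret` parameter with three meanings — a string, boolean false (which the new lines 515-518 turn into a call to `disableCSRFProtection()`), and the null default — and neither the signature nor a docblock says so, which makes a method named "enable" that can disable easy to misuse from callers such as sfApplicationConfiguration. I would add a docblock declaring `@param string|false|null $secret` with a sentence stating that false disables protection and what null does; the code that handles null lies below the hunk, so I cannot quote it. The first hunk also flips the default of `$CSRFProtection` from true to false, which matches the commit message but means a form that previously got protection without any configuration now silently has none; that deserves a line in the class docblock. The method continues outside the hunk.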
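--- a/branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml
+++ b/branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml
@@ -41,4 +41,7 @@
 #    compressed:             off       # Enable PHP response compression. Set to on to compress the outgoing HTML via the PHP handler.
 #    check_lock:             off       # Enable the application lock system triggered by the clear-cache and disable tasks. Set to on to have all requests to disabled applications redirected to the $sf_symfony_data_dir/web/arrors/unavailable.php page.
+#
+#    # Form security secret (CSRF protection)
+#    form_csrf_secret:       false     # Unique secret to enable CSRF protection or false to disable
 #
 #    # Output escaping settings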
