If you have an action like this:
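    public function executeRegister()
    {
      if ($this->getRequest()->getMethod() != sfRequest::POST)
      {
        // GET request: display the form
        return sfView::SUCCESS;
      }
      //do something with the data
    }

    public function handleErrorRegister()
    {
      // validation failed: go back to the form
      return sfView::SUCCESS;
    }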
and a validator: register.yml
When you make a GET to myModule/register, it shows the form.
When you make a POST to myModule/register, validation works; if the data is not validated, it returns you to the first page.
When you make a GET to myModule/Register (note the capital R), it says it cannot find RegisterSuccess.php (normal, as the template is called registerSuccess.php).
When you make a POST to myModule/Register, the validator is ignored (because it does not exist with a capital R). No template has to be rendered, so there is no error regarding RegisterSuccess.php, and execution goes directly to the "//do something with the data" section with no validation at all.
This may lead to an attack on all applications using this kind of validation technique.
Modification to sfExecutionFilter.class.php at line 79:
The second parameter of checkConfig() must not be fixed to true or false, but must be configurable.
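
The mismatch described above, modelled in standalone PHP as an added example (not symfony code and not the change proposed here): the action method resolves whatever the case of the requested name, while the validator lookup needs an exact match. The class, the `$validators` array and both dispatch functions are hypothetical stand-ins; `dispatchStrict` shows one possible mitigation, rejecting any action name that does not match the declared method's spelling.

```php
<?php
// Constructed model, not symfony code. PHP resolves method names
// case-insensitively; the validator lookup is an exact-name match, standing
// in for validate/register.yml on a case-sensitive filesystem.
class RegisterActions
{
    public function executeRegister(array $post)
    {
        return 'processed:' . $post['email'];
    }
}

// Constructed stand-in for the module's validate/ directory.
$validators = [
    'register' => function (array $post) {
        return filter_var($post['email'], FILTER_VALIDATE_EMAIL) !== false;
    },
];

// Behaviour from the report: no validator found means no validation at all.
function dispatchLenient($actions, array $validators, $action, array $post)
{
    if (isset($validators[$action]) && !$validators[$action]($post)) {
        return 'validation-error';
    }
    return $actions->{'execute' . ucfirst($action)}($post);
}

// Hardened: accept only the action name exactly as the method declares it.
function dispatchStrict($actions, array $validators, $action, array $post)
{
    $method = 'execute' . ucfirst($action);
    if (!method_exists($actions, $method)) {
        return 'not-found';
    }
    // getName() returns the declared spelling, whatever case was requested.
    $declared = (new ReflectionMethod($actions, $method))->getName();
    if ($action !== lcfirst(substr($declared, strlen('execute')))) {
        return 'not-found';
    }
    return dispatchLenient($actions, $validators, $action, $post);
}

$bad = ['email' => 'not-an-email']; // constructed invalid input
foreach (['register', 'Register', 'REGISTER'] as $name) {
    printf("%-9s lenient=%-24s strict=%s\n", $name,
        dispatchLenient(new RegisterActions(), $validators, $name, $bad),
        dispatchStrict(new RegisterActions(), $validators, $name, $bad));
}
```

Run with the PHP command-line interpreter; each output row compares the two dispatchers for one spelling of the action name.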