即使传递 _csrf_token 也检测到 Symfony CSRF 攻击
这是我的表单:
<form novalidate action="<?php echo url_for('article/submit') ?>" method="POST">
<?php echo $form['title']->renderRow() ?>
<?php echo $form['content']->renderRow() ?>
<?php echo $form->renderHiddenFields() ?>
<input type="submit" value="Save"/>
</form>
查看生成的 HTML 源代码,_csrf_token 实际上正在呈现。这是我的操作:
public function executeSubmit(sfWebRequest $request)
{
$this->forward404Unless($request->isMethod('post'));
$request->checkCSRFProtection();
die('submitting post...');
}
错误:
_csrf_token [CSRF attack detected.]
即使在我的操作中,如果我执行 var_dump($_POST); die; 我明白了:
Array
(
[title] => string(8) "My title"
[content] => string(10) "My Content"
[_csrf_token] => string(32) "<my token here>"
)
所以 csrf 令牌肯定被正确渲染和传递。我做错了什么?
另外,是否有任何地方的 checkCSRFProtection() 文档? API 文档除了承认它的存在之外,没有提及任何相关内容。
Here is my form:
<form novalidate action="<?php echo url_for('article/submit') ?>" method="POST">
<?php echo $form['title']->renderRow() ?>
<?php echo $form['content']->renderRow() ?>
<?php echo $form->renderHiddenFields() ?>
<input type="submit" value="Save"/>
</form>
And looking at the generated HTML source, the _csrf_token IS in fact being rendered. Here is my action:
public function executeSubmit(sfWebRequest $request)
{
$this->forward404Unless($request->isMethod('post'));
$request->checkCSRFProtection();
die('submitting post...');
}
The error:
_csrf_token [CSRF attack detected.]
Even in my action if I do a var_dump($_POST); die; I get:
Array
(
[title] => string(8) "My title"
[content] => string(10) "My Content"
[_csrf_token] => string(32) "<my token here>"
)
So the csrf token is definitely being rendered and passed correctly. What am I doing wrong?
Also, is there any documentation for checkCSRFProtection() anywhere? The API doc's dont' say anything about it besides acknowledging it's existence.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
有几点需要检查:(
来源:来自 http ://oldforum.symfony-project.org/index.php/t/17867/)
确保您已在设置中定义了您的“秘密”:
另外,根据我从该表单帖子中收集的内容、CSRF保护检查在
$this->form->isValid()中自动完成,因此如果您已经在检查,则无需调用$request->checkCSRFProtection()如果表格有效。如果没有,请添加$this->form->isValid()。似乎
$request->checkCSRFProtection()不适用于表单;它的目的(如果我是正确的)是验证用户单击链接时所提供的请求。启用 CSRF 保护后,link_to()会自动为其生成的链接添加 CSRF 保护。因此,基本上,表单的 CSRF 保护与并非源自表单的请求的保护不同。有关更多详细信息,请参阅此票证:http://trac.symfony-project.org/ticket/7315< /a>
另一张可能感兴趣的票证:http://trac.symfony-project.org/ticket/5698
A few things to check:
(Source: From http://oldforum.symfony-project.org/index.php/t/17867/)
Be sure you have defined your "secret" in your settings:
Also, based on what I've gathered from that form post, CSRF protection checking is done automatically in
$this->form->isValid(), so your call to$request->checkCSRFProtection()is unnecessary if you are already checking if the form is valid. If not, add$this->form->isValid().It would also seem that
$request->checkCSRFProtection()doesn't work with forms; it's purpose (if I'm correct) is to validate requests served when a user clicks a link. When CSRF protection is enabled,link_to()automatically adds CSRF protection to the links it generates. So, basically, the CSRF protection for a form is different for that of a request that didn't originate from a form.See this ticket for more details: http://trac.symfony-project.org/ticket/7315
Another ticket that may be of interest: http://trac.symfony-project.org/ticket/5698