
Commit 0eea7e9

bug #25508 [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded (nicolas-grekas)
This PR was merged into the 3.4 branch. Discussion ---------- [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/recipes#262 | License | MIT | Doc PR | - By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf". Yes, that's a side effect, but I think that's a nice one for 3.4/4.0. Of course, we might do better in 4.1, but for bug fix only releases, LGTM. Commits ------- 9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
2 parents 3900e6c + a564728 commit 0eea7e9


2 files changed

+16
-3
lines changed


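--- a/DependencyInjection/Configuration.php
+++ b/DependencyInjection/Configuration.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Form\Form;
 use Symfony\Component\Lock\Lock;
 use Symfony\Component\Lock\Store\SemaphoreStore;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Translation\Translator;
 use Symfony\Component\Validator\Validation;
@@ -142,7 +143,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode)
         $rootNode
             ->children()
                 ->arrayNode('csrf_protection')
-                    ->canBeEnabled()
+                    ->treatFalseLike(array('enabled' => false))
+                    ->treatTrueLike(array('enabled' => true))
+                    ->treatNullLike(array('enabled' => true))
+                    ->addDefaultsIfNotSet()
+                    ->children()
+                        // defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+                        ->booleanNode('enabled')->defaultNull()->end()
+                    ->end()
                 ->end()
             ->end()
         ;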
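Review bot: The comment on the `enabled` node documents only the unset case, but the new node definition has two distinct "no value" paths that behave differently: an omitted `csrf_protection` key yields `enabled: null` and is auto-detected in FrameworkExtension, whereas an explicit `csrf_protection: ~` hits `treatNullLike(array('enabled' => true))` and turns CSRF on unconditionally, session or not. That split is easy to miss when reading the tree and deserves a second comment line, e.g. `// an explicit "csrf_protection: ~" (treatNullLike) forces enabled=true; only an omitted key is auto-detected`. The comment also restates an expression that lives in another file; it would age better as `// null = auto-detect in FrameworkExtension::load() (session enabled + security-csrf installed, non-FullStack)` so that the two files cannot drift apart silently. The `addCsrfSection` body ends inside the hunk, but its signature is on the hunk header line only.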

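--- a/DependencyInjection/FrameworkExtension.php
+++ b/DependencyInjection/FrameworkExtension.php
@@ -17,6 +17,7 @@
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader;
+use Symfony\Bundle\FullStack;
 use Symfony\Component\Cache\Adapter\AbstractAdapter;
 use Symfony\Component\Cache\Adapter\AdapterInterface;
 use Symfony\Component\Cache\Adapter\ArrayAdapter;
@@ -65,6 +66,7 @@
 use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader;
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory;
@@ -231,6 +233,11 @@ public function load(array $configs, ContainerBuilder $container)
             $this->registerRequestConfiguration($config['request'], $container, $loader);
         }
 
+        if (null === $config['csrf_protection']['enabled']) {
+            $config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
+        }
+        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+
         if ($this->isConfigEnabled($container, $config['form'])) {
             if (!class_exists('Symfony\Component\Form\Form')) {
                 throw new LogicException('Form support cannot be enabled as the Form component is not installed.');
@@ -251,8 +258,6 @@ public function load(array $configs, ContainerBuilder $container)
             $container->removeDefinition('console.command.form_debug');
         }
 
-        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
-
         if ($this->isConfigEnabled($container, $config['assets'])) {
             if (!class_exists('Symfony\Component\Asset\Package')) {
                 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');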
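Review bot: The auto-detect assignment at new line 237 decides a security default from three unrelated conditions on one line with no explanation, and it silently depends on `$this->sessionConfigEnabled` having already been set earlier in `load()` — that assignment is outside this hunk, so nothing here guarantees the ordering survives a later reshuffle. A short why-comment above the `if` would make both the intent and the ordering constraint explicit, e.g. `// Auto-enable CSRF only when sessions are on (set above) and symfony/security-csrf is installed; presumably skipped under FullStack so symfony/symfony installs keep their previous default — confirm`. It is also worth stating, either here or on `registerSecurityCsrfConfiguration`, what happens when a user explicitly sets `csrf_protection: true` while sessions are disabled, since this hunk now forwards that combination unchanged and the rejection (if any) lives elsewhere. `load()` starts and ends outside the hunk.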
