
Commit d848b8c

Merge branch '5.3' into 5.4
* 5.3: Enable CSRF in FORM by default
2 parents 11b0d38 + fef224d commit d848b8c


5 files changed

+108
-59
lines changed


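--- a/DependencyInjection/FrameworkExtension.php
+++ b/DependencyInjection/FrameworkExtension.php
@@ -345,26 +345,6 @@ public function load(array $configs, ContainerBuilder $container)
 $this->registerRequestConfiguration($config['request'], $container, $loader);
 }
 
-if ($this->isConfigEnabled($container, $config['form'])) {
-if (!class_exists(Form::class)) {
-throw new LogicException('Form support cannot be enabled as the Form component is not installed. Try running "composer require symfony/form".');
-}
-
-$this->formConfigEnabled = true;
-$this->registerFormConfiguration($config, $container, $loader);
-
-if (ContainerBuilder::willBeAvailable('symfony/validator', Validation::class, ['symfony/framework-bundle', 'symfony/form'], true)) {
-$config['validation']['enabled'] = true;
-} else {
-$container->setParameter('validator.translation_domain', 'validators');
-
-$container->removeDefinition('form.type_extension.form.validator');
-$container->removeDefinition('form.type_guesser.validator');
-}
-} else {
-$container->removeDefinition('console.command.form_debug');
-}
-
 if ($this->isConfigEnabled($container, $config['assets'])) {
 if (!class_exists(\Symfony\Component\Asset\Package::class)) {
 throw new LogicException('Asset support cannot be enabled as the Asset component is not installed. Try running "composer require symfony/asset".');
@@ -373,39 +353,6 @@ public function load(array $configs, ContainerBuilder $container)
 $this->registerAssetsConfiguration($config['assets'], $container, $loader);
 }
 
-if ($this->messengerConfigEnabled = $this->isConfigEnabled($container, $config['messenger'])) {
-$this->registerMessengerConfiguration($config['messenger'], $container, $loader, $config['validation']);
-} else {
-$container->removeDefinition('console.command.messenger_consume_messages');
-$container->removeDefinition('console.command.messenger_debug');
-$container->removeDefinition('console.command.messenger_stop_workers');
-$container->removeDefinition('console.command.messenger_setup_transports');
-$container->removeDefinition('console.command.messenger_failed_messages_retry');
-$container->removeDefinition('console.command.messenger_failed_messages_show');
-$container->removeDefinition('console.command.messenger_failed_messages_remove');
-$container->removeDefinition('cache.messenger.restart_workers_signal');
-
-if ($container->hasDefinition('messenger.transport.amqp.factory') && !class_exists(AmqpTransportFactory::class)) {
-if (class_exists(\Symfony\Component\Messenger\Transport\AmqpExt\AmqpTransportFactory::class)) {
-$container->getDefinition('messenger.transport.amqp.factory')
-->setClass(\Symfony\Component\Messenger\Transport\AmqpExt\AmqpTransportFactory::class)
-->addTag('messenger.transport_factory');
-} else {
-$container->removeDefinition('messenger.transport.amqp.factory');
-}
-}
-
-if ($container->hasDefinition('messenger.transport.redis.factory') && !class_exists(RedisTransportFactory::class)) {
-if (class_exists(\Symfony\Component\Messenger\Transport\RedisExt\RedisTransportFactory::class)) {
-$container->getDefinition('messenger.transport.redis.factory')
-->setClass(\Symfony\Component\Messenger\Transport\RedisExt\RedisTransportFactory::class)
-->addTag('messenger.transport_factory');
-} else {
-$container->removeDefinition('messenger.transport.redis.factory');
-}
-}
-}
-
 if ($this->httpClientConfigEnabled = $this->isConfigEnabled($container, $config['http_client'])) {
 $this->registerHttpClientConfiguration($config['http_client'], $container, $loader, $config['profiler']);
 }
@@ -414,18 +361,12 @@ public function load(array $configs, ContainerBuilder $container)
 $this->registerMailerConfiguration($config['mailer'], $container, $loader);
 }
 
-if ($this->notifierConfigEnabled = $this->isConfigEnabled($container, $config['notifier'])) {
-$this->registerNotifierConfiguration($config['notifier'], $container, $loader);
-}
-
 $propertyInfoEnabled = $this->isConfigEnabled($container, $config['property_info']);
-$this->registerValidationConfiguration($config['validation'], $container, $loader, $propertyInfoEnabled);
 $this->registerHttpCacheConfiguration($config['http_cache'], $container, $config['http_method_override']);
 $this->registerEsiConfiguration($config['esi'], $container, $loader);
 $this->registerSsiConfiguration($config['ssi'], $container, $loader);
 $this->registerFragmentsConfiguration($config['fragments'], $container, $loader);
 $this->registerTranslatorConfiguration($config['translator'], $container, $loader, $config['default_locale'], $config['enabled_locales']);
-$this->registerProfilerConfiguration($config['profiler'], $container, $loader);
 $this->registerWorkflowConfiguration($config['workflows'], $container, $loader);
 $this->registerDebugConfiguration($config['php_errors'], $container, $loader);
 // @deprecated since Symfony 5.4, in 6.0 change to:
@@ -502,6 +443,72 @@ public function load(array $configs, ContainerBuilder $container)
 }
 $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
 
+// form depends on csrf being registered
+if ($this->isConfigEnabled($container, $config['form'])) {
+if (!class_exists(Form::class)) {
+throw new LogicException('Form support cannot be enabled as the Form component is not installed. Try running "composer require symfony/form".');
+}
+
+$this->formConfigEnabled = true;
+$this->registerFormConfiguration($config, $container, $loader);
+
+if (ContainerBuilder::willBeAvailable('symfony/validator', Validation::class, ['symfony/framework-bundle', 'symfony/form'], true)) {
+$config['validation']['enabled'] = true;
+} else {
+$container->setParameter('validator.translation_domain', 'validators');
+
+$container->removeDefinition('form.type_extension.form.validator');
+$container->removeDefinition('form.type_guesser.validator');
+}
+} else {
+$container->removeDefinition('console.command.form_debug');
+}
+
+// validation depends on form, annotations being registered
+$this->registerValidationConfiguration($config['validation'], $container, $loader, $propertyInfoEnabled);
+
+// messenger depends on validation being registered
+if ($this->messengerConfigEnabled = $this->isConfigEnabled($container, $config['messenger'])) {
+$this->registerMessengerConfiguration($config['messenger'], $container, $loader, $config['validation']);
+} else {
+$container->removeDefinition('console.command.messenger_consume_messages');
+$container->removeDefinition('console.command.messenger_debug');
+$container->removeDefinition('console.command.messenger_stop_workers');
+$container->removeDefinition('console.command.messenger_setup_transports');
+$container->removeDefinition('console.command.messenger_failed_messages_retry');
+$container->removeDefinition('console.command.messenger_failed_messages_show');
+$container->removeDefinition('console.command.messenger_failed_messages_remove');
+$container->removeDefinition('cache.messenger.restart_workers_signal');
+
+if ($container->hasDefinition('messenger.transport.amqp.factory') && !class_exists(AmqpTransportFactory::class)) {
+if (class_exists(\Symfony\Component\Messenger\Transport\AmqpExt\AmqpTransportFactory::class)) {
+$container->getDefinition('messenger.transport.amqp.factory')
+->setClass(\Symfony\Component\Messenger\Transport\AmqpExt\AmqpTransportFactory::class)
+->addTag('messenger.transport_factory');
+} else {
+$container->removeDefinition('messenger.transport.amqp.factory');
+}
+}
+
+if ($container->hasDefinition('messenger.transport.redis.factory') && !class_exists(RedisTransportFactory::class)) {
+if (class_exists(\Symfony\Component\Messenger\Transport\RedisExt\RedisTransportFactory::class)) {
+$container->getDefinition('messenger.transport.redis.factory')
+->setClass(\Symfony\Component\Messenger\Transport\RedisExt\RedisTransportFactory::class)
+->addTag('messenger.transport_factory');
+} else {
+$container->removeDefinition('messenger.transport.redis.factory');
+}
+}
+}
+
+// notifier depends on messenger, mailer being registered
+if ($this->notifierConfigEnabled = $this->isConfigEnabled($container, $config['notifier'])) {
+$this->registerNotifierConfiguration($config['notifier'], $container, $loader);
+}
+
+// profiler depends on form, validation, translation, messenger, mailer, http-client, notifier being registered
+$this->registerProfilerConfiguration($config['profiler'], $container, $loader);
+
 $this->addAnnotatedClassesToCompile([
 '**\\Controller\\',
 '**\\Entity\\',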
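Review bot: The ordering this merge relies on in `load()` is carried only by the one-line comments at new lines 446, 467, 470, 504 and 509, and they name each dependency without saying what state is read. For the form block that matters most: if it is moved back above `registerSecurityCsrfConfiguration()` nothing fails at build time, and the likely result (inferred from the commit title, since `registerFormConfiguration()` is outside the hunk) is that form CSRF protection is no longer on by default. I would expand the first comment to something like `// must stay after registerSecurityCsrfConfiguration(): the form CSRF default is taken from the resolved csrf_protection config`, and note next to `$config['validation']['enabled'] = true;` that this write is why `registerValidationConfiguration()` has to follow. `load()` begins and ends outside the visible hunks.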
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
<?php
2+
3+
$container->loadFromExtension('framework', [
4+
'form' => [
5+
'legacy_error_messages' => false,
6+
],
7+
'session' => [
8+
'storage_factory_id' => 'session.storage.factory.native',
9+
'handler_id' => null,
10+
],
11+
]);
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
<?xml version="1.0" ?>
2+
3+
<container xmlns="http://symfony.com/schema/dic/services"
4+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5+
xmlns:framework="http://symfony.com/schema/dic/symfony"
6+
xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd
7+
http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
8+
9+
<framework:config>
10+
<framework:form enabled="true" legacy-error-messages="false" />
11+
<framework:session storage-factory-id="session.storage.factory.native" handler-id="null"/>
12+
</framework:config>
13+
</container>
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
framework:
2+
form:
3+
legacy_error_messages: false
4+
session:
5+
storage_factory_id: session.storage.factory.native
6+
handler_id: null

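--- a/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -158,6 +158,18 @@ public function testCsrfProtectionForFormsEnablesCsrfProtectionAutomatically()
 $this->assertTrue($container->hasDefinition('security.csrf.token_manager'));
 }
 
+public function testFormsCsrfIsEnabledByDefault()
+{
+if (class_exists(FullStack::class)) {
+$this->markTestSkipped('testing with the FullStack prevents verifying default values');
+}
+$container = $this->createContainerFromFile('form_default_csrf');
+
+$this->assertTrue($container->hasDefinition('security.csrf.token_manager'));
+$this->assertTrue($container->hasParameter('form.type_extension.csrf.enabled'));
+$this->assertTrue($container->getParameter('form.type_extension.csrf.enabled'));
+}
+
 public function testHttpMethodOverride()
 {
 $container = $this->createContainerFromFile('full');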
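Review bot: `testFormsCsrfIsEnabledByDefault()` is the only visible guard for the new default, and it is skipped whenever `FullStack` is loadable, so a full-stack checkout never exercises it. The skip message says why defaults cannot be verified there, but the test carries no statement of what it protects; a docblock such as `/** Guards the registration order in FrameworkExtension::load(): form must be configured after CSRF so form CSRF protection defaults to enabled. */` would tell a maintainer not to delete or loosen it. It would also help to confirm that at least one CI job runs without FullStack, which cannot be seen from this page.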
