From 9e8231ff0b85b42a9f57fcf6d4f488a0535deedd Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Fri, 15 Dec 2017 06:43:42 +0100 Subject: [PATCH] [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded --- .../DependencyInjection/Configuration.php | 10 +++++++++- .../DependencyInjection/FrameworkExtension.php | 9 +++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php index d5030fc9fe7c..9430c8775dd8 100644 --- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php +++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php @@ -21,6 +21,7 @@ use Symfony\Component\Form\Form; use Symfony\Component\Lock\Lock; use Symfony\Component\Lock\Store\SemaphoreStore; +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; use Symfony\Component\Serializer\Serializer; use Symfony\Component\Translation\Translator; use Symfony\Component\Validator\Validation; @@ -142,7 +143,14 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode) $rootNode ->children() ->arrayNode('csrf_protection') - ->canBeEnabled() + ->treatFalseLike(array('enabled' => false)) + ->treatTrueLike(array('enabled' => true)) + ->treatNullLike(array('enabled' => true)) + ->addDefaultsIfNotSet() + ->children() + // defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class) + ->booleanNode('enabled')->defaultNull()->end() + ->end() ->end() ->end() ; diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php index 6f972ceaf466..ac0aa7e70392 100644 --- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php +++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php @@ -17,6 +17,7 @@ use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Bundle\FrameworkBundle\Controller\Controller; use Symfony\Bundle\FrameworkBundle\Routing\AnnotatedRouteControllerLoader; +use Symfony\Bundle\FullStack; use Symfony\Component\Cache\Adapter\AbstractAdapter; use Symfony\Component\Cache\Adapter\AdapterInterface; use Symfony\Component\Cache\Adapter\ArrayAdapter; @@ -63,6 +64,7 @@ use Symfony\Component\Routing\Loader\AnnotationDirectoryLoader; use Symfony\Component\Routing\Loader\AnnotationFileLoader; use Symfony\Component\Security\Core\Security; +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; use Symfony\Component\Serializer\Encoder\DecoderInterface; use Symfony\Component\Serializer\Encoder\EncoderInterface; use Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory; @@ -229,6 +231,11 @@ public function load(array $configs, ContainerBuilder $container) $this->registerRequestConfiguration($config['request'], $container, $loader); } + if (null === $config['csrf_protection']['enabled']) { + $config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class); + } + $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader); + if ($this->isConfigEnabled($container, $config['form'])) { if (!class_exists('Symfony\Component\Form\Form')) { throw new LogicException('Form support cannot be enabled as the Form component is not installed.'); @@ -249,8 +256,6 @@ public function load(array $configs, ContainerBuilder $container) $container->removeDefinition('console.command.form_debug'); } - $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader); - if ($this->isConfigEnabled($container, $config['assets'])) { if (!class_exists('Symfony\Component\Asset\Package')) { throw new LogicException('Asset support cannot be enabled as the Asset component is not installed.');