tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2835 from kinglozzer/1891-csrf-friendly-error

Browse Source 
NEW: Forms with invalid/expired SecurityIDs are repopulated (fixes #1891)
This commit is contained in:
Ingo Schommer 2014-02-12 09:44:03 +13:00
commit 5e38ef9e55
2 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
forms/Form.php
View File

@ -277,10 +277,20 @@ class Form extends RequestHandler {
// Protection against CSRF attacks
$token = $this->getSecurityToken();
if(!$token->checkRequest($request)) {
$this->httpError(400, _t("Form.CSRF_FAILED_MESSAGE",
"There seems to have been a technical problem. Please click the back button,"
. " refresh your browser, and try again."));
if( ! $token->checkRequest($request)) {
if (empty($vars['SecurityID'])) {
$this->httpError(400, _t("Form.CSRF_FAILED_MESSAGE",
"There seems to have been a technical problem. Please click the back button,
refresh your browser, and try again."));
} else {
Session::set("FormInfo.{$this->FormName()}.data", $this->getData());
Session::set("FormInfo.{$this->FormName()}.errors", array());
$this->sessionMessage(
_t("Form.CSRF_EXPIRED_MESSAGE", "Your session has expired. Please re-submit the form."),
"warning"
);
return $this->controller->redirectBack();
}
}
// Determine the action button clicked

15
tests/forms/FormTest.php
View File

@ -312,6 +312,21 @@ class FormTest extends FunctionalTest {
);
$this->assertEquals(400, $response->getStatusCode(), 'Submission fails without security token');
$response = $this->get('FormTest_ControllerWithSecurityToken');
$response = $this->post(
'FormTest_ControllerWithSecurityToken/Form',
array(
'Email' => 'test@test.com',
'action_doSubmit' => 1,
'SecurityID' => -1
)
);
$this->assertEquals(200, $response->getStatusCode(), 'Submission reloads form if security token invalid');
$matched = $this->cssParser()->getBySelector('#Form_Form_Email');
$attrs = $matched[0]->attributes();
$this->assertEquals('test@test.com', (string)$attrs['value'], 'Submitted data is preserved');
$response = $this->get('FormTest_ControllerWithSecurityToken');
$tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
$this->assertEquals(