#941 - Security flaw: SS prone to CSRF attack
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@43901 467b73ca-7a2a-4603-9d3b-597d59a354a9
parent
f807c9f8ca
commit
808d6875cb
@ -157,7 +157,7 @@ class Controller extends ViewableData {
|
||||
}
|
||||
|
||||
// Protection against CSRF attacks
|
||||
if($form->securityEnabled()) {
|
||||
if($form->securityTokenEnabled()) {
|
||||
$securityID = Session::get('SecurityID');
|
||||
|
||||
if(!$securityID || !isset($this->requestParams['SecurityID']) || $securityID != $this->requestParams['SecurityID']) {
|
||||
|
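Review bot: The token comparison on the last line of this hunk, `$securityID != $this->requestParams['SecurityID']`, is a loose comparison, so two numeric-looking strings that differ textually (for example `"100"` and `"1e2"`, or a value with leading zeros) are treated as the same token; change it to `$securityID !== $this->requestParams['SecurityID']` and make sure both sides are compared as strings. The `!$securityID` guard in front of it also short-circuits on a falsy token such as `0` or `"0"`, which would reject every submission for that session rather than compare. The enclosing Controller method starts before and ends after this hunk, so the rejection path for a failed check is not visible here.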
@ -174,7 +174,7 @@ class Form extends ViewableData {
|
||||
* @return FieldSet The form fields
|
||||
*/
|
||||
function Fields() {
|
||||
if($this->securityEnabled()) {
|
||||
if($this->securityTokenEnabled()) {
|
||||
if(Session::get('SecurityID')) {
|
||||
$securityID = Session::get('SecurityID');
|
||||
} else {
|
||||
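Review bot: `if(Session::get('SecurityID'))` tests truthiness, so a stored token equal to `0` or `"0"` is treated as absent and the else branch runs instead; if that branch issues a fresh token (it lies outside this hunk, so I cannot confirm), any form already rendered with the old value will then fail the Controller's check. Testing for presence explicitly, `if(Session::get('SecurityID') !== null)` (assuming `Session::get` returns null for a missing key), avoids the corner case and also makes the second `Session::get` call unnecessary. Fields() continues past the end of this hunk.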
@ -686,7 +686,7 @@ class Form extends ViewableData {
|
||||
* against CSRF attacks, but you should disable this if you don't want to tie
|
||||
* a form to a session - eg a search form.
|
||||
*/
|
||||
function disableSecurity() {
|
||||
function disableSecurityToken() {
|
||||
$this->security = false;
|
||||
}
|
||||
|
||||
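Review bot: Renaming the public method `disableSecurity()` to `disableSecurityToken()` with no fallback is a breaking API change: any Form subclass or module outside this commit that still calls `disableSecurity()` will now fail with an undefined-method error. A deprecated alias keeps existing code running while the rename propagates: `/** @deprecated use disableSecurityToken() */ function disableSecurity() { $this->disableSecurityToken(); }`. The docblock above is also the place to state plainly that a form without the token accepts cross-site POSTs, so the method should only be used on forms with no side effects. The docblock's opening lines are outside this hunk.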
@ -696,7 +696,7 @@ class Form extends ViewableData {
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
function securityEnabled() {
|
||||
function securityTokenEnabled() {
|
||||
return $this->security;
|
||||
}
|
||||
|
||||
|
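Review bot: `securityEnabled()` is renamed to `securityTokenEnabled()` without a compatibility shim; the Controller caller in this commit was updated, but any template, module or subclass outside it that queried `securityEnabled()` will now break. Keep `function securityEnabled() { return $this->securityTokenEnabled(); }` tagged `@deprecated` for one release so the rename is non-breaking. The method's description text precedes this hunk.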
@ -36,6 +36,8 @@ class SearchForm extends Form {
|
||||
$fields->push(new HiddenField("executeForm", null, $name));
|
||||
|
||||
parent::__construct($controller, $name, $fields, $actions);
|
||||
|
||||
$this->disableSecurityToken();
|
||||
}
|
||||
|
||||
function FormMethod() {
|
||||
|
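Review bot: `$this->disableSecurityToken()` is added to the SearchForm constructor without a comment saying why this form may skip CSRF protection; the rationale only lives in Form's docblock elsewhere, which a later maintainer editing this class will not see. Add `// Search has no side effects and must work without a session (e.g. links from other sites), so no CSRF token is required` above the call — assuming the overridden FormMethod() below, whose body is outside this hunk, makes this a GET form; if a search submission can ever change state, the token should stay on.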
@ -17,35 +17,35 @@
|
||||
* @author Markus Lanthaler <markus@silverstripe.com>
|
||||
*/
|
||||
abstract class LoginForm extends Form {
|
||||
function __construct($controller, $name, $fields, $actions) {
|
||||
parent::__construct($controller, $name, $fields, $actions);
|
||||
|
||||
$this->disableSecurityToken();
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticator class to use with this login form
|
||||
*
|
||||
* Set this variable to the authenticator class to use with this login
|
||||
* form.
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
protected $authenticator_class;
|
||||
/**
|
||||
* Authenticator class to use with this login form
|
||||
*
|
||||
* Set this variable to the authenticator class to use with this login
|
||||
* form.
|
||||
* @var string
|
||||
*/
|
||||
|
||||
protected $authenticator_class;
|
||||
|
||||
|
||||
/**
|
||||
* Get the authenticator class
|
||||
*
|
||||
* @return Authenticator Returns the authenticator class for this login
|
||||
* form.
|
||||
*/
|
||||
public function getAuthenticator() {
|
||||
if(!class_exists($this->authenticator_class) ||
|
||||
!is_subclass_of($this->authenticator_class, 'Authenticator')) {
|
||||
user_error('The form uses an invalid authenticator class!',
|
||||
E_USER_ERROR);
|
||||
return;
|
||||
}
|
||||
|
||||
return new $this->authenticator_class;
|
||||
}
|
||||
/**
|
||||
* Get the authenticator class
|
||||
* @return Authenticator Returns the authenticator class for this login form.
|
||||
*/
|
||||
|
||||
public function getAuthenticator() {
|
||||
if(!class_exists($this->authenticator_class) || !is_subclass_of($this->authenticator_class, 'Authenticator')) {
|
||||
user_error('The form uses an invalid authenticator class!', E_USER_ERROR);
|
||||
return;
|
||||
}
|
||||
|
||||
return new $this->authenticator_class;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
?>
|
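Review bot: Disabling the CSRF token in LoginForm's constructor (`$this->disableSecurityToken()`) removes protection against login CSRF, where an attacker submits their own credentials through the victim's browser so the victim is silently logged into the attacker's account and later activity lands there. If the token is dropped because a visitor may have no session before reaching the login page, that reasoning should be written on the call, e.g. `// No SecurityID check: login must be reachable without an existing session; NOTE this leaves login CSRF unmitigated`, or alternatively the token could be issued when the form is rendered and checked on submit like any other form. The rest of this hunk appears to be a reformatting of the docblocks and getAuthenticator(), with old and new text both shown, and does not change behaviour.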