#941 - Security flaw: SS prone to CSRF attack

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@43901 467b73ca-7a2a-4603-9d3b-597d59a354a9

core/control/Controller.php

@@ -157,7 +157,7 @@ class Controller extends ViewableData {
 			}
 			
 			// Protection against CSRF attacks
-			if($form->securityEnabled()) {
+			if($form->securityTokenEnabled()) {
 				$securityID = Session::get('SecurityID');
 
 				if(!$securityID || !isset($this->requestParams['SecurityID']) || $securityID != $this->requestParams['SecurityID']) {

forms/Form.php

@@ -174,7 +174,7 @@ class Form extends ViewableData {
 	 * @return FieldSet The form fields
 	 */
 	function Fields() {
-		if($this->securityEnabled()) {
+		if($this->securityTokenEnabled()) {
 			if(Session::get('SecurityID')) {
 				$securityID = Session::get('SecurityID');
 			} else {
@@ -686,7 +686,7 @@ class Form extends ViewableData {
 	 * against CSRF attacks, but you should disable this if you don't want to tie 
 	 * a form to a session - eg a search form.
 	 */
-	function disableSecurity() {
+	function disableSecurityToken() {
 		$this->security = false;
 	}
 	
@@ -696,7 +696,7 @@ class Form extends ViewableData {
 	 *
 	 * @return bool
 	 */
-	function securityEnabled() {
+	function securityTokenEnabled() {
 		return $this->security;
 	}
 

search/SearchForm.php

@@ -36,6 +36,8 @@ class SearchForm extends Form {
 		$fields->push(new HiddenField("executeForm", null, $name));
 		
 		parent::__construct($controller, $name, $fields, $actions);
+		
+		$this->disableSecurityToken();
 	}
 	
 	function FormMethod() {

security/LoginForm.php

@@ -17,35 +17,35 @@
  * @author Markus Lanthaler <markus@silverstripe.com>
  */
 abstract class LoginForm extends Form {
+	function __construct($controller, $name, $fields, $actions) {
+		parent::__construct($controller, $name, $fields, $actions);
+		
+		$this->disableSecurityToken();	
+	}
 
-  /**
+	/**
-   * Authenticator class to use with this login form
+	 * Authenticator class to use with this login form
-   *
+	 * 
-   * Set this variable to the authenticator class to use with this login
+	 * Set this variable to the authenticator class to use with this login
-   * form.
+	 * form.
-   *
+	 * @var string
-   * @var string
+	 */
-   */
+	
-  protected $authenticator_class;
+	protected $authenticator_class;
 
-
+	/**
-  /**
+	 * Get the authenticator class
-   * Get the authenticator class
+	 * @return Authenticator Returns the authenticator class for this login form.
-   *
+	 */
-   * @return Authenticator Returns the authenticator class for this login
+	
-   *                       form.
+	public function getAuthenticator() {
-   */
+		if(!class_exists($this->authenticator_class) || !is_subclass_of($this->authenticator_class, 'Authenticator')) {
-  public function getAuthenticator() {
+			user_error('The form uses an invalid authenticator class!', E_USER_ERROR);
-    if(!class_exists($this->authenticator_class) ||
+			return;
-       !is_subclass_of($this->authenticator_class, 'Authenticator')) {
+		}
-      user_error('The form uses an invalid authenticator class!',
+		
-                 E_USER_ERROR);
+		return new $this->authenticator_class;
-      return;
+	}
-    }
-
-    return new $this->authenticator_class;
-  }
 }
 
-
 ?>