tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #6998 from AntonyThorpe/StrictFormMethodCheck

Browse Source 
Updated Form.php & 04_Form_Security.md  - strictFormMethodCheck to true
This commit is contained in:
Damian Mooyman 2017-06-06 23:06:11 +12:00 committed by GitHub
commit 8c0ced311f
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md
View File

@ -47,18 +47,18 @@ application up to `CSRF` security holes.
## Strict Form Submission ## Strict Form Submission
Forms should be limited to the intended HTTP verb (mostly `GET` or `POST`) to further reduce attack exposure. Without To reduce attack exposure forms are limited, by default, to the intended HTTP verb (mostly `GET` or `POST`). Without
this check, forms that rely on `GET` can be submitted via `POST` or `PUT` or vice-versa potentially leading to this check, forms that rely on `GET` can be submitted via `POST` or `PUT` or vice-versa potentially leading to
application errors or edge cases. application errors or edge cases. If you need to disable this setting follow the below example:
:::php :::php
$form = new Form(..); $form = new Form(..);
$form->setFormMethod('POST'); $form->setFormMethod('POST');
$form->setStrictFormMethodCheck(true); $form->setStrictFormMethodCheck(false);
// or alternative short notation.. // or alternative short notation..
$form->setFormMethod('POST', true); $form->setFormMethod('POST', false);
## Spam and Bot Attacks ## Spam and Bot Attacks

6
src/Forms/Form.php
View File

@ -128,7 +128,7 @@ class Form extends ViewableData implements HasRequestHandler
/** /**
* @var boolean * @var boolean
*/ */
protected $strictFormMethodCheck = false; protected $strictFormMethodCheck = true;
/** /**
* Populated by {@link loadDataFrom()}. * Populated by {@link loadDataFrom()}.
@ -1036,13 +1036,13 @@ class Form extends ViewableData implements HasRequestHandler
} }
/** /**
* If set to true, enforce the matching of the form method. * If set to true (the default), enforces the matching of the form method.
* *
* This will mean two things: * This will mean two things:
* - GET vars will be ignored by a POST form, and vice versa * - GET vars will be ignored by a POST form, and vice versa
* - A submission where the HTTP method used doesn't match the form will return a 400 error. * - A submission where the HTTP method used doesn't match the form will return a 400 error.
* *
* If set to false (the default), then the form method is only used to construct the default * If set to false then the form method is only used to construct the default
* form. * form.
* *
* @param $bool boolean * @param $bool boolean