Details
- Improvement
- Resolution: Fixed
- High
- 5.0, 5.1, 5.2, 5.3
- Castor Core S1, Castor Core S2
Description
People attempting to use Symfony forms run into a lot of issues with ezformtoken.
Current workarounds are either to manually add the legacy formtoken to the form in addition to the one already added by the Symfony forms code, or to disable it completely for the frontend (combined with disallowing frontend login to avoid attacks there) and only enable it for the backend.
The reason for the issue is, in most cases:
- the Symfony CSRF intention property for the legacy kernel (ezformtoken) is "legacy"
- while for REST and Symfony forms it is (and for best practice should be) something else
It is impossible to detect this securely from the legacy side alone.
However, if all code calling legacy for low-level legacy callbacks had a way to pass a feature flag disabling formtoken for the length of the callback, this would in theory solve most of the issues and remove the need for workarounds.
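As an added illustration (not eZ Publish or Symfony code), a toy model of intention-scoped CSRF tokens: it shows why a check bound to the "legacy" intention rejects a Symfony form token minted for another intention, and how a flag scoped to the length of the callback, as proposed above, lets the call through without leaving the check disabled afterwards. The secret, session id and form intention name are constructed values.

```python
import hashlib
import hmac
from contextlib import contextmanager


class IntentionScopedCsrf:
    """Toy model of intention-scoped CSRF tokens (constructed; not eZ or Symfony code).
    A token only validates for the intention it was minted for, so a Symfony form
    token (intention != "legacy") fails an ezformtoken-style check for "legacy"."""

    def __init__(self, secret: bytes, session_id: str):
        self._secret = secret
        self._session_id = session_id
        self.legacy_check_enabled = True  # models the proposed per-callback feature flag

    def token(self, intention: str) -> str:
        msg = f"{intention}|{self._session_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def is_valid(self, intention: str, token: str) -> bool:
        return hmac.compare_digest(self.token(intention), token)

    def legacy_accepts(self, token: str) -> bool:
        """The legacy kernel check: requires intention "legacy" unless disabled for this callback."""
        if not self.legacy_check_enabled:
            return True
        return self.is_valid("legacy", token)

    @contextmanager
    def legacy_callback(self):
        """Disable the legacy check only for the length of the callback and restore it
        afterwards, even if the callback raises; only the Symfony side that has already
        validated its own token should open this scope."""
        previous = self.legacy_check_enabled
        self.legacy_check_enabled = False
        try:
            yield
        finally:
            self.legacy_check_enabled = previous


def run_scenario() -> dict:
    """Reproduce the reported mismatch and the proposed fix; returns the check outcomes."""
    csrf = IntentionScopedCsrf(b"constructed-secret", session_id="sess-1")
    form_token = csrf.token("my_symfony_form")  # constructed Symfony form intention
    outcome = {"symfony_check": csrf.is_valid("my_symfony_form", form_token)}
    outcome["legacy_check_without_flag"] = csrf.legacy_accepts(form_token)  # the reported failure
    with csrf.legacy_callback():
        outcome["legacy_check_inside_callback"] = csrf.legacy_accepts(form_token)
    outcome["legacy_check_after_callback"] = csrf.legacy_accepts(form_token)
    return outcome
```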
Forum posts:
- http://share.ez.no/forums/ez-publish-5-platform/missing-form-token
- http://share.ez.no/forums/ez-publish-5-platform/missing-form-token-still-there
- http://share.ez.no/forums/ez-publish-5-platform/ez-5.3-problem-exception-token-ajax-on-delete-node
- http://share.ez.no/forums/ez-publish-5-platform/missing-form-token-from-request
Attachments
Issue Links
- relates to: EZP-23295 Formtoken exception when copying subtree (Closed)