如何检查Symfony2中提供的CSRF令牌是否无效? [英] How can I check whether the supplied CSRF token is invalid in Symfony2?
问题描述
我创建了一个Symfony2表单并将其绑定到请求。在继续处理表单的其余部分之前,我需要明确确保CSRF令牌是否有效。
I have created a Symfony2 form and bound it to the Request. I need to explicitly ensure whether the CSRF token is valid/invalid before proceeding with the rest of the form.
$ form ['_ token'] -> isValid()抛出 OutOfBoundsException 并显示消息 Child _token不存在。
$form['_token']->isValid() throws OutOfBoundsException with message "Child _token does not exist."
我仍然可以验证呈现的表单是否包含 _token 字段。如果CSRF值无效,则 $ form-> isValid()返回false。
I can still verify that the rendered form contains _token field. In case that CSRF value is invalid, $form->isValid() returns false.
我是什么
更新1:
控制器(部分) ):
private function buildTestForm() {
$form = $this->createFormBuilder()
->add('name','text')
->getForm();
return $form;
}
/**
* @Route("/test/show_form", name="test.form.show")
* @Method("GET")
*/
public function showFormTest()
{
$form = $this->buildTestForm();
return $this->render('TestBundle::form_test.html.twig', array('form' => $form->createView()));
}
/**
* @Route("/test/submit_form", name="test.form.submit")
* @Method("POST")
*/
public function formTest()
{
$form = $this->buildTestForm();
$form->bind($this->getRequest());
if ($form['_token']->isValid()) {
return new Response('_token is valid');
} else {
return new Response('_token is invalid');
}
}
模板
{# Twig template #}
<form action="{{ path('test.form.submit') }}" method="post" {{ form_enctype(form) }}>
{{ form_widget(form) }}
<input type="submit" name="go" value="Test Form" />
</form>
推荐答案
没有书面方法可以手动检查csrf令牌。 Symfony自动验证此令牌的存在和准确性。 http://symfony.com/doc/current/book/forms。 html#csrf-protection
There is no documented way to check csrf token manually. Symfony automatically validates the presence and accuracy of this token. http://symfony.com/doc/current/book/forms.html#csrf-protection
但是有一个csrf提供程序:
However there is a csrf provider:
http://api.symfony.com/2.0/Symfony/组件/表单/扩展名/Csrf/CsrfProvider/SessionCsrfProvider.html
和
http://api.symfony.com/master/ Symfony /组件/表格/扩展名/Csrf/CsrfProvider/DefaultCsrfProvider.html
标记能够提供CSRF保护的类使用generateCsrfToken()方法生成CSRF
令牌。对于此方法,您
应该传递一个唯一的值,该值应保护
免受CSRF攻击。此值不必一定是
的秘密。此接口的实现负责添加
更多的秘密信息。
Marks classes able to provide CSRF protection You can generate a CSRF token by using the method generateCsrfToken(). To this method you should pass a value that is unique to the page that should be secured against CSRF attacks. This value doesn't necessarily have to be secret. Implementations of this interface are responsible for adding more secret information.
如果您想保护表单提交免受CSRF攻击,则
可以提供一个意图字符串。这样,您可以确保
表单只能绑定到设计用于处理该表单的页面,即
,即使用相同的意图字符串通过isCsrfTokenValid验证CSRF令牌
的页面()。
If you want to secure a form submission against CSRF attacks, you could supply an "intention" string. This way you make sure that the form can only be bound to pages that are designed to handle the form, that is, that use the same intention string to validate the CSRF token with isCsrfTokenValid().
您可以像这样检索提供程序
You can retrieve the provider like this
$csrf = $this->get('form.csrf_provider');
然后可以使用
public Boolean isCsrfTokenValid(string $intention, string $token)
Validates a CSRF token.
参数字符串$ intention生成
时使用的意图CSRF令牌字符串$ token浏览器提供的令牌
Parameters string $intention The intention used when generating the CSRF token string $token The token supplied by the browser
返回值布尔值浏览器提供的令牌是否正确
Return Value Boolean Whether the token supplied by the browser is correct
您需要找出表单使用的意图字符串。
You need to finde out the intention string used by your form.
SO上一些有趣的帖子:
Some interesting posts on SO:
这篇关于如何检查Symfony2中提供的CSRF令牌是否无效?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
