Preventing form_token from rendering in Drupal "GET" forms


Problem description

Drupal inserts a form_token as a hidden field when it renders forms. The form_token is then checked on form submission to prevent cross-site request forgery attacks. The form data that is submitted is guaranteed to have come from the original form rendered by Drupal.

However, forms using the "GET" method shouldn't need this token. All it does is lengthen and uglify the resulting URL.

Is there any way to suppress it?

Recommended answer

Yes, there is a way, but use it consciously (see the warning below):

When creating the form, adding

$form['#token'] = FALSE;

to the form definition array should prevent a token from being generated in the first place.

If you are dealing with an existing form, you can bypass the token validation process by unsetting the '#token' element on hook_form_alter:

// Example for removal of token validation from login (NOTE: BAD IDEA!)
function yourmodule_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id == 'user_login_block') {
    unset($form['#token']);
  }
}

Warning: Given your question, I think there is a slight misconception concerning the difference (better, the lack of a difference) between GET and POST requests.

... on forms using the "GET" method shouldn't need this token. All it does is lengthen and uglify the resulting URL.

This is wrong! GET and POST are just two different, but mostly equivalent methods of transmitting data from the client to the server. Since POST is better suited to transfer large amounts of data (or difficult formatted data), it is the established standard for submitting forms, but it is in no way safer/unsafer or more/less secure than GET requests. Both types of requests can be tampered with by malicious users in the same ways, hence both types should use the same protection mechanisms.

With a GET request, the token does exactly the same as with a POST request - it proves to the server that the submitted data comes from the same browser on the same machine as the request it built the form for! So you should only remove it if you are sure that the request can not be misused via XSRF.
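As an added illustration (not the answerer's code), the decision the warning calls for, applied in a module: the token is dropped only from a read-only GET filter form, and a hook_form_alter logs any POST form that would render without one. It assumes Drupal 7's Form API; the module name mymodule and the filter form are hypothetical.

```php
<?php
/**
 * @file
 * Added example (not from the answer above): drop form_token only from a
 * read-only GET filter form and log any POST form that renders without
 * one. Assumes Drupal 7's Form API; "mymodule" and the form are hypothetical.
 */

/**
 * Form constructor for a keyword filter that only narrows a listing.
 *
 * It submits via GET and changes no server state, so it is safe to render
 * without form_token; the resulting URL stays short and bookmarkable.
 */
function mymodule_filter_form($form, &$form_state) {
  $form['#method'] = 'get';
  // Explicit opt-out: Drupal skips form_token when #token is FALSE.
  $form['#token'] = FALSE;
  $form['keyword'] = array(
    '#type' => 'textfield',
    '#title' => t('Keyword'),
    '#default_value' => isset($_GET['keyword']) ? $_GET['keyword'] : '',
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Filter'));
  return $form;
}

/**
 * Implements hook_form_alter().
 *
 * Alter hooks run after drupal_prepare_form() has decided about the token,
 * so a POST form reaching this point without #token (for a logged-in user)
 * has opted out of CSRF protection. Log it so the opt-out gets reviewed.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  // Anonymous users get no token (their pages may be cached) and
  // programmatic submissions are not browser requests: skip both.
  if (empty($user->uid) || !empty($form_state['programmed'])) {
    return;
  }
  $method = isset($form['#method']) ? strtolower($form['#method']) : 'post';
  if ($method !== 'get' && empty($form['#token'])) {
    watchdog('mymodule', 'Form %id is submitted via POST but renders without form_token.',
      array('%id' => $form_id), WATCHDOG_WARNING);
  }
}
```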
