dachcom-digital / pimcore-members

Pimcore Object, Asset and Document Restriction & Frontend Authentication

CSRF and form validation is triggered when visiting password reset request page #188

Closed dolmit-tanel-paaro closed 11 months ago

dolmit-tanel-paaro commented 11 months ago
Q A
Bug report? yes
Feature request? no
BC Break report? no
RFC? no

CSRF token and form field validation is triggered for form rendering. This is caused by calling $form->handleRequest($request).

Why is this method called at that point where the goal is to simply render the form?

Reference: https://github.com/dachcom-digital/pimcore-members/blob/v4.1.1/src/MembersBundle/Controller/ResettingController.php#L53C9-L53C9
Route: members_user_resetting_request
Version: v4.1.1 (Pimcore v10.6.9)

Note: this issue was also present in the older version when our Pimcore was at v6.9, but I didn't bother reporting it back then.

[image: The view for the members_user_resetting_request route]

dolmit-tanel-paaro commented 11 months ago

I see that this behavior is the same for the latest version too. See: https://github.com/dachcom-digital/pimcore-members/blob/a38e1353407a7ca8fb4dfe62716a063e5c577126/src/Controller/ResettingController.php#L38

solverat commented 11 months ago

As you can see here

https://github.com/symfony/symfony/blob/e84257aafc0a77b07257d420447fb56e03ac2518/src/Symfony/Component/Form/Extension/HttpFoundation/HttpFoundationRequestHandler.php#L51-L53

...the request gets handled only if a specific method is requested, namely POST. I'm not sure which setup you're using, but maybe you've changed it to GET? However, this form should submit its values via POST to prevent logging sensitive data on the server side.

dolmit-tanel-paaro commented 11 months ago

Okay... now I see - our project is using CoreShop, and its ResourceBundle overrides HttpFoundationRequestHandler.
See: HttpFoundationRequestHandler override

It specifically has removed the form method and request method comparison check (mentioned in the class signature 😄). I suppose I have to ask the CoreShop maintainers why it was done like that...
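For readers following the two comments above: Symfony's stock HttpFoundationRequestHandler returns early from handleRequest() when the form's configured method (POST by default) differs from $request->getMethod(), so a GET that merely renders the page never reaches $form->submit() and therefore never produces CSRF or constraint errors. A replacement handler without that comparison submits the form on every request, including the GET render, with no CSRF token and empty data, which is exactly the symptom reported in this issue. The controller below is an added illustration, not code from pimcore-members, CoreShop or Symfony; the form type ResettingRequestType, the route names and the template path are assumptions. It shows the conventional pattern and a defensive variant that does not depend on the request handler's own guard.

```php
<?php
// Added example (not pimcore-members, CoreShop or Symfony code).
// Assumed: ResettingRequestType is a form type with a single "username" field,
// the route names and the Twig template path are placeholders.

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class ResettingRequestController extends AbstractController
{
    #[Route('/members/resetting/request', name: 'app_resetting_request', methods: ['GET', 'POST'])]
    public function request(Request $request): Response
    {
        // Form method defaults to POST; the stock request handler compares it
        // against $request->getMethod() and ignores a plain GET.
        $form = $this->createForm(ResettingRequestType::class);

        // Defensive variant: only hand the request to the form when the browser
        // actually posted it. With the stock handler this is redundant; with a
        // handler that dropped the method comparison it keeps the render path
        // free of "missing CSRF token" and "field required" errors.
        if ($request->isMethod('POST')) {
            $form->handleRequest($request);
        }

        // A form that was never submitted reports isSubmitted() === false and
        // carries no errors, so the first visit renders a clean form.
        if ($form->isSubmitted() && $form->isValid()) {
            $username = $form->get('username')->getData();
            // ... look the member up and send the reset e-mail here (omitted) ...
            // Always redirect after a successful POST so a reload does not
            // resubmit the request.
            return $this->redirectToRoute('app_resetting_check_email');
        }

        // GET, or a POST that failed validation: render with whatever errors
        // the form collected (none on GET).
        return $this->render('resetting/request.html.twig', [
            'form' => $form->createView(),
        ]);
    }
}
```

The explicit isMethod('POST') check is the part worth copying when a project is known to replace Symfony's request handler: it makes the controller's behaviour independent of whichever handler is registered, while the isSubmitted() && isValid() pair is still what decides whether the CSRF token and field constraints were satisfied.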

dolmit-tanel-paaro commented 11 months ago

I've asked the question from CoreShop team: https://github.com/coreshop/CoreShop/discussions/2442

dolmit-tanel-paaro commented 11 months ago

Hey, @solverat, @dpfaffenbauer is asking the same question as I am: why is the form handling the request when it hasn't been submitted? See: https://github.com/coreshop/CoreShop/discussions/2442#discussioncomment-7513287

dolmit-tanel-paaro commented 11 months ago

This issue has been resolved on the side of Members bundle: