fuel / oil

Fuel PHP Framework - Fuel v1.x Oil command-line package
http://fuelphp.com/docs/packages/oil/intro.html

OIL ignores CSRF Guard/protection state? #197

Closed AlbinoGeek closed 11 years ago

AlbinoGeek commented 11 years ago

OIL doesn't check whether you have CSRF Protection turned on as it should, thus the generated scaffolding never contains token considerations.

WanWizard commented 11 years ago

The framework doesn't have such a thing as "turning on CSRF Protection", so can you be more specific?

AlbinoGeek commented 11 years ago

Erm, yes? There's a configuration option that adds CSRF requirements to everything in config.php / security:

```php
<?php
// fuel/app/config/config.php (excerpt): the 'security' section
return array(
    'security' => array(
        'csrf_autoload'    => true, // this
        'csrf_token_key'   => 'csrf_token', // and this
        'csrf_expiration'  => 3600, // and this
        'uri_filter'       => array('xss_clean'),
        'input_filter'     => array('xss_clean'), // was 'css_clean', a typo for the xss_clean filter
        'output_filter'    => array('Security::htmlentities'),

        'htmlentities_flags' => ENT_QUOTES,
        'htmlentities_double_encode' => false,
        'auto_filter_output'  => true,

        'whitelisted_classes' => array(
            'Fuel\\Core\\Response',
            'Fuel\\Core\\View',
            'Fuel\\Core\\ViewModel',
            'Closure',
        ),
    ),
);
```

With a default OIL generated scaffolding and the above config, when you attempt to submit any of the forms, you'll get a long-winded "csrf was missing or expired" error (as the CSRF token was never added to the forms).

Adding them myself is easy enough, but this seems like something the scaffolding should do for me:

In views/{name}/_form.php (at the end):

```php
<?php // insert the hidden token field immediately before the Form::close() line ?>
<?=Form::hidden(Config::get('security.csrf_token_key'), Security::fetch_token())?>
<?=Form::close()?>
```

WanWizard commented 11 years ago

All that does is automatic checking, you still need to add it to your forms yourself.

Most people don't use that, because it triggers an exception during Fuel init, which can only be caught using a try/catch in your index.php. Most people handle it in the app, so you can display an error in the context of the controller that generates the form.
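As an added illustration of the in-app approach WanWizard describes (not code from this thread, from OIL's scaffolding, or from Fuel itself): a controller action that calls Security::check_token() on POST and reports the failure in the form's own context. The class, model and view names are assumptions; the view is expected to contain the hidden token field shown earlier in the thread.

```php
<?php
// Added example, not Fuel's own scaffolding. Assumes csrf_autoload is false
// (so a bad token does not throw during Fuel init), an ORM Model_Monkey,
// and a view 'monkey/create' that renders $errors and the hidden token field.
// All of these names are assumptions, not taken from the issue.

class Controller_Monkey extends Controller
{
    public function action_create()
    {
        $data = array('errors' => array());

        if (Input::method() == 'POST')
        {
            // Check the token here rather than via csrf_autoload so an invalid or
            // expired token becomes a message on the form instead of an exception
            // that can only be caught in index.php.
            if ( ! Security::check_token())
            {
                $data['errors'][] = 'Your form session has expired, please submit it again.';
            }
            else
            {
                $monkey = Model_Monkey::forge(array('name' => Input::post('name')));

                if ($monkey->save())
                {
                    Session::set_flash('success', 'Saved.');
                    Response::redirect('monkey');
                }

                $data['errors'][] = 'Could not save.';
            }
        }

        // Re-render the form; Security::fetch_token() in the view issues a fresh token.
        return Response::forge(View::forge('monkey/create', $data));
    }
}
```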