
Symfony CSRF Attack Detected even when passing _csrf_token

Here is my form:

<form novalidate action="<?php echo url_for('article/submit') ?>" method="POST">
  <?php echo $form['title']->renderRow() ?>
  <?php echo $form['content']->renderRow() ?>
  <?php echo $form->renderHiddenFields() ?>
  <input type="submit" value="Save"/>
</form>

And looking at the generated HTML source, the _csrf_token IS in fact being rendered. Here is my action:

public function executeSubmit(sfWebRequest $request)
{
  $this->forward404Unless($request->isMethod('post'));
  $request->checkCSRFProtection();

  die('submitting post...');
}

The error:

_csrf_token [CSRF attack detected.]

Even in my action, if I do a var_dump($_POST); die; I get:

Array
(
  [title] => string(8) "My title"
  [content] => string(10) "My Content"
  [_csrf_token] => string(32) "<my token here>"
)

So the csrf token is definitely being rendered and passed correctly. What am I doing wrong?

Also, is there any documentation for checkCSRFProtection() anywhere? The API docs don't say anything about it besides acknowledging its existence.

A few things to check:

(Source: http://oldforum.symfony-project.org/index.php/t/17867/)

Be sure you have defined your "secret" in your settings:

csrf_secret: ThisIsMySecret  # Unique secret to enable CSRF protection or false to disable

Also, based on what I've gathered from that forum post, CSRF protection checking is done automatically in $this->form->isValid(), so your call to $request->checkCSRFProtection() is unnecessary if you are already checking whether the form is valid. If not, add $this->form->isValid().

It would also seem that $request->checkCSRFProtection() doesn't work with forms; its purpose (if I'm correct) is to validate requests served when a user clicks a link. When CSRF protection is enabled, link_to() automatically adds CSRF protection to the links it generates. So, basically, the CSRF protection for a form is different from that of a request that didn't originate from a form.

See this ticket for more details: http://trac.symfony-project.org/ticket/7315

Another ticket that may be of interest: http://trac.symfony-project.org/ticket/5698
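The following is an added, stand-alone PHP example, not code from the question, the answer or symfony itself. It models why the token emitted by a concrete form class passes $this->form->isValid() but fails $request->checkCSRFProtection(): in symfony 1.4, sfForm::getCSRFToken() derives the token as md5(secret . session_id() . get_class($form)), and sfWebRequest::checkCSRFProtection() validates the submitted value against a bare BaseForm instead of the form that rendered it, so the class name baked into the token no longer matches. The handler functions, the sample secret, the fixed session id and the constant-time comparison are choices made for this example and are not symfony's own API.

```php
<?php
// Added example: models symfony 1.x CSRF token derivation and the two
// validation paths discussed above. Not symfony code; see the lead-in.

const CSRF_SECRET = 'ThisIsMySecret';   // sample csrf_secret from settings.yml
const CSRF_FIELD  = '_csrf_token';

// Stand-in for session_id(); a fixed, constructed value keeps this runnable offline.
function currentSessionId(): string
{
    return 'sess-0123456789abcdef';
}

// Assumption: mirrors sfForm::getCSRFToken() in symfony 1.4.
// The *form class name* is part of the hashed input.
function csrfTokenFor(string $formClass, string $secret = CSRF_SECRET): string
{
    return md5($secret . currentSessionId() . $formClass);
}

// Models sfValidatorCSRFToken: returns the error message, or null when valid.
// hash_equals() is used here for a constant-time compare (this example's choice).
function validateCsrf(array $post, string $formClass, string $secret = CSRF_SECRET): ?string
{
    $submitted = $post[CSRF_FIELD] ?? null;
    if (!is_string($submitted) || !hash_equals(csrfTokenFor($formClass, $secret), $submitted)) {
        return 'CSRF attack detected.';
    }
    return null;
}

// What $this->form->isValid() effectively does for an ArticleForm submission.
function articleFormIsValid(array $post): bool
{
    return validateCsrf($post, 'ArticleForm') === null;
}

// What $request->checkCSRFProtection() does: it binds a plain BaseForm.
function requestCheckCsrfProtection(array $post): ?string
{
    return validateCsrf($post, 'BaseForm');
}

// Constructed POST body, as ArticleForm::renderHiddenFields() would produce it.
$post = [
    'title'    => 'My title',
    'content'  => 'My Content',
    CSRF_FIELD => csrfTokenFor('ArticleForm'),
];

printf("form->isValid():                %s\n", articleFormIsValid($post) ? 'ok' : 'CSRF attack detected.');
printf("request->checkCSRFProtection(): %s\n", requestCheckCsrfProtection($post) ?? 'ok');

// A token minted with the wrong secret (or for another session) fails the form check too.
$forged = $post;
$forged[CSRF_FIELD] = csrfTokenFor('ArticleForm', 'attacker-guess');
printf("forged form->isValid():         %s\n", articleFormIsValid($forged) ? 'ok' : 'CSRF attack detected.');

// Only a token minted for BaseForm satisfies the request-level check,
// which is what link_to() emits for its generated links.
$linkRequest = [CSRF_FIELD => csrfTokenFor('BaseForm')];
printf("link-style request check:       %s\n", requestCheckCsrfProtection($linkRequest) ?? 'ok');
```

Run it with `php example.php`: the first line reports ok, the second reports the same "CSRF attack detected." message the question shows, because the same token hashes differently once BaseForm replaces ArticleForm in the derivation. The practical rule follows directly: validate a form submission through the form that rendered it (bind, then isValid()), and reserve checkCSRFProtection() for requests whose token came from link_to().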
