Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Use the form action URL in generated form hashes.
By including the URL in generated hash for secured forms we prevent a class of abuse where a user uses one secured form to post into a controller action the form was not originally intended for. These cross action requests could potentially violate developer's mental model of how SecurityComponent works and produce unexpected/undesirable outcomes. Thanks to Kurita Takashi for pointing this issue out, and suggesting a fix.
- Loading branch information
Showing
4 changed files
with
61 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f23d811
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not at all.
f23d811
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to fix your .htaccess or your nginx configuration so instead of:
index.php?url=$1
it only containsindex.php
for the rewrite target.