minor #12168 [HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride() (Kristof Van Cauwenbergh)

This PR was merged into the 2.3 branch.

Discussion
----------

[HttpFoundation] CSRF warning docs on Request::enableHttpMethodParameterOverride()

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #12043
| License       | MIT
| Doc PR        | /

Since I wanted to understand this issue, I did some research and altered the comment block. Is this a clear enough explanation or does it need more?

Commits
-------

deb70ab CSRF warning docs on Request::enableHttpMethodParameterOverride()
fabpot committed Nov 2, 2014
2 parents b7f8f4e + deb70ab commit 8d2c296
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/Symfony/Component/HttpFoundation/Request.php
Expand Up @@ -648,6 +648,9 @@ public static function normalizeQueryString($qs)
*
* Be warned that enabling this feature might lead to CSRF issues in your code.
* Check that you are using CSRF tokens when required.
* If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
* and used to send a "PUT" or "DELETE" request via the _method request parameter.
* If these methods are not protected against CSRF, this presents a possible vulnerability.
*
* The HTTP method can only be overridden when the real HTTP method is POST.
*/
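Review bot: the three added lines restate the sentence directly above them ("Be warned that enabling this feature might lead to CSRF issues in your code.") without making the attack concrete, and "an html-form with method "POST" can be altered" reads as if the application's own form were being modified. Fold the two warnings into one paragraph that names the mechanism: a `<form method="POST">` served from a third-party origin can carry a hidden `_method=DELETE` (or `PUT`) field, so once the override is enabled every PUT and DELETE handler must validate a CSRF token exactly as a POST handler would, rather than relying on browsers being unable to issue those methods cross-site. Minor style points in the same lines: "html-form" should be "HTML form", and "this presents a possible vulnerability" can simply read "this is a CSRF vulnerability".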
