From deb70aba15ba9d4cde24635f70a102f9f98ceab0 Mon Sep 17 00:00:00 2001 From: Kristof Van Cauwenbergh Date: Tue, 7 Oct 2014 16:06:23 +0200 Subject: [PATCH] CSRF warning docs on Request::enableHttpMethodParameterOverride() [HttpFoundation] fixed the docs so that it gives some explanation about how you are vulnerable to CSRF when you enable the httpMethodeParameterOverride --- src/Symfony/Component/HttpFoundation/Request.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php index 9fd02cc2d148..a04b28f3e4b3 100644 --- a/src/Symfony/Component/HttpFoundation/Request.php +++ b/src/Symfony/Component/HttpFoundation/Request.php @@ -648,6 +648,9 @@ public static function normalizeQueryString($qs) * * Be warned that enabling this feature might lead to CSRF issues in your code. * Check that you are using CSRF tokens when required. + * If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered + * and used to send a "PUT" or "DELETE" request via the _method request parameter. + * If these methods are not protected against CSRF, this presents a possible vulnerability. * * The HTTP method can only be overridden when the real HTTP method is POST. */
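Review bot: The new docblock sentences in the hunk describe the risk but stop short of stating the mitigation; since the paragraph above them already says "Check that you are using CSRF tokens when required", the added text should make explicit that CSRF checks must cover the PUT and DELETE handlers themselves, not only POST routes, because a cross-site HTML form can only submit POST and the `_method` parameter is what turns that submission into a PUT or DELETE. Consider closing the added block with a line such as ` * Apply the same CSRF protection to PUT and DELETE actions as to POST actions.` Style: "html-form" should read "HTML form", and the first added line would be clearer as `an HTML form with method "POST" can be altered` so the comment reads consistently with the existing `The HTTP method can only be overridden when the real HTTP method is POST.` line.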